ModSecurity Vulnerability & PoC (CVE-2019-19886)

栏目: IT技术 · 发布时间: 4年前

内容简介:In October 2019, Ervin Hegedus and I have discovered two vulnerabilities on the open source web application firewall "libModSecurity"(As per theThanks to Ervin Hegedus who, like me, is a member of the OWASP Core Rule Set developer team, we've identified so

In October 2019, Ervin Hegedus and I have discovered two vulnerabilities on the open source web application firewall "libModSecurity"( CVE-2019-19886 from version 3.0.0 to 3.0.3) that could lead to a SecRule bypass and a denial of Service. In this article, I'll describe both vulnerabilities with a PoC on Nginx.

We found a critical DoS vulnerability on libModSecurity 3.0.0-3.0.3 (CVE-2019-19886). To all @nginx or @litespeedtech users, upgrade to the v3.0.4 ASAP. @CoreRuleSet @ModSecurity https://t.co/KV5cwCj5SR

— theMiddle (@Menin_TheMiddle) January 20, 2020

As per the ModSecurity GitHub project libModSecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. In general, it provides the capability to load/interpret rules written in the SecRules format and apply them to HTTP content provided by your application via Connectors.

Thanks to Ervin Hegedus who, like me, is a member of the OWASP Core Rule Set developer team, we've identified some problems on the cookie string parser of the 3.0.0-3.0.3 versions of libModSecurity. To simplify the test process, Ervin has created a stand-alone C++ program called "cookieparse" that reads a cookie string from the first argument and parses it, comparing the results between the "old" and the patched parser version. But let's step back for a moment and focus on cookies.

SecRule Bypass

For the HTTP protocol, the cookie string is a sequence of key=value pairs separated by a ; character.

ModSecurity Vulnerability & PoC (CVE-2019-19886)
Request cookie string

Even if it looks easy at first, there are lots ways to lead the parser that don't fit with what the standard provides, for example:

ModSecurity Vulnerability & PoC (CVE-2019-19886)

What surprised me here is that according to the RFC 6265 a cookie string sent without the = character should be totally ignored. Another interesting thing is:

ModSecurity Vulnerability & PoC (CVE-2019-19886)

At point 3 it seems that a cookie could have an empty value or an empty name. I've never considered testing what an application firewall trying to parse a cookie with an empty name would do. Using the cookieparse Ervin discovered that the old parser doesn't include part of the cookie value when the cookie string is something like foo=bar=ciao :

ModSecurity Vulnerability & PoC (CVE-2019-19886)
cookieparse output

As you can see, for the old parser the value of the cookie foo is bar and not bar=ciao as it should be. That means that it could be possible to inject malicious payload (such as SQL Injection or Cross-Site Scripting) just by putting it after a = character. For example:

ModSecurity Vulnerability & PoC (CVE-2019-19886)
cookieparse output with XSS payload

The old parser would have completely ignored the XSS payload and it could be possible to bypass a hypothetical rule that checks if a cookie value has malicious content.

DoS Vulnerability

Continuing our bypass tests, what I found after was scared us and it lead us to ask Trustwave for a patch and a security release. As we said before, in a cookie string each name and value are separated by a = and each cookie name/value pairs are separated by a ; . After few tests, I started to put random sequences of ; and = trying to crash it. By sending ;=; nothing has happened but removing the first ; something went wrong. The old parser exited with the following error:

ModSecurity Vulnerability & PoC (CVE-2019-19886)
cookieparse error

Talking with Ervin about the consequences that this error could have on a webserver running libModSecurity, I've created a docker container with Nginx and the 3.0.3 of libModSecurity. Sending a single request with the cookie header Cookie: =foo I didn't get any response from the webserver, even the response headers part.

ModSecurity Vulnerability & PoC (CVE-2019-19886)
Nginx error_logs (top), curl output (bottom)

By reading the Nginx error_log it becomes clear that my previous request killed the Nginx worker process that wrote the same "out of range" error on the log. From here, it was really easy for me to stuck Nginx just by sending multiple requests with curl and continuously killing all respawning Nginx worker processes with something like:

curl -H 'Cookie: =;' 'http://localhost/?a=[0-10000]'

Testing it with Nginx that proxy all request to a WordPress, this is what happened:

ModSecurity Vulnerability & PoC (CVE-2019-19886)

References

If you liked this post, please share and follow me!

Follow @Menin_theMiddle

Follow @theMiddleBlue

View my linkedIn profile

ModSecurity Vulnerability & PoC (CVE-2019-19886)
The awesome image used in this article is called Mad Hatter and it was created by Nikola Korac .

以上所述就是小编给大家介绍的《ModSecurity Vulnerability & PoC (CVE-2019-19886)》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

深入理解Nginx

深入理解Nginx

陶辉 / 机械工业出版社 / 2013-4-15 / 89.00元

本书是阿里巴巴资深Nginx技术专家呕心沥血之作,是作者多年的经验结晶,也是目前市场上唯一一本通过还原Nginx设计思想,剖析Nginx架构来帮助读者快速高效开发HTTP模块的图书。 本书首先通过介绍官方Nginx的基本用法和配置规则,帮助读者了解一般Nginx模块的用法,然后重点介绍如何开发HTTP模块(含HTTP过滤模块)来得到定制的Nginx,其中包括开发一个功能复杂的模块所需要了解的......一起来看看 《深入理解Nginx》 这本书的介绍吧!

SHA 加密
SHA 加密

SHA 加密工具

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换

正则表达式在线测试
正则表达式在线测试

正则表达式在线测试