ModSecurity

Hello Peter,

This doesn't make sense audit test (10-audit-directives.) crashes
SecUnicode directives.
For some reason your unicode filename is your audit log

mapfn
="/home/user/tmp/modsecurity/apache_2.6.6/tests/regression/server_root/logs/modsec_audit.log"

Is it happing when you start apache ? or just when run this regression
audit test ?

Thanks


On Fri, Jul 27, 2012 at 1:54 AM, Peter Heimann <heimannp@...> wrote:

> Environment: ModSecurity 2.6.6, Apache 2.2.22, AIX 5.3, IBM C compiler.
> mod_security2.so makes Apache dump core during config file parsing.
>
> ModSecurity 2.5.12 can be used in the same environment without crashes.
>
> The core dump can be reproduced with the regression tests:
>
> % ./run-regression-tests.pl regression/config/10-audit-directives.t 1
>
> Loaded 11 tests from regression/config/10-audit-directives.t
> Httpd start failed with signal 0.
>
> Segmentation fault in unicode_map_init at line 151 in file
> "msc_unicode.c" ($t1)
>   151   }
> (dbx) where
> unicode_map_init(dcfg = 0x20032610, mapfn =
>
> "/home/user/tmp/modsecurity-apache_2.6.6/tests/regression/server_root/logs/modsec_audit.log",
> error_msg = 0x203e0ea8), line 151 in "msc_unicode.c"
> unnamed block in cmd_audit_log(cmd = 0x2ff220e8, _dcfg = 0x200a6b58, p1
> =
>
> "/home/user/tmp/modsecurity-apache_2.6.6/tests/regression/server_root/logs/modsec_audit.log"),
> line 1015 in "apache2_config.c"
> invoke_cmd(cmd = 0x2039e838, parms = 0x2ff220e8, mconfig = 0x200a6b58,
> args = ""), line 790 in "config.c"
> unnamed block in ap_walk_config_sub(current = 0x200b1810, parms =
> 0x2ff220e8, section_vector = 0x2005dd00), line 1163 in "config.c"
> ap_walk_config_sub(current = 0x200b1810, parms = 0x2ff220e8,
> section_vector = 0x2005dd00), line 1163 in "config.c"
> unnamed block in ap_walk_config(current = 0x200b1810, parms =
> 0x2ff220e8, section_vector = 0x2005dd00), line 1196 in "config.c"
> ap_walk_config(current = 0x200b1810, parms = 0x2ff220e8, section_vector
> = 0x2005dd00), line 1196 in "config.c"
> ap_process_config_tree(s = 0x2005c970, conftree = 0x20073fd8, p =
> 0x20032610, ptemp = 0x20070800), line 1765 in "config.c"
> main(argc = 11, argv = 0x2ff2225c), line 645 in "main.c"
>
> (dbx) p *dcfg
> (mp = 0x20030600, ruleset = 0x203de1e0, is_enabled = 0, reqbody_access =
> 537085480, reqintercept_oe = 537553736, reqbody_buffering = 537345736,
> reqbody_inmemory_limit = 537052504, reqbody_limit = 0,
> reqbody_no_files_limit = 0, resbody_access = 537593144, of_limit =
> 536874776, of_mime_types = 0x203e01d8, of_mime_types_cleared =
> 537077240, of_limit_action = 537077328, if_limit_action = 0,
> debuglog_name = (nil), debuglog_level = 537077264, debuglog_fd =
> 0x200a6160, cookie_format = 537077328, argument_separator = 0,
> rule_inheritance = 0, rule_exceptions = 0x00000100, auditlog_flag = 264,
> auditlog_type = 511, auditlog_dirperms = -249061308, auditlog_fileperms
> = 0, auditlog_name = (nil), auditlog2_name = "", auditlog_fd =
> 0x200328d0, auditlog2_fd = 0x20032978, auditlog_storage_dir = "",
> auditlog_parts = "", auditlog_relevant_regex = 0x20032860, tmp_dir =
> (nil), upload_dir = "", upload_keep_files = 0, upload_validates_files =
> 0, upload_filemode = 537077688, upload_file_limit = 537078024,
> tmp_chain_starter = 0x200329a8, tmp_default_actionset = 0x20032898,
> tmp_rule_placeholders = 0x20032788, data_dir = (nil), webappid = (nil),
> content_injection_enabled = 536994072, stream_inbody_inspection =
> -249061416, stream_outbody_inspection = 0, geo = 0x2000d650, gsb =
> 0x200085e0, u_map = (nil), cache_trans = 1013213554,
> cache_trans_incremental = 1701016687, cache_trans_min = 1920532480,
> cache_trans_max = 0, cache_trans_maxitems = 0, component_signatures =
> 0x945f8b11, request_encoding = "<directory", disable_backend_compression
> = 10, col_timeout = 537077448)
>
> (dbx) p *error_msg
> warning: Unable to access address 0x2f686f6d from core
> (invalid char ptr (0x2f686f6d))
>
> ModSecurity has been configured with:
>
> C="xlc_r -g" ; export CC
> ./configure --prefix=/usr/local/apache \
> --with-apxs=/usr/local/apache/bin/apxs \
> --with-apr=/usr/local/apache/bin \
> --with-apu=/usr/local/apache/bin \
> --with-curl=/usr/local/curl \
> --with-libxml=/usr/local/libxml \
> --with-pcre=/home/user/tmp/httpd-2.2.22/srclib/pcre \
> --enable-pcre-match-limit=10000 \
> --enable-pcre-match-limit-recursion=10000
>
> The normal test does not show any obvious problems:
> % make CFLAGS=-DMSC_TEST test
> All tests passed (574).
>
> How can I further pinpoint the source of the crash?
>
> --
> Peter Heimann
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>

On 07/27/2012 04:31 PM, Breno Silva wrote:
> This doesn't make sense 
> audit test (10-audit-directives.) crashes SecUnicode directives.
> For some reason your unicode filename is your audit log

It doesn't make sense to me either.


> Is it happing when you start apache ? or just when run this regression
> audit test ?

Apache crashes when I start it with my usual configuration. The
regression test just helps to trigger the problem with a minimal config.


Apache can be started with just
"LoadModule security2_module modules/mod_security2.so"
in the configuration. Configuration options that take a boolean
or numerical value, as "SecRuleEngine On", don't seem to harm either.

As soon as I use a configuration option that takes a file or directory
path as value (SecAuditLog, SecDataDir), Apache crashes during start.

'SecDefaultAction "phase:2,pass,log,status:404"' makes Apache crash as
well, but at a different position in the code:

Segmentation fault in apr_pools.apr_palloc
[/usr/local/apache/modules/mod_security2.so] at line 704 in file
"memory/unix/apr_pools.c" ($t1)
  704       list_insert(node, active);
apr_pools.apr_palloc(pool = (nil), in_size = 92), line 704 in "apr_pools.c"
msre_actionset_create(engine = (nil), text =
"phase:2,pass,log,status:404", error_msg = 0x2ff223d4), line 804 in "re.c"
cmd_default_action(cmd = 0x2ff226a8, _dcfg = 0x3008c960, p1 =
"phase:2,pass,log,status:404"), line 1290 in "apache2_config.c"
invoke_cmd(cmd = 0x3056aa00, parms = 0x2ff226a8, mconfig = 0x3008c960,
args = ""), line 790 in "config.c"
unnamed block in ap_walk_config_sub(current = 0x305770c8, parms =
0x2ff226a8, section_vector = 0x3005e0d8), line 1163 in "config.c"
ap_walk_config_sub(current = 0x305770c8, parms = 0x2ff226a8,
section_vector = 0x3005e0d8), line 1163 in "config.c"
unnamed block in ap_walk_config(current = 0x305770c8, parms =
0x2ff226a8, section_vector = 0x3005e0d8), line 1196 in "config.c"
ap_walk_config(current = 0x305770c8, parms = 0x2ff226a8, section_vector
= 0x3005e0d8), line 1196 in "config.c"
ap_process_config_tree(s = 0x3005cd48, conftree = 0x30080d30, p =
0x30032a00, ptemp = 0x30070bf0), line 1765 in "config.c"
main(argc = 2, argv = 0x2ff22814), line 645 in "main.c"

-- 
Regards
Peter Heimann

Some further experiments:

 2.5.12: OK
 2.5.13: OK
 2.6.0:  core dump during apache start
 2.6.5:  core dump during apache start
 2.6.6:  core dump during apache start
 2.6.7:  core dump during apache start

In most cases, Apache crashes when executing the
"LoadModule security2_module /usr/local/apache/modules/mod_security2.so"
configuration line. This can be reproduced with

%  ./run-regression-tests.pl regression/config/00-load-modsec.t 1

Segmentation fault in mod_security2.register_hooks at line 1394 in file
"mod_security2.c" ($t1)
 1394       *(char **)apr_array_push(ap_server_config_defines) =
apr_pstrdup(mp, "MODSEC_2.5");
(dbx) where
mod_security2.register_hooks(mp = 0x20032610), line 1394 in
"mod_security2.c"
ap_register_hooks(m = 0x203af3f0, p = 0x20032610), line 431 in "config.c"
ap_add_module(m = 0x203af3f0, p = 0x20032610), line 556 in "config.c"
ap_add_loaded_module(mod = 0x203af3f0, p = 0x20032610), line 614 in
"config.c"
load_module(cmd = 0x2ff21df0, dummy = 0x2ff219dc, modname =
"security2_module", filename =
"/usr/local/apache/modules/mod_security2.so"), line 282 in "mod_so.c"
invoke_cmd(cmd = 0x2001c3b8, parms = 0x2ff21df0, mconfig = 0x2ff219dc,
args = ""), line 800 in "config.c"
unnamed block in execute_now(cmd_line = "LoadModule", args =
"security2_module /usr/local/apache/modules/mod_security2.so", parms =
0x2ff21df0, p = 0x20032610, ptemp = 0x20070800, sub_tree = 0x2ff219dc,
parent = (nil)), line 1441 in "config.c"
execute_now(cmd_line = "LoadModule", args = "security2_module
/usr/local/apache/modules/mod_security2.so", parms = 0x2ff21df0, p =
0x20032610, ptemp = 0x20070800, sub_tree = 0x2ff219dc, parent = (nil)),
line 1441 in "config.c"
unnamed block in ap_build_config_sub(p = 0x20032610, temp_pool =
0x20070800, l = "LoadModule security2_module
/usr/local/apache/modules/mod_security2.so", parms = 0x2ff21df0, current
= 0x2ff21aa0, curr_parent = 0x2ff21a9c, conftree = 0x2ff21a3c), line
1012 in "config.c"


ModSecurity 2.5.x uses libtool from the Apache build directory, while
ModSecurity 2.6.x brings its own libtool implementation. I don't know
whether this is related, or pure coincidence.

-- 
Peter Heimann

On 07/29/2012 02:45 PM, Peter Heimann wrote:
> ModSecurity 2.5.x uses libtool from the Apache build directory, while
> ModSecurity 2.6.x brings its own libtool implementation. I don't know
> whether this is related, or pure coincidence.

The core dumps at different code positions made me suspect that the
compiled ModSecurity code might not match the Apache API.

What I did for ModSecurity 2.6.7:

- run configure
- delete libtool from ModSecurity
- copy over libtool from /usr/local/apache/build/
- change libtool copy:  [1]

*** libtool.apache      Tue Jul 31 15:37:24 2012
--- libtool     Tue Jul 31 17:09:47 2012
***************
*** 292,298 ****

  # Flag to hardcode $libdir into a binary during linking.
  # This must work even if $libdir does not exist.
!
hardcode_libdir_flag_spec="\${wl}-blibpath:\$libdir:/usr/vac/lib:/usr/lib/threads:/usr/lib:/lib
                                        "

  # If ld is used when linking, flag to hardcode $libdir into
  # a binary during linking. This must work even if $libdir does
--- 292,298 ----

  # Flag to hardcode $libdir into a binary during linking.
  # This must work even if $libdir does not exist.
! hardcode_libdir_flag_spec="-L \$libdir "

  # If ld is used when linking, flag to hardcode $libdir into
  # a binary during linking. This must work even if $libdir does

- run make; make CFLAGS=-DMSC_TEST test
- install mod_security2.so

It's a hack, but: No more core dumps, so far!


[1]
AIX ld by default records all directories specified with the "-L" option
in the output file, to find dynamic libraries at run time. However,
if "-blibpath" is used, only the given path is recorded, and the "-L"
directories are ignored.

libtool tries to add the Apache library directory to the search path
with "hardcode_libdir_flag_spec". Instead, the search path gets
clobbered. Upon Apache start, mod_security2.so cannot be loaded,
because libraries like libz.so outside the standard system directories
are not found.

-- 
Regards
Peter Heimann

Good to know.

Would be great if you could send a patch for AIX building.

Thanks

Breno

On Tue, Jul 31, 2012 at 3:41 PM, Peter Heimann <heimannp@...> wrote:

> On 07/29/2012 02:45 PM, Peter Heimann wrote:
> > ModSecurity 2.5.x uses libtool from the Apache build directory, while
> > ModSecurity 2.6.x brings its own libtool implementation. I don't know
> > whether this is related, or pure coincidence.
>
> The core dumps at different code positions made me suspect that the
> compiled ModSecurity code might not match the Apache API.
>
> What I did for ModSecurity 2.6.7:
>
> - run configure
> - delete libtool from ModSecurity
> - copy over libtool from /usr/local/apache/build/
> - change libtool copy:  [1]
>
> *** libtool.apache      Tue Jul 31 15:37:24 2012
> --- libtool     Tue Jul 31 17:09:47 2012
> ***************
> *** 292,298 ****
>
>   # Flag to hardcode $libdir into a binary during linking.
>   # This must work even if $libdir does not exist.
> !
>
> hardcode_libdir_flag_spec="\${wl}-blibpath:\$libdir:/usr/vac/lib:/usr/lib/threads:/usr/lib:/lib
>                                         "
>
>   # If ld is used when linking, flag to hardcode $libdir into
>   # a binary during linking. This must work even if $libdir does
> --- 292,298 ----
>
>   # Flag to hardcode $libdir into a binary during linking.
>   # This must work even if $libdir does not exist.
> ! hardcode_libdir_flag_spec="-L \$libdir "
>
>   # If ld is used when linking, flag to hardcode $libdir into
>   # a binary during linking. This must work even if $libdir does
>
> - run make; make CFLAGS=-DMSC_TEST test
> - install mod_security2.so
>
> It's a hack, but: No more core dumps, so far!
>
>
> [1]
> AIX ld by default records all directories specified with the "-L" option
> in the output file, to find dynamic libraries at run time. However,
> if "-blibpath" is used, only the given path is recorded, and the "-L"
> directories are ignored.
>
> libtool tries to add the Apache library directory to the search path
> with "hardcode_libdir_flag_spec". Instead, the search path gets
> clobbered. Upon Apache start, mod_security2.so cannot be loaded,
> because libraries like libz.so outside the standard system directories
> are not found.
>
> --
> Regards
> Peter Heimann
>
>
>