|
From: Bill R. <con...@ho...> - 2012-08-10 18:58:37
|
Moving.
From: RBa...@tr...
To: Gre...@mi...; con...@ho...; BP...@tr...
CC: owa...@li...
Date: Fri, 10 Aug 2012 13:11:16 -0500
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
Should probably move this discussion to the mod-security-developers list and then report back a fix.
--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
From: "Greg Wroblewski (SPARROW)" <Gre...@mi...>
Date: Fri, 10 Aug 2012 12:38:14 -0500
To: Bill Roemhild <con...@ho...>, Ryan Barnett <rba...@tr...>, Breno Silva Pinto <BP...@tr...>
Cc: "owa...@li..." <owa...@li...>
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
I see a problem. Even when permissions are correct, the code reads the file, but then it crashes.
Breno,
This is all happening in:
staticint
msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg)
with crash:
> libapr-1.dll!apr_pool_cleanup_kill(apr_pool_t * p, const void * data, int (void *)* cleanup_fn) Line 2270 C
libapr-1.dll!apr_file_close(apr_file_t * file) Line 501 C
ModSecurityIIS.dll!msre_op_pmFromFile_param_init(msre_rule * rule, char * * error_msg) Line 1384 C
Here:
while (c) {
#if APR_POOL_DEBUG
/* Some cheap loop detection to catch a corrupt list: */
if (c == c->next
|| (c->next && c == c->next->next)
|| (c->next && c->next->next && c == c->next->next->next)) {
abort();
}
#endif
if (c->data == data && c->plain_cleanup_fn == cleanup_fn) {
ç CRASH
I cannot figure out what’s wrong, but I’ll keep looking.
Greg
From: Bill Roemhild [mailto:con...@ho...]
Sent: Friday, August 10, 2012 9:38 AM
To: Greg Wroblewski (SPARROW); Ryan Barnett
Cc: owa...@li...
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
Maybe I should be asking if anyone else has been able to get this to work.
From:
con...@ho...
To: gre...@mi...;
rba...@tr...
Date: Fri, 10 Aug 2012 08:47:39 -0700
CC: owa...@li...
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
There is not an entry listed in the event log for a missing file.
I gave "IIS AppPool\DefaultAppPool" full control over the data files as I'm using IIS 7.5. Same result.
I also tried adding "Network Service", even through I'm pretty sure that is wrong. Still no love.
Bill
From:
Gre...@mi...
To: RBa...@tr...;
con...@ho...
CC: owa...@li...
Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
Date: Thu, 9 Aug 2012 23:21:55 +0000
This is really an APR bug (we should report it or create a workaround), but the problem is in the file permissions. Read access to everyone is not
enough, proper ACLs must be set as well.
When the file does not exist this error gets logged in the event log:
Syntax error in config file c:\inetpub\wwwroot\test.conf, line 47: Error creating rule: Could not open phrase file "c:\inetpub\wwwroot\modsecurity_35_scanners.data":
The system cannot find the file specified.
So you can see when it’s a permission issue or a path issue.
Greg
From: Ryan Barnett
[mailto:RBa...@tr...]
Sent: Thursday, August 9, 2012 2:45 PM
To: Bill Roemhild
Cc: owa...@li...; Greg Wroblewski (SPARROW)
Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2
You might want to try and specify a full path to the .data file.
--
Ryan Barnett
Researcher Lead
Trustwave - SpiderLabs
On Aug 9, 2012, at 5:39 PM, Bill Roemhild <con...@ho...> wrote:
I've been playing around with modsecurity 2.7.0-RC2 for IIS along with the OWASP rules. When running any rule set that calls for a data file through @pmFromFile the application pool crashes.
I've given read access to 'Everyone' on the data files being read without success. Anyone else run into this problem?
Rule:
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
"phase:2,rev:'2.2.5',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
Crash:
w3wp.exe
7.5.7601.17514
4ce7afa2
libapr-1.dll
1.4.5.0
500eaf34
c0000005
00000000000099f8
1e08
01cd7675752af369
c:\windows\system32\inetsrv\w3wp.exe
C:\Windows\system32\inetsrv\libapr-1.dll
b4147ab9-e268-11e1-82b3-4437e66c2115
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owa...@li...
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient,
you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy
the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list
Owa...@li... https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic
or hard copy format.
|
