Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Gryzli B. <gry...@gm...> - 2015-12-08 13:37:36
Hi Felipe,

Thanks for your answer. I'm already "learning lua" in order to get the job done... I somehow wondered whether to skip it, but in the end it seems that's the only working solution.

Regards,
Gryzli

On 12/08/2015 03:04 PM, Felipe Costa wrote:
> Hi Gryzli,
>
> Thank you for the report.
>
> Do not use the @inspectFile with variables that you don't have control over. @inspectFile
> was originally created to be used with the FILES_TMPNAMES [1] as cited on the
> example: [2]. The content of FILES_TMPNAMES is generated by ModSecurity, therefore we
> don't need to escape.
>
> I think your concern is more than valid. I am adding a note to the Reference Manual,
> so that other users will not use it in this fashion.
>
> Maybe what you are looking for is to use the Lua engine [3]. Using the Lua engine,
> you will be able to fetch the variables using: m.getvar("FULL_REQUEST");
>
> Notice that using FULL_REQUEST is not always a good practice because it may drop the
> performance of your server a little bit.
>
>
> For ModSecurity version 3, the @inspectFile may not be necessary anymore. We wish to
> support natively:
> - Ruby
> - Python
> - Lua
> - Any other suggestion? - Perl maybe :)
>
>
> (Moving this discussion to mod...@li...)
>
>
> [1] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#files_tmpnames
> [2] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#inspectfile
> [3] https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrulescript
>
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
> On 12/8/15, 4:50 AM, "Gryzli Bugbear" <gry...@gm...> wrote:
>
>> Hi all,
>>
>> I'm trying to make some rules work, and see some very strange behaviour.
>>
>> I have the following rule in mod_security:
>> ---
>> SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" "id:159, deny,
>> status:406, phase:2"
>> ---
>>
>> When I pass some request to Apache I get a bunch of logs in error_log
>> looking like this:
>> =========
>> /bin/sh: line 2: Host:: command not found
>> /bin/sh: line 3: Connection:: command not found
>> /bin/sh: line 4: Accept:: command not found
>> /bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>> /bin/sh: -c: line 6: syntax error near unexpected token `('
>> /bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>> /bin/sh: line 2: Host:: command not found
>> /bin/sh: line 3: Connection:: command not found
>> /bin/sh: line 4: Accept:: command not found
>> /bin/sh: line 5: Upgrade-Insecure-Requests:: command not found
>> /bin/sh: -c: line 6: syntax error near unexpected token `('
>> /bin/sh: -c: line 6: `User-Agent: Mozilla/5.0 (X11; Linux x86_64)
>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36'
>> ===========
>>
>> It seems that ModSecurity is unable to correctly escape the arguments
>> which must be sent to /tmp/test_script.pl, which results in execution
>> attempts in /bin/sh.
>>
>> This behavior looks extremely dangerous, because an attacker could easily use
>> it to execute malicious code as the Apache user.
>>
>> Is this a bug, or is there an option to make ModSecurity escape correctly
>> the arguments passed?
>>
>> Regards,
>> Gryzli
>>
>> ------------------------------------------------------------------------------
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
>> http://scanmail.trustwave.com/?c=4062&d=sozm1oGKqts4aZ2DnwV7U8LosM7zRZ1IEmGX6zHnvw&s=5&u=http%3a%2f%2fpubads%2eg%2edoubleclick%2enet%2fgampad%2fclk%3fid%3d254741911%26iu%3d%2f4140
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> http://scanmail.trustwave.com/?c=4062&d=sozm1oGKqts4aZ2DnwV7U8LosM7zRZ1IEjaR7DO06Q&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://scanmail.trustwave.com/?c=4062&d=sozm1oGKqts4aZ2DnwV7U8LosM7zRZ1IEmTDuGrg7Q&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommercial%2frules%2f
>> http://scanmail.trustwave.com/?c=4062&d=sozm1oGKqts4aZ2DnwV7U8LosM7zRZ1IEmXH6ma0uA&s=5&u=http%3a%2f%2fwww%2emodsecurity%2eorg%2fprojects%2fcommercial%2fsupport%2f
>
> ________________________________
>
> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
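The in-process alternative Felipe points to above, written out as an added example (this is not code from the thread or from the ModSecurity project): a SecRuleScript Lua script that reads the request with m.getvar() and inspects it inside the engine, so no argument is ever handed to /bin/sh and nothing needs escaping. The script path /etc/modsecurity/inspect_request.lua and the pattern list are assumptions; the rule id 159 and the deny/status:406 actions are taken from Gryzli's original rule. The ModSecurity 2.x Lua API used is m.getvar(name) and m.log(level, message), with main() returning nil for no match and a string for a match.

```lua
-- inspect_request.lua: added example of a ModSecurity 2.x SecRuleScript.
-- Replaces the shell-based approach
--   SecRule FULL_REQUEST "@inspectFile /tmp/test_script.pl" ...
-- with one that never leaves the engine. Wire it in with (hypothetical path):
--   SecRuleScript /etc/modsecurity/inspect_request.lua "id:159,phase:2,deny,status:406"

-- Constructed list of Lua patterns (not PCRE) to look for in the raw request.
-- These are illustrative detection signatures, not a complete rule set.
local PATTERNS = {
  "%.%./",        -- path traversal fragment
  "/etc/passwd",  -- sensitive-file probe
}

function main()
  -- FULL_REQUEST is the raw request line, headers and body. As Felipe notes,
  -- it is comparatively expensive; REQUEST_URI or ARGS are cheaper when they
  -- are enough for the check at hand.
  local req = m.getvar("FULL_REQUEST")
  if req == nil then
    return nil  -- nothing to inspect; nil means "no match"
  end

  for _, pattern in ipairs(PATTERNS) do
    -- string.find works on the in-memory string; header lines such as
    -- "Host:" or "User-Agent: Mozilla/5.0 (X11; ...)" are just data here,
    -- never a command line, so the "command not found" errors from the
    -- thread cannot occur.
    if string.find(req, pattern) then
      m.log(4, "inspect_request.lua: request matched pattern " .. pattern)
      -- Returning a string signals a match; the rule's deny action fires.
      return "request matched pattern " .. pattern
    end
  end

  return nil
end
```

The key design point is that the only boundary the request crosses is the Lua string API; the script receives the variable's value directly rather than reconstructing it from a shell command line, which is exactly the step that @inspectFile performs and that FULL_REQUEST turns into command injection.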