Sunday, 10 July 2011

Floating-point CVE-2010-4476 protection with mod_security

Some months ago I tried to use mod_security to block attacks that abuse the floating-point vulnerability described at http://blog.fortify.com/blog/2011/02/08/Double-Trouble.
I used the Lua script that was posted on the SpiderLabs blog: http://blog.spiderlabs.com/2011/02/java-floating-point-dos-attack-protection.html .
I copied the exact configuration that was documented there, but something didn't seem right.
The following curl command:
curl -H "Accept-Language: en-us;q=2.2250738585072012e-308" http://localhost/
was blocked by mod_security with the following audit log entry:
Message: Access denied with code 403 (phase 2). Pattern match ".*" at TX:floatingpointdos. [file "/test/apache/conf/modsecurity/modsecurity_crs_15_exception.conf"] [line "36"] [msg "Floating Point DoS Payload Found."] [data "Location: REQUEST_HEADERS:User-Agent"] [tag "CVE-2010-4476"]

The request was blocked, but the log did not record that I had sent a malicious Accept-Language header rather than a malicious User-Agent header. After that I looked into the Lua script and found some errors in it.
The Lua script tested the return value of string.gmatch directly, and that test is always true: string.gmatch returns an iterator function, and a function value is truthy in Lua whether or not the pattern ever matches.
The statement "if string.gmatch(FilteredPattern, Pattern) then" therefore always matched, so the first variable that was checked was written to the audit log, which in my case was the User-Agent header.
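To make the failure visible outside the web server, here is an added example (not the original script, and not from the SpiderLabs post): it runs in stock Lua without ModSecurity, uses a constructed header table in the same {name=..., value=...} shape that m.getvars() returns, and contrasts the original "if string.gmatch(...)" test with a check that actually consumes a match. The header values and the use of string.find as the replacement are my choices.

```lua
-- Added example: why "if string.gmatch(...)" always fires, and a check that
-- only fires on a real match. Plain Lua 5.1+; no ModSecurity API involved.
local Pattern = "2225073858507201"

-- Constructed sample headers in the shape m.getvars("REQUEST_HEADERS") returns.
-- Only Accept-Language carries the CVE-2010-4476 payload; User-Agent is harmless.
local headers = {
  { name = "REQUEST_HEADERS:User-Agent",      value = "curl/7.21.0 (x86_64-pc-linux-gnu)" },
  { name = "REQUEST_HEADERS:Host",            value = "localhost" },
  { name = "REQUEST_HEADERS:Accept-Language", value = "en-us;q=2.2250738585072012e-308" },
}

-- The check as the original script wrote it. string.gmatch returns an iterator
-- function, and every function value is truthy in Lua, so this branch is taken
-- for any input at all, including values that contain no digits.
local function broken_check(value)
  local filtered = string.gsub(value, "[.]", "")
  if string.gmatch(filtered, Pattern) then
    return true
  end
  return false
end

-- Fixed check: look for the digit string itself. The pattern contains no Lua
-- magic characters, so a plain (non-pattern) string.find is equivalent to
-- iterating string.gmatch and cheaper.
local function fixed_check(value)
  local filtered = string.gsub(value, "[.]", "")
  return string.find(filtered, Pattern, 1, true) ~= nil
end

-- Walks the header table with a given check and returns the first flagged
-- variable name, which is what the script stores in tx.floatingpointdos.
local function first_hit(check)
  for _, h in ipairs(headers) do
    if check(h.value) then
      return h.name
    end
  end
  return nil
end

-- The broken check blames the first header it sees; the fixed one finds the
-- header that really carries the payload.
print("broken check flags:", first_hit(broken_check))
print("fixed check flags: ", first_hit(fixed_check))
assert(first_hit(broken_check) == "REQUEST_HEADERS:User-Agent")
assert(first_hit(fixed_check)  == "REQUEST_HEADERS:Accept-Language")
```

Run it with any Lua interpreter (lua example.lua); the asserts document the two outcomes, and the first one is exactly the mis-attribution seen in the audit log above.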

Here is the modified Lua script which worked for me.

#!/test/lua/bin/lua
-- ModSecurity Lua script: flag request headers and arguments that carry the
-- CVE-2010-4476 floating-point payload. Returning a string from main() makes the
-- calling SecRuleScript rule match; tx.floatingpointdos records the variable hit.
function main()
  -- Digits of 2.2250738585072012e-308 with the decimal point removed.
  local Pattern = "2225073858507201"
  -- Get the ModSec collections
  local Headers = m.getvars("REQUEST_HEADERS")
  local Args = m.getvars("ARGS")
  for i = 1, #Headers do
    -- Strip dots so "2.2250738..." and "22250738..." both match the pattern.
    local FilteredPattern = string.gsub(Headers[i].value, "[.]", "")
    -- Iterate the matches: the loop body only runs when a match exists, unlike
    -- testing the iterator itself with "if string.gmatch(...) then", which is
    -- always true.
    for _ in string.gmatch(FilteredPattern, Pattern) do
      m.setvar("tx.floatingpointdos", Headers[i].name)
      return ("Potential Floating Point DoS Attack via variable: " .. Headers[i].name .. ".")
    end
  end
  for i = 1, #Args do
    local FilteredPattern = string.gsub(Args[i].value, "[.]", "")
    for _ in string.gmatch(FilteredPattern, Pattern) do
      m.setvar("tx.floatingpointdos", Args[i].name)
      return ("Potential Floating Point DoS Attack via variable: " .. Args[i].name .. ".")
    end
  end
  -- No payload found: returning nil means the rule does not match.
  return nil
end

Maybe it helps someone who has had the same problem or has seen false positives from it.

Michael 
