[Owasp-modsecurity-core-rule-set] Woe with 920270 (Null Byte...) (was: Re: Matched rule modification)

Ervin Hegedüs airween at gmail.com
Fri Jul 7 12:24:35 UTC 2017


Hi Christian and Chaim,
other CRS users,


here is my previous e-mail with an issue (with more issues,
exactly, but this one is the interesting one now)

On Thu, Jun 01, 2017 at 08:49:03AM +0200, Christian Folini wrote:
> 
> On Wed, May 31, 2017 at 08:32:03AM +0200, Ervin Hegedüs wrote:
> > And there is an another issue with 3.0.2 (but may be that affects
> > another versions too).
> > 
> > The request is similar that I detailed in my first post. The
> > "extraParams" value (JSON field) is this:
...

and you sent me your test:

> I was kind of expecting problems with 920270, but probably not as
> deep rooted ones as this. But first, I need to be able to reproduce
> this, and I can't.
> 
> Here is my curl call taking up your example:
> 
> curl 'localhost/index.html' -d 'extraParams=%7B%22node%22%3A%223%22%2C%22text%22%3A%22v%C3%A9gs%C5%91%20fejezet%22' --trace-ascii -
> == Info:   Trying 127.0.0.1...
> == Info: Connected to localhost (127.0.0.1) port 80 (#0)
> => Send header, 153 bytes (0x99)

...


now the situation is totally the same as above, but the server is
another one, and the web application is an up-to-date RoundCube
webmail.

The issue is that when I'd like to compose a new mail and I'm using
special Hungarian characters, ModSecurity denies the request.

Here is the curl test:

curl "https://roundcube.mydomain.hu/" -d "_token=0uuYa9sHayQF7AU6s5Kb4XtJeKt6PZak&_task=mail&_action=send&_id=1466771890595f68c41f875&_attachments=&_from=5&_to=airween%40gmail.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=Pr%C3%B3ba+0707+1256&editorSelector=plain&_priority=0&_store_target=Sent&_draft_saveid=&_draft=&_is_html=0&_framed=1&_message=Pr%C3%B3ba+%C3%BCzenet." --trace-ascii -
== Info: Hostname was NOT found in DNS cache
== Info:   Trying 1.2.3.4...
== Info: Connected to roundcube.mydomain.hu (1.2.3.4) port 443 (#0)
== Info: successfully set certificate verify locations:
== Info:   CAfile: none
  CApath: /etc/ssl/certs
== Info: SSLv3, TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: ........rJK..M`4Qg9.)..........r7.....v.0.,.(.$.........k.j.9.
...
== Info: 	 SSL certificate verify ok.
=> Send header, 159 bytes (0x9f)
0000: POST / HTTP/1.1
0011: User-Agent: curl/7.38.0
002a: Host: roundcube.mydomain.hu
004a: Accept: */*
0057: Content-Length: 330
006c: Content-Type: application/x-www-form-urlencoded
009d: 
=> Send data, 330 bytes (0x14a)
0000: _token=0uuYa9sHayQF7AU6s5Kb4XtJeKt6PZak&_task=mail&_action=send&
0040: _id=1466771890595f68c41f875&_attachments=&_from=5&_to=airween%40
0080: gmail.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=Pr%C3%B3ba+
00c0: 0707+1256&editorSelector=plain&_priority=0&_store_target=Sent&_d
0100: raft_saveid=&_draft=&_is_html=0&_framed=1&_message=Pr%C3%B3ba+%C
0140: 3%BCzenet.
== Info: upload completely sent off: 330 out of 330 bytes
<= Recv header, 24 bytes (0x18)
0000: HTTP/1.1 403 Forbidden
== Info: Server nginx/1.6.2 is not blacklisted
<= Recv header, 21 bytes (0x15)
0000: Server: nginx/1.6.2
<= Recv header, 37 bytes (0x25)
0000: Date: Fri, 07 Jul 2017 11:57:13 GMT
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 21 bytes (0x15)
0000: Content-Length: 168
<= Recv header, 24 bytes (0x18)
0000: Connection: keep-alive
<= Recv header, 2 bytes (0x2)
0000: 
<= Recv data, 168 bytes (0xa8)
0000: <html>
0008: <head><title>403 Forbidden</title></head>
0033: <body bgcolor="white">
004b: <center><h1>403 Forbidden</h1></center>
0074: <hr><center>nginx/1.6.2</center>
0096: </body>
009f: </html>


The audit log contains these lines for that request:

ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable `ARGS:_message' (Value: `Pr\xffffffc3\xffffffb3ba \xffffffc3\xffffffbczenet.' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o2,1o3,1v333,16t:urlDecodeUnio2,1o3,1o7,1o8,1v459,15t:urlDecodeUni"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Invalid character in request (null character)'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]

Note that when I put the special characters in the subject of the mail,
and the body contains only ASCII chars, the rule isn't
triggered:

_token=0uuYa9sHayQF7AU6s5Kb4XtJeKt6PZak&_task=mail&_action=send&_id=1061864000595f7c3bc5c2e&_attachments =&_from=5&_to=airween%40gmail.com&_cc=&_bcc=&_replyto=&_followupto=&_subject=Pr%C3%B3ba+mail+0707+1419 &editorSelector=plain&_priority=0&_store_target=Sent&_draft_saveid=&_draft=&_is_html=0&_framed=1&_message=Teszt+uzenet.

but the audit log contains a line:

ModSecurity: Warning. Matched "Operator `ValidadeByteRange' with parameter `1-255' against variable `ARGS:_subject' (Value: `Pr\xffffffc3\xffffffb3ba mail 0707 1419' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "488"] [id "920270"] [rev "2"] [msg "Invalid character in request (null character)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] [ref "o2,1o3,1v857,21t:urlDecodeUni"]


What am I missing?


Thanks,


a.
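The following is an added example (not code from this post, and not ModSecurity's or the CRS's own implementation) for triaging a 920270 alert like the ones above: it URL-decodes the `_message` value from the curl call, applies the validateByteRange 1-255 check as the rule intends (every UTF-8 byte is in range, so the rule should not fire), and then the same check with each byte widened as a C signed char, which is an assumption about how values such as `\xffffffc3` could appear in the audit log; a constructed value with a real NUL byte shows what a genuine hit looks like.

```python
from urllib.parse import unquote_to_bytes

# Constructed samples: the _message value from the curl call in the post, and
# a value that really does carry a NUL byte for comparison.
MESSAGE_ENC = "Pr%C3%B3ba+%C3%BCzenet."
NUL_ENC = "Pr%00ba"

def url_decode(value):
    """Decode a form-urlencoded value to raw bytes ('+' is a space here)."""
    return unquote_to_bytes(value.replace("+", " "))

def widen(byte, signed_char):
    """Widen one byte to an int the way C would: as an unsigned byte (0..255)
    or, with signed_char, as a 'signed char' (-128..127). The signed case is
    an assumption used to model how 0xC3 could be logged as 0xffffffc3."""
    return byte - 256 if (signed_char and byte >= 0x80) else byte

def validate_byte_range(data, ranges=((1, 255),), signed_char=False):
    """Model of the validateByteRange operator behind rule 920270. Returns the
    offending values (empty list = rule does not fire), shown as 32-bit two's
    complement so they can be compared with the audit log."""
    bad = []
    for b in data:
        v = widen(b, signed_char)
        if not any(lo <= v <= hi for lo, hi in ranges):
            bad.append(v & 0xFFFFFFFF)
    return bad

def render_as_log(data, signed_char=False):
    """Render bytes roughly as the audit log prints a matched value: printable
    ASCII as-is, other bytes as \\xHH, negative widened values as \\xHHHHHHHH."""
    out = []
    for b in data:
        v = widen(b, signed_char)
        if 0x20 <= v < 0x7F:
            out.append(chr(v))
        elif v < 0:
            out.append("\\x%08x" % (v & 0xFFFFFFFF))
        else:
            out.append("\\x%02x" % v)
    return "".join(out)

if __name__ == "__main__":
    msg = url_decode(MESSAGE_ENC)
    print(render_as_log(msg), validate_byte_range(msg))  # clean UTF-8, no hit
    print(render_as_log(msg, True), validate_byte_range(msg, signed_char=True))
    print(render_as_log(url_decode(NUL_ENC)), validate_byte_range(url_decode(NUL_ENC)))
```

Compare the signed-char rendering with the `Value:` field in the audit log: if they agree while the unsigned check returns no offending bytes, the alert is a UTF-8 false positive rather than an actual null byte in the request.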



