DoS by Mod Security and a simple string?


Adrian Crenshaw

Sep 19, 2012, 2:15:30 PM
to isdpo...@googlegroups.com
Hi all,
   Not sure how many sites this would even affect. I found a site that uses Mod_Security, with this as one of the rules:


SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{,10}?\bversion\b.{,20}?\(c\) copyright 1985-.{,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)|c99shell)\b|aventgrup\.<br>))" \
        "phase:4,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'10000001',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"


It seems to be from:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_45_trojans.conf

The issue is, if some content is served up that has something like c99shell or /c99shell/ (or any string, as far as I can tell, that has c99shell and does not have an alphanumeric concatenated on each end) in it, the page will return a 404. This becomes a denial of service issue if this rule is used on a site that takes user submitted content, and the user types in c99shell. Imagine typing this in the title of a forum post and having the forum start to 404 threads/sub-forums. I'm not sure how widespread this rule is, and I have yet to find a forum to test on, but I can show you two sites that must be using the rule (or one close to it) because they will 404 if you put /c99shell/ in your user agent string:

http://www.thismachine.info/
http://www.irongeek.com/browserinfo.php

Anyone know how widespread the rule is, and a forum or blog with comments I can test on? I know Dreamhost seems to use this rule in at least some of its shared environments.

Thanks,
Adrian
http://www.irongeek.com
--
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset Maugham
"The ability to Google can be a serviceable substitute for technical knowledge." ~ Adrian D. Crenshaw
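The following is an added example, not code from the post or from the CRS project: it takes the regular expression from the quoted SecRule (copied as written, except that PCRE's `{,n}?` quantifier is spelled `{0,n}?`, which Python's re module accepts and treats identically) and runs it over constructed response bodies, so you can see which user-supplied strings would make a page 404 under `phase:4 ... deny,status:404`. The forum listing and User-Agent echo page are stand-ins built here for illustration; the quoted rule lists no transformation functions (no `t:lowercase`), so the match is case-sensitive exactly as quoted, and a deployment that adds `t:lowercase` would also catch mixed-case spellings.

```python
import html
import re

# Regex from the ModSecurity rule quoted in the post, copied verbatim apart from
# PCRE's `{,n}?` being spelled `{0,n}?` (equivalent, and unambiguous in Python's re).
# The quoted rule lists no transformation functions (no t:lowercase), so the match
# is case-sensitive here, exactly as written.
TROJAN_RX = re.compile(
    r"(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b"
    r"|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b"
    r"|\.::(?:news remote php shell injection::\.| rhtools\b)"
    r"|ph(?:p(?:(?: commander|-terminal)\b|remoteview)|vayv)|myshell)"
    r"|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985-"
    r".{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\."
    r"|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole| shell)"
    r"|c99shell)\b|aventgrup\.<br>))"
)


def rule_blocks(response_body: str) -> bool:
    """True if the quoted rule (phase 4, RESPONSE_BODY) would fire on this body,
    i.e. ModSecurity would discard the real response and return status 404."""
    return TROJAN_RX.search(response_body) is not None


def render_thread_index(titles: list[str]) -> str:
    """Constructed stand-in for a forum's thread listing (hypothetical, not any real
    forum's markup): user-supplied titles are HTML-escaped, so this is not an XSS
    problem, yet they still reach the response body that the rule inspects."""
    items = "".join(
        f"<li><a href='/thread/{i}'>{html.escape(t)}</a></li>" for i, t in enumerate(titles)
    )
    return f"<html><head><title>Forum index</title></head><body><ul>{items}</ul></body></html>"


def render_browser_info(user_agent: str) -> str:
    """Constructed stand-in for a page that echoes the User-Agent header back, which is
    how the post's User-Agent test gets the string into RESPONSE_BODY."""
    return f"<html><body><p>Your user agent: {html.escape(user_agent)}</p></body></html>"


def offending_titles(titles: list[str]) -> list[str]:
    """Titles that, on their own, make a rendered listing page 404 under this rule.
    A site operator could run this over existing content before enabling the rule."""
    return [t for t in titles if rule_blocks(render_thread_index([t]))]


if __name__ == "__main__":
    listing = ["Weekend plans", "How do I remove c99shell from my host?", "Ruby gems"]
    # One title is enough to make the whole listing page disappear behind a 404.
    print("thread index 404s:", rule_blocks(render_thread_index(listing)))
    # \b on both sides: "/c99shell/" fires, "xc99shellx" and "c99shells" do not.
    print("poisoning titles:", offending_titles(listing + ["xc99shellx", "c99shells", "/c99shell/"]))
    # Same mechanism via a reflected request header.
    print("UA test 404s:", rule_blocks(render_browser_info("Mozilla/5.0 /c99shell/")))
```

The `offending_titles` check is the practical takeaway: because the rule inspects the response body rather than the request, any page that reflects stored or request-supplied text (thread titles, comments, a User-Agent echo) inherits the rule's deny action for everyone who views it, not just the user who submitted the string.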
