contact@shookalabs.com

ShookaLabs

Cutting Edge Agile Web Development and Security Consulting

Advisories

2013/05/27 - [CVE-2013-2765] ModSecurity Null Pointer Dereference DoS

When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable" (in phase 1).

In addition to the segfault that occurs here, ModSecurity will not remove the temporary request body file and the temporary directory (set by the "SecTmpDir" directive) will keep growing until saturation.

As an example, in the latest core rule set (2.2.7), "forceRequestBodyVariable" can be triggered by sending a POST request with some random "Content-Type" (rule 960010).

Payload example:

curl -v "http://localhost/" -d @file_bigger_than_128kb -H"Content-Type: text/random"

Exploit:

https://github.com/shookalabs/exploits/blob/master/modsecurity_cve_2013_2765_check.py

Copyright © 2013. ShookaLabs