
List:       mod-security-users
Subject:    Re: [mod-security-users] Apache crashes with sigsev when using a chained rule with status page
From:       Chaim Sanders <CSanders () trustwave ! com>
Date:       2016-06-29 3:03:06
Message-ID: D398B1BC.1D940%csanders () trustwave ! com

So if I'm understanding correctly, I'll give you the following tidbit.

Because the ctl is run during transaction processing it needs to be able
to find the ID it's trying to remove already read into memory. In this case
if the ctl:removetargetbyID is after, it will cause all sorts of nasty
issues. There is a note in the reference manual about this but it is
small:
<https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#ctl>.
Just something to think about. Try changing it to be BEFORE the rule you
are removing and seeing if that helps.

Also, FYI and for complication's sake, SecRuleRemoveByID must be AFTER the
rule because it is interpreted as rules are being loaded on startup.
--
Chaim Sanders
Security Researcher

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
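
The ordering described in the reply above, turned into a check (an added example, not part of the original message and not ModSecurity project code): it scans a configuration flattened into load order and reports every `ctl:ruleRemove...ById` that loads after its target rule and every `SecRuleRemoveById` that loads before it. The sample configuration, the placeholder rule bodies, rule ID 100001 and the helper name `check_order` are assumptions made for illustration.

```python
import re

ID_RE = re.compile(r"\bid:'?(\d+)")
CTL_RE = re.compile(r"ctl:ruleRemove(?:Target)?ById=(\d+)", re.I)
STARTUP_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.I)

# Constructed sample in load order (includes already flattened). Rule bodies
# for 960017 and 100001 are placeholders, not the real CRS rule text.
SAMPLE = r'''# flattened config, constructed for this example
SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" "id:960017,phase:2,pass,nolog"
SecRule REQUEST_URI "/server-status" \
    "id:8,phase:1,t:none,nolog,pass,chain"
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
    "t:none,ctl:ruleRemoveTargetById=960017"
SecRuleRemoveById 100001
SecRule ARGS "@contains placeholder" "id:100001,phase:2,pass,nolog"
'''

def check_order(conf_text):
    """Return (statement_no, directive, rule_id) for each exclusion that sits
    on the wrong side of the rule it names, per the ordering in the reply."""
    # Join backslash continuations so every directive is one statement.
    statements = re.sub(r"\\\r?\n", " ", conf_text).splitlines()
    defined, ctl_refs, startup_refs = {}, [], []
    for n, line in enumerate(statements, 1):
        if line.lstrip().startswith("#"):
            continue
        m = STARTUP_RE.match(line)
        if m:
            # Plain numeric IDs only; ranges and quoted lists are skipped.
            startup_refs += [(n, int(t)) for t in m.group(1).split() if t.isdigit()]
            continue
        for rid in ID_RE.findall(line):
            defined.setdefault(int(rid), n)
        ctl_refs += [(n, int(rid)) for rid in CTL_RE.findall(line)]
    findings = []
    for n, rid in ctl_refs:
        # ctl acts per transaction: flag it when the target rule loads earlier.
        if rid in defined and defined[rid] < n:
            findings.append((n, "ctl", rid))
    for n, rid in startup_refs:
        # SecRuleRemoveById acts at load time: the rule must already be loaded.
        if rid not in defined or defined[rid] > n:
            findings.append((n, "SecRuleRemoveById", rid))
    return findings

if __name__ == "__main__":
    for finding in check_order(SAMPLE):
        print(finding)
```

Statement numbers count logical directives after continuation lines are joined, so they can differ from physical line numbers in the file.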









On 6/28/16, 10:44 AM, "Marco A. Carcano" <marco.carcano@itc4u.ch> wrote:

> Hi Chaim,
> 
> thank you for the reply
> 
> I suppose after: here is the snippet of
> /etc/httpd/conf.d/modsecurity.conf
> 
> <IfModule mod_security2.c>
> # ModSecurity Core Rules Set configuration
> IncludeOptional modsecurity.d/*.conf
> IncludeOptional modsecurity.d/activated_rules/*.conf
> # OWASP Modsecurity rules
> Include owasp-modsecurity/520a94b/modsecurity_crs_10_setup.conf
> Include owasp-modsecurity/520a94b/base_rules/*.conf
> Include modsecurity.d/whitelists/apps/apache.conf
> # Default recommended configuration
> SecRuleEngine On
> SecRequestBodyAccess On
> ...
> 
> I used the default shipped with mod security EPEL7 provided RPM package,
> and simply added the following lines:
> 
> # OWASP Modsecurity rules
> Include owasp-modsecurity/520a94b/modsecurity_crs_10_setup.conf
> Include owasp-modsecurity/520a94b/base_rules/*.conf
> Include modsecurity.d/whitelists/apps/apache.conf
> 
> Where  owasp-modsecurity/520a94b is the directory where I installed OWASP
> ruleset and modsecurity.d/whitelists/apps/apache.conf contains
> 
> SecRule REQUEST_URI "/server-status" \
>     "id:8,phase:1,t:none,nolog,pass,chain"
> SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
>     "t:none,ctl:ruleRemoveTargetById=960017"
> 
> As apache.conf is included after OWASP rules I suppose it is loaded, and
> so placed, after the rule I'm trying to remove
> 
> 
> 
> 
> > On 27 Jun 2016, at 20:49, Chaim Sanders <CSanders@trustwave.com> wrote:
> > 
> > Hey Marco,
> > Just checking, did you place those ctl: rules before or after the rule
> > you
> > are trying to remove?
> > --
> > Chaim Sanders
> > Security Researcher
> > 
> > Trustwave | SMART SECURITY ON DEMAND
> > www.trustwave.com <http://www.trustwave.com/>
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On 6/27/16, 7:25 AM, "Marco A. Carcano" <marco.carcano@itc4u.ch> wrote:
> > 
> > > Hi,
> > > 
> > > I start claiming that I'm a newbie with mod_security, so please forgive
> > > me if I made a stupid error, but I'm facing this weird problem:
> > > 
> > > I have the following configuration of apache
> > > 
> > > <Location "/server-status">
> > > SetHandler server-status
> > > Require ip 127.0.0.1
> > > </Location>
> > > 
> > > What I want is to add an exception to the rule 960017 - "Host header
> > > is a numeric IP address" if the request comes from the server itself and the
> > > request is "/server-status"
> > > 
> > > So I added the following rule:
> > > 
> > > SecRule REQUEST_URI "/server-status" \
> > >     "id:8,phase:1,t:none,nolog,pass,chain"
> > > SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
> > >     "t:none,ctl:ruleRemoveTargetById=960017"
> > > 
> > > The problem is that when I try to access /server-status apache crashes
> > > with a SIGSEGV. This is what I got in Apache error log
> > > 
> > > Mon Jun 27 12:52:48.000750 2016] [core:notice] [pid 26173] AH00052:
> > > child
> > > pid 26174 exit signal Segmentation fault (11)
> > > [Mon Jun 27 12:52:48.000823 2016] [core:notice] [pid 26173] AH00052:
> > > child pid 26175 exit signal Segmentation fault (11)
> > > [Mon Jun 27 12:52:48.000833 2016] [core:notice] [pid 26173] AH00052:
> > > child pid 26176 exit signal Segmentation fault (11)
> > > [Mon Jun 27 12:52:48.000858 2016] [core:notice] [pid 26173] AH00052:
> > > child pid 26177 exit signal Segmentation fault (11)
> > > [Mon Jun 27 12:52:48.000864 2016] [core:notice] [pid 26173] AH00052:
> > > child pid 26178 exit signal Segmentation fault (11)
> > > [Mon Jun 27 12:52:49.003472 2016] [core:notice] [pid 26173] AH00052:
> > > child pid 26181 exit signal Segmentation fault (11)
> > > 
> > > I tried both the rules one by one, that is
> > > 
> > > SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \
> > >     "id:84937272,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960017"
> > > 
> > > When I try to access /server-status it works
> > > 
> > > SecRule REQUEST_URI "/server-status" \
> > >     "id:84937272,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960017"
> > > 
> > > When I try to access /server-status it works
> > > 
> > > Software versions are:
> > > 
> > > CentOS 7.2, Selinux permissive, firewalld  disabled
> > > Apache httpd-2.4.6
> > > mod_security mod_security-2.7.3
> > > OWASP latest (520a94b), I enabled only base_rules
> > > 
> > > By the way I tried also compiling latest version of mod_security
> > > (2.9.1)
> > > and I face exactly the same problem
> > > 
> > > Anybody that has any idea to what could be happening?
> > > 
> > > Thanks
> > > 


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

