ReJeCtAll / naxsi

Automatically exported from code.google.com/p/naxsi
Other
0 stars 0 forks source link

WAF Bypass (Issue posted to Bugtraq) #65

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
From Bugtraq (http://www.securityfocus.com/archive/1/526093/30/0/threaded)

Delivered-To: xxx@gmail.com
Received: by 10.220.33.69 with SMTP id g5csp83461vcd;
        Tue, 26 Mar 2013 07:07:04 -0700 (PDT)
X-Received: by 10.50.20.135 with SMTP id n7mr1390788ige.31.1364306823931;
        Tue, 26 Mar 2013 07:07:03 -0700 (PDT)
Return-Path: <bugtraq-return-50936-xxx=gmail.com@securityfocus.com>
Received: from sf01smtp2.securityfaocus.com (smtp.securityfocus.com. 
[143.127.139.113])
        by mx.google.com with ESMTP id s2si3531767igj.54.2013.03.26.07.07.03;
        Tue, 26 Mar 2013 07:07:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of 
bugtraq-return-50936-xxx=gmail.com@securityfocus.com designates 143.127.139.113 
as permitted sender) client-ip=143.127.139.113;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bugtraq-return-50936-xxx=gmail.com@securityfocus.com designates 143.127.139.113 as permitted sender) smtp.mail=bugtraq-return-50936-xxx=gmail.com@securityfocus.com
Received: from lists.securityfocus.com (lists.securityfocus.com 
[192.168.120.36])
    by sf01smtp2.securityfocus.com (Postfix) with QMQP
    id 835478036D; Tue, 26 Mar 2013 08:01:23 -0700 (PDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 27216 invoked from network); 26 Mar 2013 02:07:32 -0000
Date: Tue, 26 Mar 2013 02:00:16 GMT
Message-Id: <201303260200.r2Q20GWa019407@sf01web1.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: safe3q@gmail.com
To: bugtraq@securityfocus.com
Subject: Report OWASP WAF Naxsi bypass Vulnerability

OWASP WAF Naxsi bypass Vulnerability

Certain unspecified input is not properly handed in
naxsi_src/naxsi_utils.c naxsi_unescape_uri(u_char **dst, u_char **src,
size_t size, ngx_uint_t type) before being used to filtered. This can
be exploited to bypass some WAF rules.

Naxsi site
https://code.google.com/p/naxsi/

Affected
All the version

My site
http://safe3.com.cn/

My nick name is Safe3

It happens like that,the naxsi_unescape_uri function process the % url
decode,if the next char after the % is a hex char and not after the
hex char,then it will drop the % and the next char.So if we input a
sql keyword "s%elect",it will come to "slect" instead,this is not the
standard url decode way.Such as the IIS asp,it will process the
"s%elect" as a result of "select",so we can bypass some
WAF rules just like that.

I afford a standard url decode function patch as the follow to fix this issue:
void
ngx_unescape_uri(u_char **dst, u_char **src, size_t size, ngx_uint_t type)
{
    u_char  *d, *s, ch, c, decoded;
    enum {
        sw_usual = 0,
        sw_quoted,
        sw_quoted_second
    } state;

    d = *dst;
    s = *src;

    state = 0;
    decoded = 0;

    while (size--) {

        ch = *s++;

        switch (state) {
        case sw_usual:
            if (ch == '?'
                && (type & (NGX_UNESCAPE_URI|NGX_UNESCAPE_REDIRECT)))
            {
                *d++ = ch;
                goto done;
            }

            if (ch == '%'&&size>1) {
                ch=*s;
                c = (u_char) (ch | 0x20);
                if ((ch >= '0' && ch <= '9')||(c >= 'a' && c <= 'f')) {
                ch=*(s+1);
                c = (u_char) (ch | 0x20);
                if ((ch >= '0' && ch <= '9')||(c >= 'a' && c <= 'f')) {
                state = sw_quoted;
                break;
                }
                }
                *d++ = '%';
                break;
            }

            if (ch == '+') {
                *d++ = ' ';
                break;
            }

            *d++ = ch;
            break;

        case sw_quoted:

            if (ch >= '0' && ch <= '9') {
                decoded = (u_char) (ch - '0');
                state = sw_quoted_second;
                break;
            }

            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                decoded = (u_char) (c - 'a' + 10);
                state = sw_quoted_second;
                break;
            }

            /* the invalid quoted character */

            state = sw_usual;

            *d++ = ch;

            break;

        case sw_quoted_second:

            state = sw_usual;

            if (ch >= '0' && ch <= '9') {
                ch = (u_char) ((decoded << 4) + ch - '0');

                if (type & NGX_UNESCAPE_REDIRECT) {
                    if (ch > '%' && ch < 0x7f) {
                        *d++ = ch;
                        break;
                    }

                    *d++ = '%'; *d++ = *(s - 2); *d++ = *(s - 1);

                    break;
                }

                *d++ = ch;

                break;
            }

            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                ch = (u_char) ((decoded << 4) + c - 'a' + 10);

                if (type & NGX_UNESCAPE_URI) {
                    if (ch == '?') {
                        *d++ = ch;
                        goto done;
                    }

                    *d++ = ch;
                    break;
                }

                if (type & NGX_UNESCAPE_REDIRECT) {
                    if (ch == '?') {
                        *d++ = ch;
                        goto done;
                    }

                    if (ch > '%' && ch < 0x7f) {
                        *d++ = ch;
                        break;
                    }

                    *d++ = '%'; *d++ = *(s - 2); *d++ = *(s - 1);
                    break;
                }

                *d++ = ch;

                break;
            }

            /* the invalid quoted character */

            break;
        }
    }

done:

    *dst = d;
    *src = s;
}

Original issue reported on code.google.com by noloa...@gmail.com on 26 Mar 2013 at 2:27

GoogleCodeExporter commented 8 years ago
Hello,

Even we are not really interested into asp/iis security, a 2-lines patch is 
coming within minutes ;)

Original comment by ori...@gmail.com on 26 Mar 2013 at 2:30

GoogleCodeExporter commented 8 years ago
Patch is commited,

Regarding the vulnerability, the exploitation window is limited to quote less 
SQL injections with two field (max) selected.
The attack can be used to bypass filtering on SQL keywords (mostly, or only), 
but naxsi will still match on other characters, so even without the patch, a :
--------------------------------------------
bla u%nion s%elect foo,bar,baz fr%om bar
--------------------------------------------
or a
--------------------------------------------
bla' ... 
--------------------------------------------

will be still catched (as naxsi matches as well on quotes, commas etc.)

Original comment by ori...@gmail.com on 26 Mar 2013 at 2:57

GoogleCodeExporter commented 8 years ago
some keywords such as and with %and could bypass too, %and union s%elect a  
from b

Original comment by Saf...@gmail.com on 27 Mar 2013 at 2:49

GoogleCodeExporter commented 8 years ago
I appreciate your soon response to fix it.Naxsi is a nice project,hope it will 
be better.

Original comment by Saf...@gmail.com on 27 Mar 2013 at 2:52