nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars, 606 forks

[BUG] certain requests/regex cause infinite loop #397

Closed. hex2a closed this issue 11 months ago.

hex2a commented 7 years ago

The following requests/rules seem to trigger an infinite loop (calling pcre_exec) in ngx_http_process_basic_rule_buffer.

HTTP request: GET /favicon.ico%0d%0aBCC%weiphohgh5chez5ukachaipiPuPooH8oor6wuv0du7@test.example.com%0d%0afffl%3a%20b

decoded request evaluated by naxsi: /favicon.ico\r\nBCC:weiphohgh5chez5ukachaipiPuPooH8oor6wuv0du7@test.example.com\r\nfff: b

rule: BasicRule "msg:block All URLs" "rx:.*" "mz:URL" "s:$GENERIC:3" id:2000;

gdb and ltrace show that the start_offset argument for pcre_exec remains 13 (\r) and is not increased.

https://github.com/nbs-system/naxsi/blob/6a0378ee7cf0c53df719a1895717c5fa5278a660/naxsi_src/naxsi_runtime.c#L181

buixor commented 7 years ago

It seems to be a pcre issue no ?

atomsnc commented 5 years ago

This issue is due to a flag issue with pcre_compile and pcre_exec.

%0d%0a becomes \r\n when un-escaped. Newlines are not matched by pcre_exec. Hence you see start_offset stuck at 13.

PCRE_DOTALL can be added to pcre_compile: rgc->options = PCRE_CASELESS|PCRE_MULTILINE|PCRE_DOTALL;

and PCRE_NOTEMPTY to pcre_exec: (match = pcre_exec(rl->br->rx->regex->code, 0, (const char *) str->data, str->len, tmp_idx, PCRE_NOTEMPTY, captures, 30)) >= 0

It may or may not affect your whitelisting.

References: https://www.pcre.org/original/doc/html/pcre_exec.html and https://www.pcre.org/original/doc/html/pcre_compile.html