owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

ModSecurity 2.9.2 Segmentation fault with nginx 1.12.1 #1548

Closed xpflying closed 7 years ago

xpflying commented 7 years ago

Hi: I built ModSecurity 2.9.2 with nginx 1.12.1. When I configure nginx proxy_pass, the nginx worker process exits on signal 11.

Here is my build process. CentOS 7.3 and ModSecurity 2.9.2:

    yum install curl-devel httpd-devel pcre-devel libxml2-devel -y
    ./configure --enable-standalone-module --disable-mlogc --enable-pcre-jit && make

nginx 1.12.1:

    ./configure --prefix=/usr/local/nginx --add-module=../modsecurity-2.9.2/nginx/modsecurity --with-pcre-jit && make && make install
    cp modsecurity-2.9.2/unicode.mapping /usr/local/nginx/conf
    cp modsecurity-2.9.2/modsecurity.conf-recommended /usr/local/nginx/conf/modsecurity.conf

    sed -i 's/^SecRuleEngine.*/SecRuleEngine On/' /usr/local/nginx/conf/modsecurity.conf
    sed -i 's/^SecAuditEngine.*/SecAuditEngine Off/' /usr/local/nginx/conf/modsecurity.conf
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
    cp -rf owasp-modsecurity-crs /usr/local/nginx/conf/
    cd /usr/local/nginx/conf/owasp-modsecurity-crs
    cp crs-setup.conf.example crs-setup.conf
    vim /usr/local/nginx/conf/modsec_includes.conf

    include modsecurity.conf
    include owasp-modsecurity-crs/crs-setup.conf
    include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
    include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
    include owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    include owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
    include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
    include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
    include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
    include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
    include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf

nginx.conf:

    upstream tomcat {
       server 127.0.0.1:8080;
    }
    server {
        listen       80;
        server_name  localhost;
        location / {
           ModSecurityEnabled on;
           ModSecurityConfig  modsec_includes.conf;
           proxy_pass http://tomcat;
        }
    }

[root@localhost tmp]# gdb /usr/local/nginx/sbin/nginx core.15955
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-94.el7
This GDB was configured as "x86_64-redhat-linux-gnu".
Reading symbols from /usr/local/nginx/sbin/nginx...done.
[New LWP 15955]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `nginx: worker process      '.
Program terminated with signal 11, Segmentation fault.
#0  ngx_http_upstream_copy_allow_ranges (r=0x20e2b60, h=0x7ffd3296efd0, offset=<optimized out>) at src/http/ngx_http_upstream.c:5128
5128        if (r->upstream->conf->force_ranges) {
(gdb) bt
#0  ngx_http_upstream_copy_allow_ranges (r=0x20e2b60, h=0x7ffd3296efd0, offset=<optimized out>) at src/http/ngx_http_upstream.c:5128
#1  0x00000000004830d6 in ngx_http_modsecurity_save_headers_out_visitor (data=0x20e2b60, key=<optimized out>, value=<optimized out>) at ../modsecurity-2.9.2/nginx/modsecurity/ngx_http_modsecurity.c:795
#2  0x00007f9c540ec1ad in apr_table_vdo (comp=0x483014 <ngx_http_modsecurity_save_headers_out_visitor>, rec=0x20e2b60, t=<optimized out>, vp=vp@entry=0x7ffd3296f0a0) at tables/apr_tables.c:980
#3  0x00007f9c540ec26f in apr_table_do (comp=comp@entry=0x483014 <ngx_http_modsecurity_save_headers_out_visitor>, rec=rec@entry=0x20e2b60, t=<optimized out>) at tables/apr_tables.c:915
#4  0x00000000004849f4 in ngx_http_modsecurity_save_headers_out (r=0x20e2b60) at ../modsecurity-2.9.2/nginx/modsecurity/ngx_http_modsecurity.c:737
#5  ngx_http_modsecurity_body_filter (r=<optimized out>, in=<optimized out>) at ../modsecurity-2.9.2/nginx/modsecurity/ngx_http_modsecurity.c:1220
#6  0x00000000004178ea in ngx_output_chain (ctx=ctx@entry=0x38480b0, in=in@entry=0x7ffd3296f360) at src/core/ngx_output_chain.c:74
#7  0x00000000004677d2 in ngx_http_copy_filter (r=0x20e2b60, in=0x7ffd3296f360) at src/http/ngx_http_copy_filter_module.c:152
#8  0x000000000045ef61 in ngx_http_range_body_filter (r=0x20e2b60, in=<optimized out>) at src/http/modules/ngx_http_range_filter_module.c:627
#9  0x000000000044103f in ngx_http_output_filter (r=r@entry=0x20e2b60, in=in@entry=0x7ffd3296f360) at src/http/ngx_http_core_module.c:1986
#10 0x0000000000444479 in ngx_http_send_special (r=r@entry=0x20e2b60, flags=flags@entry=1) at src/http/ngx_http_request.c:3355
#11 0x000000000045321a in ngx_http_upstream_finalize_request (r=r@entry=0x20e2b60, u=u@entry=0x20dc140, rc=rc@entry=0) at src/http/ngx_http_upstream.c:4375
#12 0x0000000000453f29 in ngx_http_upstream_process_request (r=r@entry=0x20e2b60, u=u@entry=0x20dc140) at src/http/ngx_http_upstream.c:3963
#13 0x00000000004540ed in ngx_http_upstream_process_upstream (r=r@entry=0x20e2b60, u=u@entry=0x20dc140) at src/http/ngx_http_upstream.c:3875
#14 0x0000000000455c8d in ngx_http_upstream_send_response (u=0x20dc140, r=0x20e2b60) at src/http/ngx_http_upstream.c:3172
#15 ngx_http_upstream_process_header (r=0x20e2b60, u=0x20dc140) at src/http/ngx_http_upstream.c:2334
#16 0x00000000004532b8 in ngx_http_upstream_handler (ev=<optimized out>) at src/http/ngx_http_upstream.c:1245
#17 0x000000000043923b in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
#18 0x0000000000430f18 in ngx_process_events_and_timers (cycle=cycle@entry=0x20d8010) at src/event/ngx_event.c:242
#19 0x0000000000437619 in ngx_worker_process_cycle (cycle=0x20d8010, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:749
#20 0x0000000000435e76 in ngx_spawn_process (cycle=cycle@entry=0x20d8010, proc=proc@entry=0x4375a8 <ngx_worker_process_cycle>, data=data@entry=0x0, name=name@entry=0x4cd4e5 "worker process",
    respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
#21 0x00000000004369db in ngx_start_worker_processes (cycle=cycle@entry=0x20d8010, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:358
#22 0x0000000000437d16 in ngx_master_process_cycle (cycle=cycle@entry=0x20d8010) at src/os/unix/ngx_process_cycle.c:130
#23 0x0000000000413da0 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:375
(gdb) bt full
#0  ngx_http_upstream_copy_allow_ranges (r=0x20e2b60, h=0x7ffd3296efd0, offset=<optimized out>) at src/http/ngx_http_upstream.c:5128
        ho = <optimized out>
#1  0x00000000004830d6 in ngx_http_modsecurity_save_headers_out_visitor (data=0x20e2b60, key=<optimized out>, value=<optimized out>) at ../modsecurity-2.9.2/nginx/modsecurity/ngx_http_modsecurity.c:795
        r = 0x20e2b60
        h = 0x7ffd3296efd0
        he = {hash = 5215665306198305595, key = {len = 13, data = 0x38481b0 "Accept-Ranges"}, value = {len = 5, data = 0x38481be "bytes"}, lowcase_key = 0x3848918 "accept-ranges"}
        hh = <optimized out>
        umcf = 0x20dab48
#2  0x00007f9c540ec1ad in apr_table_vdo (comp=0x483014 <ngx_http_modsecurity_save_headers_out_visitor>, rec=0x20e2b60, t=<optimized out>, vp=vp@entry=0x7ffd3296f0a0) at tables/apr_tables.c:980
        rv = <optimized out>
        i = 0
        argp = 0x0
        elts = 0x20ddac0
        vdorv = 1
#3  0x00007f9c540ec26f in apr_table_do (comp=comp@entry=0x483014 <ngx_http_modsecurity_save_headers_out_visitor>, rec=rec@entry=0x20e2b60, t=<optimized out>) at tables/apr_tables.c:915
        rv = <optimized out>
        vp = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7ffd3296f180, reg_save_area = 0x7ffd3296f0c0}}
#4  0x00000000004849f4 in ngx_http_modsecurity_save_headers_out (r=0x20e2b60) at ../modsecurity-2.9.2/nginx/modsecurity/ngx_http_modsecurity.c:737
        ctx = 0x20e3a70
        upstream = 0x20dc140
#5  ngx_http_modsecurity_body_filter (r=<optimized out>, in=<optimized out>) at ../modsecurity-2.9.2/nginx/modsecurity/ngx_http_modsecurity.c:1220
        cf = <optimized out>
        ctx = 0x20e3a70
        rc = <optimized out>
        content_length = 19089
        cl = <optimized out>
        out = 0x3848148
        last_buf = 1
#6  0x00000000004178ea in ngx_output_chain (ctx=ctx@entry=0x38480b0, in=in@entry=0x7ffd3296f360) at src/core/ngx_output_chain.c:74
        bsize = <optimized out>
        last = <optimized out>
        cl = <optimized out>
        out = 0x101
        last_out = <optimized out>
#7  0x00000000004677d2 in ngx_http_copy_filter (r=0x20e2b60, in=0x7ffd3296f360) at src/http/ngx_http_copy_filter_module.c:152
        rc = <optimized out>
        c = 0x7f9c4e5ff1d0
        ctx = 0x38480b0
        clcf = <optimized out>
        conf = <optimized out>
#8  0x000000000045ef61 in ngx_http_range_body_filter (r=0x20e2b60, in=<optimized out>) at src/http/modules/ngx_http_range_filter_module.c:627
        ctx = 0x0
#9  0x000000000044103f in ngx_http_output_filter (r=r@entry=0x20e2b60, in=in@entry=0x7ffd3296f360) at src/http/ngx_http_core_module.c:1986
        rc = 0
        c = 0x7f9c4e5ff1d0
#10 0x0000000000444479 in ngx_http_send_special (r=r@entry=0x20e2b60, flags=flags@entry=1) at src/http/ngx_http_request.c:3355
        b = <optimized out>
        out = {buf = 0x3848158, next = 0x0}
#11 0x000000000045321a in ngx_http_upstream_finalize_request (r=r@entry=0x20e2b60, u=u@entry=0x20dc140, rc=rc@entry=0) at src/http/ngx_http_upstream.c:4375
        flush = 0
#12 0x0000000000453f29 in ngx_http_upstream_process_request (r=r@entry=0x20e2b60, u=u@entry=0x20dc140) at src/http/ngx_http_upstream.c:3963
        tf = <optimized out>
        p = 0x20dc5e0
#13 0x00000000004540ed in ngx_http_upstream_process_upstream (r=r@entry=0x20e2b60, u=u@entry=0x20dc140) at src/http/ngx_http_upstream.c:3875
        rev = <optimized out>
        p = <optimized out>
        c = <optimized out>
#14 0x0000000000455c8d in ngx_http_upstream_send_response (u=0x20dc140, r=0x20e2b60) at src/http/ngx_http_upstream.c:3172
        c = 0x7f9c4e5ff1d0
        clcf = 0x21027c8
        tcp_nodelay = 32668
        n = <optimized out>
        rc = <optimized out>
        p = 0x20dc5e0
#15 ngx_http_upstream_process_header (r=0x20e2b60, u=0x20dc140) at src/http/ngx_http_upstream.c:2334
        n = <optimized out>
        rc = <optimized out>
        c = <optimized out>
#16 0x00000000004532b8 in ngx_http_upstream_handler (ev=<optimized out>) at src/http/ngx_http_upstream.c:1245
        c = 0x7f9c4e5ff1d0
        r = <optimized out>
        u = <optimized out>
#17 0x000000000043923b in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
        events = 1
        revents = 8197
        instance = <optimized out>
        i = 0
        level = <optimized out>
        err = <optimized out>
        rev = <optimized out>
        wev = <optimized out>
        queue = <optimized out>
        c = 0x7f9c4e5ff470
#18 0x0000000000430f18 in ngx_process_events_and_timers (cycle=cycle@entry=0x20d8010) at src/event/ngx_event.c:242
        flags = 1
        timer = 59987
        delta = 1503760025731
#19 0x0000000000437619 in ngx_worker_process_cycle (cycle=0x20d8010, data=<optimized out>) at src/os/unix/ngx_process_cycle.c:749
        worker = <optimized out>
#20 0x0000000000435e76 in ngx_spawn_process (cycle=cycle@entry=0x20d8010, proc=proc@entry=0x4375a8 <ngx_worker_process_cycle>, data=data@entry=0x0, name=name@entry=0x4cd4e5 "worker process",
    respawn=respawn@entry=-3) at src/os/unix/ngx_process.c:198
        on = 1
        pid = 0
        s = 0
#21 0x00000000004369db in ngx_start_worker_processes (cycle=cycle@entry=0x20d8010, n=1, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:358
        i = 0
        ch = {command = 1, pid = 0, slot = 0, fd = 0}
#22 0x0000000000437d16 in ngx_master_process_cycle (cycle=cycle@entry=0x20d8010) at src/os/unix/ngx_process_cycle.c:130
        title = 0x37e29b8 "master process /usr/local/nginx/sbin/nginx"
        p = <optimized out>
        size = <optimized out>
        i = <optimized out>
        n = <optimized out>
        sigio = <optimized out>
        set = {__val = {0 <repeats 16 times>}}
        itv = {it_interval = {tv_sec = 58599672, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}}
        live = <optimized out>
        delay = <optimized out>
        ls = <optimized out>
        ccf = 0x20d9b40
#23 0x0000000000413da0 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:375
        b = <optimized out>
        log = <optimized out>
        i = <optimized out>
        cycle = 0x20d8010
        init_cycle = {conf_ctx = 0x0, pool = 0x20d7420, log = 0x74f4e0 <ngx_log>, new_log = {log_level = 0, file = 0x0, connection = 0, disk_full_time = 0, handler = 0x0, data = 0x0, writer = 0x0,
            wdata = 0x0, action = 0x0, next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x0, free_connection_n = 0, modules = 0x0, modules_n = 0, modules_used = 0,
          reusable_connections_queue = {prev = 0x0, next = 0x0}, reusable_connections_n = 0, listening = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, paths = {elts = 0x0, nelts = 0, size = 0,
            nalloc = 0, pool = 0x0}, config_dump = {elts = 0x0, nelts = 0, size = 0, nalloc = 0, pool = 0x0}, config_dump_rbtree = {root = 0x0, sentinel = 0x0, insert = 0x0}, config_dump_sentinel = {key = 0,
            left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000', data = 0 '\000'}, open_files = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0},
          shared_memory = {last = 0x0, part = {elts = 0x0, nelts = 0, next = 0x0}, size = 0, nalloc = 0, pool = 0x0}, connection_n = 0, files_n = 0, connections = 0x0, read_events = 0x0, write_events = 0x0,
          old_cycle = 0x0, conf_file = {len = 32, data = 0x20d7470 ""}, conf_param = {len = 0, data = 0x0}, conf_prefix = {len = 22, data = 0x20d7470 ""}, prefix = {len = 17,
            data = 0x4c9256 "/usr/local/nginx/"}, lock_file = {len = 0, data = 0x0}, hostname = {len = 0, data = 0x0}}
        cd = <optimized out>
        ccf = <optimized out>
(gdb)

zimmerle commented 7 years ago

Hi @xpflying,

This is a known issue on nginx for the 2.x family. You may want to use the ModSecurity-nginx connector: www.github.com/SpiderLabs/ModSecurity-nginx

365moods commented 7 years ago

Hi @xpflying.

Try using the branch https://github.com/SpiderLabs/ModSecurity/archive/nginx_refactoring.

xpflying commented 7 years ago

@365moods Thanks, it works.