coreruleset: copy, time and more false positives

Description

In #1991, some false positives were found with commonly occurring English words copy, time and more.

curl localhost -d "foo=--I think it would; copy should"
curl localhost -d 'foo=time he came'
curl localhost -d "foo=a hero; more than"

Audit Logs / Triggered Rule Numbers

copy:

[2021-07-16 08:27:28.301498] [-:error] 127.0.0.1:55372 YPEm0By0s3c8Xzd5uRp5MQAAABY [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|`)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:m[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*q[\\"\\\\^]*l(?:[\\"\\\\^]*(?:d[\\"\\\\^]*u[\\"\\\\^]*m[\\"\\\\^]*p(?:[\\"\\\\^]*s[\\"\\\\^ ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "259"] [id "932110"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ; copy found within ARGS:foo: --I think it would; copy should"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEm0By0s3c8Xzd5uRp5MQAAABY"]

time:

[2021-07-16 08:18:09.376018] [-:error] 127.0.0.1:55142 YPEkoRy0s3c8Xzd5uRp5MQAAABU [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:^|=)\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\\[\\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:l[\\\\\\\\'\\"]*(?:s(?:[\\\\\\\\'\\"]*(?:b[\\\\\\\\'\\"]*_[\\\\\\\\'\\"]*r[\\\\\\\\'\\"]*e[\\\\\\\\'\\"]*l[\\\\\\\\' ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "467"] [id "932150"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: time found within ARGS:foo: time he came"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEkoRy0s3c8Xzd5uRp5MQAAABU"]

more:

[2021-07-16 08:29:29.784520] [-:error] 127.0.0.1:55400 YPEnSRy0s3c8Xzd5uRp5MgAAABc [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|\\\\$\\\\(|\\\\$\\\\(\\\\(|`|\\\\${|<\\\\(|>\\\\(|\\\\(\\\\s*\\\\))\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\\[\\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:l[\\\\\\\\'\\"]* ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "124"] [id "932100"] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: ; more than found within ARGS:foo: a hero; more than"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEnSRy0s3c8Xzd5uRp5MgAAABc"]

[2021-07-16 08:29:29.784646] [-:error] 127.0.0.1:55400 YPEnSRy0s3c8Xzd5uRp5MgAAABc [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|`)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:m[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*q[\\"\\\\^]*l(?:[\\"\\\\^]*(?:d[\\"\\\\^]*u[\\"\\\\^]*m[\\"\\\\^]*p(?:[\\"\\\\^]*s[\\"\\\\^ ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "259"] [id "932110"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ; more than found within ARGS:foo: a hero; more than"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEnSRy0s3c8Xzd5uRp5MgAAABc"]

Your Environment

N/A

  • CRS version (e.g., v3.2.0): v3.4.0-dev
  • Paranoia level setting: 1

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

Possible solutions

  • copy can only be used to leak data if it’s copied to CON (standard output). So we could create a separate rule and look for copy\s+.*\s+[cC][oO][nN] (and remove it from the word list)
  • time can be used to execute any command (e.g. time ls). We could amend the existing RCE rules so they have time as an optional prefix to the wordlist e.g. (?:time\s+)?
  • more displays a file and is more tricky as it accepts multiple arguments. This is not really thought through but maybe if we look for dots and slashes we can shave off some FP?

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 18 (18 by maintainers)

Most upvoted comments

@franbuehler could you check out the status here? Chances are this is done now. If not we need to prioritize it.

On the bright side, rule 931130 is being triggered by this payload.

$ curl localhost -d 'foo=more ${PATH:0:1}etc${PATH:0:1}passwd'

The minimum to trigger 931130 is

$ curl localhost -d 'foo=${PATH:0:1}' -H "PL: 1"

more displays a file and is more tricky as it accepts multiple arguments. This is not really thought through but maybe if we look for dots and slashes we can shave off some FP?

maybe we need to look for ${} too, otherwise, it could be bypassed by using prefix or suffix pattern in bash/dash. Something like: more ${PATH:0:1}etc${PATH:0:1}passwd
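The following is an added example, not code from the CoreRuleSet or from anyone in this thread. It models the three proposals in the "Possible solutions" list and the ${} remark in the last comment as simplified regexes, then runs both the current-style patterns and the proposed ones over the three reported false-positive values and over the command-like values quoted on the page. The regexes are stand-ins that only reproduce the shape of the 932100/932110/932150 patterns seen in the audit log (a separator or value start followed by a word list); the word lists are deliberately tiny, the names copy_to_con and more_with_path are hypothetical, and the "; copy notes.txt con" sample is constructed from the issue's own description.

```python
import re

# Added example (not CRS code): simplified stand-ins for the SHAPE of the
# 932xxx patterns quoted in the issue log, i.e. a separator or value start
# followed by a word from a list. Word lists are tiny on purpose.

# Separator prefix, as in the 932100 / 932110 injection rules.
SEP = r"(?:;|\||&|`|\n|\r)\s*"
# Start-of-value prefix, as in the 932150 direct-execution rule.
START = r"(?:^|=)\s*"

# "Current" shape: a bare word straight after the separator / value start.
CURRENT = {
    "932100_unix_injection": re.compile(SEP + r"(?:ls|more|time)\b"),
    "932110_win_injection": re.compile(SEP + r"(?:copy|more)\b", re.I),
    "932150_unix_direct": re.compile(START + r"(?:ls|more|time)\b"),
}

# "Proposed" shape, following the three ideas in the issue plus the ${}
# remark from the comments (copy_to_con / more_with_path are hypothetical):
#  - copy: separate rule that requires a CON target; copy leaves the word list
#  - time: optional prefix in front of the remaining words, not a list entry
#  - more: needs a path-looking argument (dot/slash) or a ${...} expansion
PROPOSED = {
    "copy_to_con": re.compile(r"\bcopy\s+.*\s+con\b", re.I),
    "932100_unix_injection": re.compile(SEP + r"(?:time\s+)?(?:ls)\b"),
    "932150_unix_direct": re.compile(START + r"(?:time\s+)?(?:ls)\b"),
    "more_with_path": re.compile(r"\bmore\s+(?:\S*[./]\S*|\S*\$\{)"),
}

# The three benign argument values reported as false positives in the issue.
BENIGN = [
    "--I think it would; copy should",
    "time he came",
    "a hero; more than",
]

# Command-like values the rules exist to catch. The copy line is constructed
# from the issue's description (copy to CON behind a separator); the other
# two are quoted from the issue body and its comments.
SUSPICIOUS = [
    "; copy notes.txt con",
    "time ls",
    "more ${PATH:0:1}etc${PATH:0:1}passwd",
]


def evaluate(rules, value):
    """Sorted names of the rules in `rules` whose pattern matches the value."""
    return sorted(name for name, rx in rules.items() if rx.search(value))


def false_positives(rules, values=BENIGN):
    """Benign values that still fire, mapped to the rule names that fired."""
    hits = {v: evaluate(rules, v) for v in values}
    return {v: names for v, names in hits.items() if names}


def misses(rules, values=SUSPICIOUS):
    """Command-like values that no rule in `rules` catches."""
    return [v for v in values if not evaluate(rules, v)]


if __name__ == "__main__":
    for label, rules in (("current", CURRENT), ("proposed", PROPOSED)):
        print(f"{label}: false positives={false_positives(rules)} "
              f"misses={misses(rules)}")
```

With the current-style patterns the three benign values fire exactly the rule ids shown in the audit log (932110 for copy, 932150 for time, 932100 plus 932110 for more); with the proposed shape none of them fire and the three command-like values are still caught. One thing to keep in mind about the proposed copy pattern: the `.*` in `copy\s+.*\s+con\b` spans the whole argument value, so a sentence such as "copy the file to the con" would still match; a real change to the rule set should be checked against the full CRS regression tests rather than against the handful of samples used here.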