coreruleset: copy, time and more false positives
Description
In #1991, some false positives were found with commonly occurring English words copy
, time
and more
.
curl localhost -d "foo=--I think it would; copy should"
curl localhost -d 'foo=time he came'
curl localhost -d "foo=a hero; more than"
Audit Logs / Triggered Rule Numbers
copy
:
[2021-07-16 08:27:28.301498] [-:error] 127.0.0.1:55372 YPEm0By0s3c8Xzd5uRp5MQAAABY [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|`)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:m[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*q[\\"\\\\^]*l(?:[\\"\\\\^]*(?:d[\\"\\\\^]*u[\\"\\\\^]*m[\\"\\\\^]*p(?:[\\"\\\\^]*s[\\"\\\\^ ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "259"] [id "932110"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ; copy found within ARGS:foo: --I think it would; copy should"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEm0By0s3c8Xzd5uRp5MQAAABY"]
time
:
[2021-07-16 08:18:09.376018] [-:error] 127.0.0.1:55142 YPEkoRy0s3c8Xzd5uRp5MQAAABU [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:^|=)\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\\[\\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:l[\\\\\\\\'\\"]*(?:s(?:[\\\\\\\\'\\"]*(?:b[\\\\\\\\'\\"]*_[\\\\\\\\'\\"]*r[\\\\\\\\'\\"]*e[\\\\\\\\'\\"]*l[\\\\\\\\' ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "467"] [id "932150"] [msg "Remote Command Execution: Direct Unix Command Execution"] [data "Matched Data: time found within ARGS:foo: time he came"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEkoRy0s3c8Xzd5uRp5MQAAABU"]
more
:
[2021-07-16 08:29:29.784520] [-:error] 127.0.0.1:55400 YPEnSRy0s3c8Xzd5uRp5MgAAABc [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|\\\\$\\\\(|\\\\$\\\\(\\\\(|`|\\\\${|<\\\\(|>\\\\(|\\\\(\\\\s*\\\\))\\\\s*(?:{|\\\\s*\\\\(\\\\s*|\\\\w+=(?:[^\\\\s]*|\\\\$.*|\\\\$.*|<.*|>.*|\\\\'.*\\\\'|\\".*\\")\\\\s+|!\\\\s*|\\\\$)*\\\\s*(?:'|\\")*(?:[\\\\?\\\\*\\\\[\\\\]\\\\(\\\\)\\\\-\\\\|+\\\\w'\\"\\\\./\\\\\\\\]+/)?[\\\\\\\\'\\"]*(?:l[\\\\\\\\'\\"]* ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "124"] [id "932100"] [msg "Remote Command Execution: Unix Command Injection"] [data "Matched Data: ; more than found within ARGS:foo: a hero; more than"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEnSRy0s3c8Xzd5uRp5MgAAABc"]
[2021-07-16 08:29:29.784646] [-:error] 127.0.0.1:55400 YPEnSRy0s3c8Xzd5uRp5MgAAABc [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i)(?:;|\\\\{|\\\\||\\\\|\\\\||&|&&|\\\\n|\\\\r|`)\\\\s*[\\\\(,@\\\\'\\"\\\\s]*(?:[\\\\w'\\"\\\\./]+/|[\\\\\\\\'\\"\\\\^]*\\\\w[\\\\\\\\'\\"\\\\^]*:.*\\\\\\\\|[\\\\^\\\\.\\\\w '\\"/\\\\\\\\]*\\\\\\\\)?[\\"\\\\^]*(?:m[\\"\\\\^]*(?:y[\\"\\\\^]*s[\\"\\\\^]*q[\\"\\\\^]*l(?:[\\"\\\\^]*(?:d[\\"\\\\^]*u[\\"\\\\^]*m[\\"\\\\^]*p(?:[\\"\\\\^]*s[\\"\\\\^ ..." at ARGS:foo. [file "/home/dune73/data/git/crs-official/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "259"] [id "932110"] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ; more than found within ARGS:foo: a hero; more than"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "YPEnSRy0s3c8Xzd5uRp5MgAAABc"]
Your Environment
N/A
- CRS version (e.g., v3.2.0): v3.4.0-dev
- Paranoia level setting: 1
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
Possible solutions
-
copy
can only be used to leak data if it’s copied toCON
(standard output). so we could create a separate rule and look forcopy\s+.*\s+[cC][oO][nN]
(and remove it from the word list) -
time
can be used to execute any command (e.g.time ls
). We could amend the existing RCE rules so they havetime
as an optional prefix to the wordlist e.g.(?:time\s+)?
-
more
displays a file and is more tricky as it accepts multiple arguments. This is not really thought through but maybe if we look for dots and slashes we can shave off some FP?
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 18 (18 by maintainers)
@franbuehler could you check out the status here? Chances are this is done now. If not we need to prioritize it.
On the bright side, rule 931130 is being triggered by this payload.
The minium to trigger 931130 is
maybe we need to look for
${}
too, otherwise, it could be bypassed by using prefix or suffix pattern in bash/dash. Something like:more ${PATH:0:1}etc${PATH:0:1}passwd