coreruleset: Synapse windows command injection false positive
Description
---wxhp0Kfp---B--
PUT /_matrix/federation/v1/send/1668004491987 HTTP/1.1
Content-Length: 1058
User-Agent: Synapse/1.71.0
Content-Type: application/json
Authorization: X-Matrix origin CENSOR
Host: chat.fuo.fi:443
---wxhp0Kfp---C--
{"origin":"libera.chat","origin_server_ts":1668361864315,"pdus":[{"auth_events":["CENSOR","$CENSOR"],"content":{"body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say \"type this one line and you are good\"","format":"org.matrix.custom.html","formatted_body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type this one line and you are good"","msgtype":"m.text"},"depth":552560,"hashes":{"sha256":"CENSOR"},"origin":"libera.chat","origin_server_ts":1668361864211,"prev_events":["CENSOR"],"room_id":"CENSOR","sender":"@Whiskey`:libera.chat","signatures":{"libera.chat":{"ed25519:t4fjCr":"CENSOR"}},"type":"m.room.message","unsigned":{"age_ts":1668361864211}}]}
---wxhp0Kfp---F--
HTTP/1.1 200
Server:
Server:
Date: Sun, 13 Nov 2022 17:51:04 GMT
Content-Type: application/json
Access-Control-Allow-Origin: *
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization, Date
Strict-Transport-Security: max-age=63072000
---wxhp0Kfp---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[;\n\r`]|t[\"\^]*i[\"\^]*m[\"\^]*e|(?:\|)?\||&?&|\{)\s*(?:['(,@\"\s])*(?:(?:(?:[\x5c'\"\^]*\w[\x5c'\"\^]*:.*|[\^\.\w '\"/\x5c]*)\x5c|[\w'\"\./]+\/))?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\" (5113 characters omitted)' against variable `ARGS:json.pdus.array_0.content.formatted_body' (Value: `it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type (36 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "229"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ;type this one line and you are good" found within ARGS:json.pdus.array_0.content.formatted_body: it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just (52 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "CENSOR"] [uri "/_matrix/federation/v1/send/1668004491987"] [unique_id "166836186474.987131"] [ref "o94,41v41,136"]
Audit Logs / Triggered Rule Numbers
932115
Your Environment
- CRS version (e.g., v3.2.0): 4.0-dev
- Paranoia level setting:
- ModSecurity version (e.g., 2.9.3): latest
- Web Server and version (e.g., apache 2.4.41): nginx
- Operating System and version: ubuntu
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 20 (18 by maintainers)
I understand. Thanks for letting us know. Feel free to re-open this issue if you need to take it further in the future.
Closing now.
Hi @fuomag9,
The
formatted_body
parameter is what caused your issue / false positive. It looks likeformatted_body
contains an HTML representation of a given message. HTML is well-known for causing false positives when using the Core Rule Set, unfortunately.We discussed this issue at our project meeting this evening (starting from 20:41:38 UTC, if you want to read the chat history). In line with previous issues we’ve handled regarding passing HTML through CRS, we agreed that this false positive isn’t something we can safely or realistically resolve by changing the offending CRS rule itself. To resolve this false positive you’ll need to tune it away in your CRS/ModSecurity configuration. We have some great documentation on this subject. Let us know if you’d like any help with this or getting started.
Is the service that you had the issue with the Matrix bridge for libera.chat? Are you maintaining a ModSecurity+CRS WAF in front of it?
We would potentially be interested in helping to create a CRS plugin for Matrix, if there is interest in the wider community for this. Such a plugin would resolve false positives like the one you ran into here before they occur. Do you know of anyone else running CRS in front of a Matrix bridge?
I meant i will send a PR so tests can run.