Home / exploits SOPHOS WAF JSON Filter Bypass
Posted on 28 May 2015
SECURITYLABS INTELLIGENT RESEARCH - SECURITY ADVISORY http://www.securitylabs.com.br/ ADVISORY/0115 - SOPHOS WAF (WEBSERVER PROTECTION) DOES NOT ANALYZE JSON DATA PRIORITY: MEDIUM TYPE: WAF Bypass 1 - About SecurityLabs Intelligent Research ----------------------------------------------- SecurityLabs Intelligent Researh is a team specialized in projects of penetration test(Pentests), security audits and cryptanalysis. It has a group of researchers with more than 15 years of experience. All penetration tests (Pen-Test) conducted by Intruders Tiger Team Security have 100% of success. All cryptanalysis and security audits performed by the team were also well effective. This vulnerability was discovery during a penetration test. 2 - Introduction ------------------ Sophos Webserver Protection uses mod_security. From "http://www.modsecurity.org/": "ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. I like to think about it as an enabler: there are no hard rules telling you what to do; instead, it is up to you to choose your own path through the available features. That's why the title of this section asks what ModSecurity can do, not what it does." We can see yet from Sophos WebServer Protection Site ( https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosutmwebserverprotectiondsna.pdf?la=en ): "Web Application Firewall Our Web Application Firewall intercepts traffic to your servers to protect them from tampering and hacking attempts. It secures your web applications against more than 350 attack patterns including SQL injection, cross-site scripting and directory traversal. We also scan all inbound files and content with our dual antivirus agents to keep infected content off your network." 3 - Description ---------------- SecurityLabs Intelligent Research has found some conditions of bypass of the default signatures of mod_security on Sophos WebServer Protection(ModSecurity) that allows execution of SQL Injection attacks in JSON Requests. Sophos WebServer Protection don't analyze payload when Content-type is JSON. In default instalation, there is no "requestBodyProcessor" defined to check HTTP POST REQUEST BODY when Content-Type is "application/json". 4 - Analysis --------------- There are several ways to analyze this problem, including hacking production's environment, but the simplest way is sent HTTP requests with JSON data in body like this: POST /[URI] HTTP/1.1 Host: [TARGET] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive X-Requested-With: XMLHttpRequest Content-Type: application/json; charset=utf-8 Referer: http://[TARGET]/ Content-Length: 27 Cookie: ASP.NET_SessionId=d0dusce1rrsgx4rvvtwj0br0; _ga=GA1.3.234022554.1429121838; _gat=1 Pragma: no-cache Cache-Control: no-cache {"id":"SQL INJECTION HERE"} 5 - Detection -------------- SecurityLabs Intelligent Research has found this vulnerability in Sophos UTM version 9.310. It is possible that previous versions have the same problem. 6 - Workaround ---------------- Add the follow rule in file '/var/storage/chroot-reverseproxy/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf' to check JSON data too: SecRule REQUEST_HEADERS:Content-Type "application/json" "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=URLENCODED" 7 - Credits ------------- SecurityLabs Intelligent Research and Glaudson Ocampos has discovered this vulnerability. -- Atenciosamente, Glaudson Ocampos Pesquisador de Segurança da Informação SecurityLabs Intelligent Research
