As many of you may have heard, there is an interesting Java DoS scenario out -
http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/ http://blog.fortify.com/blog/2011/02/08/Double-Trouble http://blogs.adobe.com/asset/2011/02/year-of-the-snail.html When I first saw this issue, I quickly tweeted out a modsec rule that would identify if anyone submitted the example payload being shown in many PoC payloads - SecRule ARGS|REQUEST_HEADERS "@contains 2.2250738585072012e-308" "phase:2,block,msg:'Java Floating Point DoS Attack',tag:'CVE-2010-4476'" While this provides some protection, it was by no means comprehensive. So here is an updated ModSecurity ruleset. With the use of the ModSecurity Lua API, we (myself and Josh Zatlin/Jamuse of PureHacking) came up with a new Generation 2 detection mechanism similar to what Brian Sullivan (Adobe) presented below. First step is to inspect the ARGS and REQUEST_HEADERS data using a regex to match on potential floating point payloads - SecRule ARGS|REQUEST_HEADERS "[0-9\.]{12,}e-[0-9]{3,}" "phase:2,t:none,t:lowercase,nolog,pass,exec:/usr/local/apache/conf/modsec_c urrent/base_rules/FloatingPointDoSAttack.lua" If a payload is found that matches the regex check, ModSecurity will execute an external Lua script. The lua script then extracts out payloads, strips out the "." and then searches for the MagicDoSNumber. If this is found, then a TX variable is exported - ################################# #!/opt/local/bin/lua function main() local Pattern = 2225073858507201; -- Get the ModSec collections local Headers = m.getvars("REQUEST_HEADERS"); local Args = m.getvars("ARGS"); for i = 1, #Headers do FilteredPattern,NumChanges=string.gsub(Headers[i].value, "[.]", "") if string.gmatch(FilteredPattern, Pattern) then m.setvar("tx.floatingpointdos", Headers[i].name) return ("Potential Floating Point DoS Attack via variable: " ..Headers[i].name .. "."); end end for i = 1, #Args do FilteredPattern,NumChanges=string.gsub(Args[i].value, "[.]", "") if string.gmatch(FilteredPattern, Pattern) then m.setvar("tx.floatingpointdos", Args[i].name) return ("Potential Floating Point DoS Attack via variable: " ..Args[i].name .. "."); end end return nil; end ################################# Then we have one follow-up rule that checks if the TX:FLOATINGPOINTDOS variable is set - SecRule TX:FLOATINGPOINTDOS ".*" "phase:2,t:none,log,block,msg:'Floating Point DoS Payload Found.',logdata:'Location: %{matched_var}',tag:'CVE-2010-4476'" We have conducted some tests with different payloads and this appears to work pretty well. If you find any issues please let me know. Cheers, Ryan ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
