False-positive triggering of OWASP CRS rule 920420 with libmodsecurity 3.0.0-rc1

[defanator]

Configuration - nginx/1.13.4 + ModSecurity-nginx + libmodsecurity (3.0.0-rc1 / 04f7009), with OWASP CRS v3.0.2.

Request:

$ curl -XPOST -d 'd=b'  -v http://localhost/modsec-full/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /modsec-full/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 3
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 3 out of 3 bytes
< HTTP/1.1 403 Forbidden
< Server: nginx/1.13.4
< Date: Thu, 31 Aug 2017 16:09:28 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< 
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.13.4</center>
</body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact

Logs:

2017/08/31 16:09:28 [info] 15815#15815: *2 [client 127.0.0.1] ModSecurity: Warning. Matched "Operator `Rx' with parameter `^%{tx.allowed_request_content_type}$' against variable `TX:0' (Value: `application/x-www-form-urlencoded' ) [file "/etc/nginx/modsec/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "911"] [id "920420"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "2"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [ref "v0,4o0,33o0,33v112,33"] [hostname "127.0.0.1"] [uri "/modsec-full/"] [unique_id "150419576835.295343"], client: 127.0.0.1, server: , request: "POST /modsec-full/ HTTP/1.1", host: "localhost"
2017/08/31 16:09:28 [info] 15815#15815: *2 [client 127.0.0.1] ModSecurity: Access denied with code %d (phase 2). Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/modsec-full/"] [unique_id "150419576835.295343"] [ref ""], client: 127.0.0.1, server: , request: "POST /modsec-full/ HTTP/1.1", host: "localhost"
2017/08/31 16:09:28 [warn] 15815#15815: *2 [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "127.0.0.1"] [uri "/modsec-full/"] [unique_id "150419576835.295343"] [ref ""], client: 127.0.0.1, server: , request: "POST /modsec-full/ HTTP/1.1", host: "localhost"
2017/08/31 16:09:28 [info] 15815#15815: *2 [client 127.0.0.1] ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.inbound_anomaly_score_threshold}' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "61"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Request content type is not allowed by policy'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""] [hostname "127.0.0.1"] [uri "/modsec-full/"] [unique_id "150419576835.295343"] while logging request, client: 127.0.0.1, server: , request: "POST /modsec-full/ HTTP/1.1", host: "localhost"

So far I tracked this down to the following changeset: 039bd2c

Library built from previous changeset (ca9cbf4) works fine with the same configuration/request:

$ curl -XPOST -d 'd=b'  -v http://localhost/modsec-full/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /modsec-full/ HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Length: 3
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 3 out of 3 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.13.4
< Date: Thu, 31 Aug 2017 16:23:38 GMT
< Content-Type: text/plain
< Content-Length: 39
< Connection: keep-alive
< 
Thank you for requesting /modsec-full/
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact

[defanator]

Debug logs for both cases are here: https://gist.github.com/defanator/0a9658a07ed6eb005fe94162cebfba1d

Diff show something strange with variable saving parts:

--- modsec-debug-ok.log 2017-08-31 16:46:54.998207164 +0000
+++ modsec-debug-fail.log       2017-08-31 16:50:40.620265147 +0000
@@ -188,7 +188,7 @@
 [9] Matched vars updated.
 [9] Rule contains a `pass' action
 [4] Running [independent] (non-disruptive) action: setvar
-[8] Saving variable: TX:allowed_methods with value: GET HEAD POST OPTIONS'
+[8] Saving variable: TX:allowed_methods with value: GET HEAD POST OPTIONS
 [4] Rule returned 1.
 [9] (SecDefaultAction) Running action: log
 [9] Saving transaction to logs
@@ -203,7 +203,7 @@
 [9] Matched vars updated.
 [9] Rule contains a `pass' action
 [4] Running [independent] (non-disruptive) action: setvar
-[8] Saving variable: TX:allowed_request_content_type with value: application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'
+[8] Saving variable: TX:allowed_request_content_type with value: application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain
 [4] Rule returned 1.
 [9] (SecDefaultAction) Running action: log
 [9] Saving transaction to logs
@@ -218,7 +218,7 @@
 [9] Matched vars updated.
 [9] Rule contains a `pass' action
 [4] Running [independent] (non-disruptive) action: setvar
-[8] Saving variable: TX:allowed_http_versions with value: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'
+[8] Saving variable: TX:allowed_http_versions with value: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
 [4] Rule returned 1.
...

[victorhora]

Hi @defanator

So you're right when mentioning that change set 039bd2c is when the issue started happening here. Indeed this fixes the implicit negated operator used by a few CRS rules (including 920420) but then this leads into another issue.

After a while debugging the issue I finally realized that the problem was that the last condition in that chained rule was matching simply because macro expansion for the @rx operator (which is implicit there) is not working :(

So this immediately reminded me of issue #1528. I've read and tested PR #1536 and confirm that issue is fixed when macro expansion is enabled for @rx.

Thanks a lot for that comprehensive bug report :)