Description
ModSecurity seems to be incorrectly handling Access Denied errors on the filesystem in Windows, preventing it from properly loading modsecurity.conf.
For example in modsecurity.conf:
SecTmpDir c:\foo\bar
Let's say I'm running an application pool with the user "User1". User1 does not have access to c:. It does not have access to c:\foo. It does have access to c:\foo\bar. Process Monitor will show the following result:
11:23:41,4833987 w3wp.exe 2156 QueryOpen C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS CreationTime: 15-4-2014 10:30:08, LastAccessTime: 27-10-2014 10:52:46, LastWriteTime: 15-4-2014 10:30:08, ChangeTime: 27-10-2014 10:53:13, AllocationSize: 104, EndOfFile: 102, FileAttributes: ANCI
11:23:41,4835172 w3wp.exe 2156 CreateFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
11:23:41,4835720 w3wp.exe 2156 QueryInformationVolume C:\Program Files\ModSecurity IIS\modsecurity_iis.conf BUFFER OVERFLOW VolumeCreationTime: 5-6-2014 23:41:33, VolumeSerialNumber: 1E50-4C9A, SupportsObjects: True, VolumeLabel: TEM?
11:23:41,4835907 w3wp.exe 2156 QueryAllInformationFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf BUFFER OVERFLOW CreationTime: 15-4-2014 10:30:08, LastAccessTime: 27-10-2014 10:52:46, LastWriteTime: 15-4-2014 10:30:08, ChangeTime: 27-10-2014 10:53:13, FileAttributes: ANCI, AllocationSize: 104, EndOfFile: 102, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x8000000009143, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Long
11:23:41,4836237 w3wp.exe 2156 ReadFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS Offset: 0, Length: 102, Priority: Normal
11:23:41,4837360 w3wp.exe 2156 CreateFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
11:23:41,4837689 w3wp.exe 2156 QueryInformationVolume C:\Program Files\ModSecurity IIS\modsecurity.conf BUFFER OVERFLOW VolumeCreationTime: 5-6-2014 23:41:33, VolumeSerialNumber: 1E50-4C9A, SupportsObjects: True, VolumeLabel: TEM?
11:23:41,4837812 w3wp.exe 2156 QueryAllInformationFile C:\Program Files\ModSecurity IIS\modsecurity.conf BUFFER OVERFLOW CreationTime: 15-4-2014 10:30:08, LastAccessTime: 27-10-2014 10:52:46, LastWriteTime: 27-10-2014 11:15:00, ChangeTime: 27-10-2014 11:15:00, FileAttributes: ANCI, AllocationSize: 12.288, EndOfFile: 8.816, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xa00000000491f, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Long
11:23:41,4837946 w3wp.exe 2156 ReadFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS Offset: 0, Length: 4.096, Priority: Normal
11:23:41,4841653 w3wp.exe 2156 ReadFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS Offset: 4.096, Length: 4.096
11:23:41,4842574 w3wp.exe 2156 CreateFile C:\ ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:23:41,4843174 w3wp.exe 2156 CreateFile C:\ ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:23:41,4844201 w3wp.exe 2156 CreateFile C:\ ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
11:23:41,4845137 w3wp.exe 2156 CloseFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS
11:23:41,4845342 w3wp.exe 2156 CloseFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS
ModSecurity will try to access c:. If it fails, it's not even going to try to get into c:\foo.
Now, when I give User1 access to c:, Process Monitor will show the following:
11:39:43,3675985 w3wp.exe 3928 QueryOpen C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS CreationTime: 15-4-2014 10:30:08, LastAccessTime: 27-10-2014 10:52:46, LastWriteTime: 15-4-2014 10:30:08, ChangeTime: 27-10-2014 10:53:13, AllocationSize: 104, EndOfFile: 102, FileAttributes: ANCI
11:39:43,3677135 w3wp.exe 3928 CreateFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
11:39:43,3677679 w3wp.exe 3928 QueryInformationVolume C:\Program Files\ModSecurity IIS\modsecurity_iis.conf BUFFER OVERFLOW VolumeCreationTime: 5-6-2014 23:41:33, VolumeSerialNumber: 1E50-4C9A, SupportsObjects: True, VolumeLabel: TEM?
11:39:43,3677824 w3wp.exe 3928 QueryAllInformationFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf BUFFER OVERFLOW CreationTime: 15-4-2014 10:30:08, LastAccessTime: 27-10-2014 10:52:46, LastWriteTime: 15-4-2014 10:30:08, ChangeTime: 27-10-2014 10:53:13, FileAttributes: ANCI, AllocationSize: 104, EndOfFile: 102, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x8000000009143, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Long
11:39:43,3677985 w3wp.exe 3928 ReadFile C:\Program Files\ModSecurity IIS\modsecurity_iis.conf SUCCESS Offset: 0, Length: 102, Priority: Normal
11:39:43,3678942 w3wp.exe 3928 CreateFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
11:39:43,3679276 w3wp.exe 3928 QueryInformationVolume C:\Program Files\ModSecurity IIS\modsecurity.conf BUFFER OVERFLOW VolumeCreationTime: 5-6-2014 23:41:33, VolumeSerialNumber: 1E50-4C9A, SupportsObjects: True, VolumeLabel: TEM?
11:39:43,3679395 w3wp.exe 3928 QueryAllInformationFile C:\Program Files\ModSecurity IIS\modsecurity.conf BUFFER OVERFLOW CreationTime: 15-4-2014 10:30:08, LastAccessTime: 27-10-2014 10:52:46, LastWriteTime: 27-10-2014 11:38:00, ChangeTime: 27-10-2014 11:38:00, FileAttributes: ANCI, AllocationSize: 12.288, EndOfFile: 8.788, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xa00000000491f, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Long
11:39:43,3679524 w3wp.exe 3928 ReadFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS Offset: 0, Length: 4.096, Priority: Normal
11:39:43,3683116 w3wp.exe 3928 ReadFile C:\Program Files\ModSecurity IIS\modsecurity.conf SUCCESS Offset: 4.096, Length: 4.096
11:39:43,3684018 w3wp.exe 3928 CreateFile C:\ SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
11:39:43,3684312 w3wp.exe 3928 QueryDirectory C:\foo SUCCESS Filter: foo, 1: foo
11:39:43,3684578 w3wp.exe 3928 CloseFile C:\ SUCCESS
11:39:43,3685355 w3wp.exe 3928 CreateFile C:\foo SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
11:39:43,3685704 w3wp.exe 3928 QueryDirectory C:\foo\bar SUCCESS Filter: bar, 1: bar
The same goes for SecAuditLog. If ModSecurity is unable to get into that folder, it will write something like this to the Event Viewer:
Syntax error in config file C:\Program Files\ModSecurity IIS\modsecurity.conf, line 194: Command failed to execute (check file/folder permissions, syntax, etc.).
So even though the ACL might be correct, ModSecurity seems to want everything to be okay along the entire folder path.
I hope someone is willing to look into this issue and fix this (or correct me if I'm wrong ;)), as in my scenario I do not want to lower security by adding the user ACL to the root disk.
TL;DR: If you want to use a folder like this: SecTmpDir c:\foo\bar, not just the folder 'bar' needs the correct ACL, but also c:\foo and c:\, for ModSecurity to be able to work.
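An added example to go with the report above (it is not part of the original issue and not ModSecurity's own code): a PowerShell check that walks every ancestor of the directory named in SecTmpDir (or the folder holding SecAuditLog) and reports whether a given identity holds List Directory / Read Data on each of them, since that is exactly the access the Process Monitor trace shows w3wp.exe requesting on C:\ and C:\foo before it reaches C:\foo\bar. The identity name and path used in the usage line are assumptions; only ACEs naming the identity itself or a few well-known groups are counted, so other group memberships and GENERIC_* masks are not expanded.

```powershell
# Added example; not from the issue or from ModSecurity. Walks every ancestor of a
# ModSecurity directory and reports whether an identity holds List Directory / Read
# Data on each one, which is the access the trace shows w3wp.exe requesting on C:\
# and C:\foo before it ever reaches C:\foo\bar. Identity and path are assumptions.

function Get-AncestorPaths {
    param([Parameter(Mandatory)][string]$Path)
    $dirs = @()
    $cur = [System.IO.Path]::GetFullPath($Path)
    while ($cur) {
        $dirs += $cur
        $cur = [System.IO.Path]::GetDirectoryName($cur)   # $null once we pass the root
    }
    [array]::Reverse($dirs)                                # root first, target last
    return ,$dirs
}

function Test-ModSecDirAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity   # e.g. 'IIS AppPool\MyPool' or 'MACHINE\User1'
    )
    # Only ACEs naming the identity itself or these well-known groups are counted;
    # other group memberships and GENERIC_* access masks are not expanded here.
    $principals = @($Identity, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $listRight  = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory

    foreach ($dir in Get-AncestorPaths -Path $Path) {
        if (-not (Test-Path -LiteralPath $dir)) {
            [pscustomobject]@{ Path = $dir; ListDirectory = $false; Note = 'missing' }
            continue
        }
        # Keep the ACEs (explicit or inherited) that name one of our principals and
        # carry the List Directory bit, then separate Deny from Allow.
        $rules = (Get-Acl -LiteralPath $dir).Access |
            Where-Object { $principals -contains $_.IdentityReference.Value -and
                           (([int]($_.FileSystemRights)) -band $listRight) -ne 0 }
        $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
        $allow = @($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
        $note  = 'no matching ACE'
        if ($deny.Count -gt 0)      { $note = 'explicit deny' }
        elseif ($allow.Count -gt 0) { $note = 'ok' }
        [pscustomobject]@{
            Path          = $dir
            ListDirectory = ($allow.Count -gt 0 -and $deny.Count -eq 0)
            Note          = $note
        }
    }
}

# Usage (assumed names): the first row with ListDirectory = False is the directory
# that produces the ACCESS DENIED seen in Process Monitor.
Test-ModSecDirAccess -Path 'C:\foo\bar' -Identity 'IIS AppPool\DefaultAppPool' | Format-Table -AutoSize

# If you do decide to open the parents, the narrowest grant is Read Data/List
# Directory on that folder only, with no inheritance to its children:
#   icacls C:\     /grant "User1:(RD)"
#   icacls C:\foo  /grant "User1:(RD)"
```

Run it from an elevated prompt so Get-Acl can read the root's security descriptor. Because the check looks at ACEs rather than performing the open as the app pool identity, treat a "no matching ACE" row as "verify by hand" rather than a definite failure when the identity gets its access through a domain group.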