
AFL fuzzer reports

Open chenuduss opened this issue 1 month ago • 3 comments

ModSecurity 3.0.14

Initializing ModSecurity and RulesSet...
Rules loaded successfully.
Attempting to initialize ModSecurity collections via temp Transaction...
Collections initialization attempt completed.
__AFL_INIT()...
__AFL_INIT() done.
Entering __AFL_LOOP...
Processing transaction with size: 2781
=================================================================
==3852341==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000095c9 at pc 0x58e2bae3cafc bp 0x7ffd52f8b8a0 sp 0x7ffd52f8b898
READ of size 1 at 0x6110000095c9 thread T0
    #0 0x58e2bae3cafb in cstrcasecmp_with_null /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:530:14
    #1 0x58e2bae3bec1 in is_black_attr /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:660:21
    #2 0x58e2bae3812e in libinjection_is_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:749:20
    #3 0x58e2bae3f02c in libinjection_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:844:9
    #4 0x58e2bad08423 in modsecurity::operators::DetectXSS::evaluate(modsecurity::Transaction*, modsecurity::RuleWithActions*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/operators/detect_xss.cc:32:14
    #5 0x58e2bad1a042 in modsecurity::operators::Operator::evaluateInternal(modsecurity::Transaction*, modsecurity::RuleWithActions*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/operators/operator.cc:75:16
    #6 0x58e2bab44487 in modsecurity::RuleWithOperator::executeOperatorAt(modsecurity::Transaction*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_operator.cc:117:29
    #7 0x58e2bab3945d in modsecurity::RuleWithOperator::evaluate(modsecurity::Transaction*, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_operator.cc:299:34
    #8 0x58e2baaff6a1 in modsecurity::RuleWithActions::evaluate(modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_actions.cc:183:12
    #9 0x58e2ba7ef9f7 in modsecurity::RulesSet::evaluate(int, modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rules_set.cc:210:19
    #10 0x58e2ba74c97a in modsecurity::Transaction::processRequestBody() /FuZZ/CPP/ModSecurity/ModSecurity/src/transaction.cc:869:20
    #11 0x58e2ba6e739e in ExecuteTransactionLogic(unsigned char const*, unsigned long) /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:44:9
    #12 0x58e2ba6ebcd1 in main /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:163:13
    #13 0x7f1dd1c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f1dd1c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #15 0x58e2ba621334 in _start (/FuZZ/Check-crushes/modsec/modsec_persistent_fuzzer+0x40d334) (BuildId: 500fae1eca47252b)

0x6110000095c9 is located 0 bytes to the right of 201-byte region [0x611000009500,0x6110000095c9)
allocated by thread T0 here:
    #0 0x58e2ba6a4d42 in malloc (/FuZZ/Check-crushes/modsec/modsec_persistent_fuzzer+0x490d42) (BuildId: 500fae1eca47252b)
    #1 0x7f1dd20bb903 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xbb903) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
    #2 0x58e2ba711f99 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.tcc:229:14
    #3 0x58e2bab2d179 in std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, true>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_pair.h:688:4
    #4 0x58e2bab2cf28 in void std::__new_allocator<std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::construct<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:191:23
    #5 0x58e2bab2cf28 in void std::allocator_traits<std::allocator<std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > >::construct<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::allocator<std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >&, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:538:8
    #6 0x58e2bab2cf28 in std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >* std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::_M_create_node<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_list.h:713:4
    #7 0x58e2bab2c648 in void std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::_M_insert<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::_List_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_list.h:2005:18
    #8 0x58e2bab26f35 in std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >& std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::emplace_back<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_list.h:1321:10
    #9 0x58e2bab269b3 in modsecurity::RuleWithActions::executeTransformations(modsecurity::Transaction const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_actions.cc:438:13
    #10 0x58e2bab3911e in modsecurity::RuleWithOperator::evaluate(modsecurity::Transaction*, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_operator.cc:294:13
    #11 0x58e2baaff6a1 in modsecurity::RuleWithActions::evaluate(modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_actions.cc:183:12
    #12 0x58e2ba7ef9f7 in modsecurity::RulesSet::evaluate(int, modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rules_set.cc:210:19
    #13 0x58e2ba74c97a in modsecurity::Transaction::processRequestBody() /FuZZ/CPP/ModSecurity/ModSecurity/src/transaction.cc:869:20
    #14 0x58e2ba6e739e in ExecuteTransactionLogic(unsigned char const*, unsigned long) /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:44:9
    #15 0x58e2ba6ebcd1 in main /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:163:13
    #16 0x7f1dd1c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7f1dd1c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #18 0x58e2ba621334 in _start (/FuZZ/Check-crushes/modsec/modsec_persistent_fuzzer+0x40d334) (BuildId: 500fae1eca47252b)
SUMMARY: AddressSanitizer: heap-buffer-overflow /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:530:14 in cstrcasecmp_with_null
Shadow bytes around the buggy address:
  0x0c227fff9260: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c227fff9270: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff9280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9290: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92b0: 00 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa
  0x0c227fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3852341==ABORTING

chenuduss, Nov 21 '25 06:11

Hi @chenuduss,

thanks again for the report.

Please explain how you got this result.

Btw, I think this is not a libmodsecurity3 issue but a libinjection one:

READ of size 1 at 0x6110000095c9 thread T0
    #0 0x58e2bae3cafb in cstrcasecmp_with_null /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:530:14
    #1 0x58e2bae3bec1 in is_black_attr /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:660:21
    #2 0x58e2bae3812e in libinjection_is_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:749:20
    #3 0x58e2bae3f02c in libinjection_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:844:9

Note that the mentioned file (libinjection_xss.c) was changed several times recently; probably this bug is already fixed.

Please also add the libinjection version to your report.

airween, Nov 21 '25 10:11
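Triage helper, added here as an example (it is not code from the issue or from the ModSecurity project): it parses the faulting stack and region note of the ASan report above, and attributes the crash to the vendored libinjection tree under others/ the way the reply does. The path fragment used for attribution is an assumption drawn from the paths in the trace.

```python
import re
# Excerpt of the ASan report from this issue (faulting stack and region note only).
ASAN_REPORT = """\
==3852341==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000095c9 at pc 0x58e2bae3cafc bp 0x7ffd52f8b8a0 sp 0x7ffd52f8b898
READ of size 1 at 0x6110000095c9 thread T0
    #0 0x58e2bae3cafb in cstrcasecmp_with_null /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:530:14
    #1 0x58e2bae3bec1 in is_black_attr /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:660:21
    #2 0x58e2bae3812e in libinjection_is_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:749:20
    #3 0x58e2bae3f02c in libinjection_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:844:9
    #4 0x58e2bad08423 in modsecurity::operators::DetectXSS::evaluate(modsecurity::Transaction*, modsecurity::RuleWithActions*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/operators/detect_xss.cc:32:14

0x6110000095c9 is located 0 bytes to the right of 201-byte region [0x611000009500,0x6110000095c9)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME = re.compile(r"^[ \t]*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+):(\d+):\d+$", re.M)
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")

VENDORED = {"/others/libinjection/": "libinjection"}  # assumed vendored-subtree mapping

def parse_asan(report):
    """Summarise the fault: bug class, access, faulting-stack frames and region note."""
    kind, addr = HEADER.search(report).groups()
    op, size = ACCESS.search(report).groups()
    stack = report.split("\n\n", 1)[0]          # frames before the first blank line
    frames = [(int(n), fn, path, int(line)) for n, fn, path, line in FRAME.findall(stack)]
    m = REGION.search(report)
    dist, side, region = (int(m[1]), m[2], int(m[3])) if m else (None, None, None)
    return {"kind": kind, "address": addr, "op": op, "size": int(size),
            "frames": frames, "distance": dist, "side": side, "region": region}

def attribute(frames):
    """Name the component owning the innermost frame with source info."""
    path = frames[0][2]
    for fragment, name in VENDORED.items():
        if fragment in path:
            return name
    return "libmodsecurity3"

def describe(report):
    info = parse_asan(report)
    _, fn, path, line = info["frames"][0]
    note = ""
    if info["side"] == "right" and info["distance"] == 0:   # access starts right at the end
        note = f", one past the end of a {info['region']}-byte heap region"
    return (f"{info['kind']}: {info['op']} of {info['size']} byte(s) in {fn} "
            f"({path.rsplit('/', 1)[-1]}:{line}){note}; owner: {attribute(info['frames'])}")
```

Running describe() on a full report only parses the frames above the first blank line, so the allocation stack (which starts with a malloc frame that has no source location) does not confuse attribution.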

I apologize! So, we need to close the issue.

chenuduss, Nov 21 '25 12:11

No worries, and feel free to report any suspicious thing.

Have you tested your setup with the modified libinjection?

airween, Nov 21 '25 13:11