mod_security RESPONSE_BODY

IrPr

Well-Known Member
#21
I doubt that safe_mode exploit will ever be fixed seeing as how PHP 6.0 will not have safe_mode. At least that's what was said back when 6.0 was in early development. openbase_dir although useful if someone does get around it in theory they should be unable to do any damage. PHP is running as their user they're going to need to find folders that have read and write for everyone to do any damage. So really not a ton they can do and considering suPHP which a lot of people use does not support openbase_dir and we're not reading about people suggesting mod_php is better.
suPHP has a lot of advantages in security but performances
suPHP breaks EA/xCache/MMCache/etc opcode cache support, then will reduces io for PHP sources in huge traffics which leads to load increase and page generate latency

the same trade off betnween security and performances! if you worry about mod_security RESPONSE_BODY disadvantages the same issue is here for suPHP, to me

Plus as I said if your server supports Perl then these c99, r57 ect. ect. shells are just a php entry point. If they can get a perl version up they do not have openbase_dir restrictions anyways and can run shell commands.
CGI attacks could be patched by chroot either ;)

You know that php shells are using lots of php functions which are using by otner normal php scripts (etc oscommerce, joomla)
If we disable this functions other customers scripts has been blocking.
If we disable this, it can break any php script?
As i said, i disable malicious functions not all

PHP shells are using a lot of functions, is_array for example
i never disable is_array function, i just disable common exploit functions such as exec/system/shell

Here is c99 exec function, take a look:
PHP:
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_resource($fp = popen($cmd,"r")))
  {
   $result = "";
   while(!feof($fp)) {$result .= fread($fp,1024);}
   pclose($fp);
  }
 }
 return $result;
}
If you know PHP language, you will find that c99 myshellexec function requires at least one of exec, system or passthru
so patching c99 execute function can be done by disabling these 3 functions, same for all attack methods implemented in all common php shells

So, why Joomla or Wordpress or vBulletin or PHPBB should use execute functions? there is no need for execute functions in most of common PHP scripts
Indeed just in some special cases such as FFMPEG convert exec functions are needed, believe me

And finally, gotroot paid and real time rules, blocking %99 of php exploits on milw0rm and packetstorm. Did you try it?
The exploit that i posted doesnt have any args and could be renamed easily, then how could mod_security detect and defect it?

In fact mod_security just sniffs request header, and a good hacker can easily change args and filename then bypass mod_security rules ;)

If you would like i can modify c99 php shell and send it to you, then you check your security rules against modified c99 version, however securing php will break all phpshell functionality like a charm
 
Last edited:

Tony

Well-Known Member
#23
If you know PHP language, you will find that c99 myshellexec function requires at least one of exec, system or passthru
so patching c99 execute function can be done by disabling these 3 functions, same for all attack methods implemented in all common php shells

So, why Joomla or Wordpress or vBulletin or PHPBB should use execute functions? there is no need for execute functions in most of common PHP scripts
Indeed just in some special cases such as FFMPEG convert exec functions are needed, believe me
imagemagick is another that requires access to these commands.

So really you're out of luck about supporting applications when a lot of them use these functions. You're damned if you do damned if you don't type of situation.


As for suPHP my point was it has no openbase_dir protection at all. The LSWS implementation does have this while also running PHP as the user. There should be no 777 folders and so doing things outside of your folder is going to be very difficult. It would be quite difficult to do much past the users account unless they're aware of a privilege escalation exploit the system is vulnerable to. If this is the case there are numerous entry points besides PHP or Perl. You have SSH of the user if enabled. You have cron jobs if users can set those. There are several which could be the entry point. I've never seen it attempted via cron but I'm pretty sure it could be done.

I believe cron could be the next way to do this because I've noticed viruses targeting FTP accounts and actually being used to replace index files or mass produce spam systems. It would not surprise me to see it used as an exploit mechanism. If it's not viruses there have also been exploits on popular web hosting billing systems that if the system was storing FTP passwords of users they've probably been compromised. Most of them do store the users original FTP password and most do not change it so probably lots of hosts with users ftp and control panel accounts compromised.


A little off topic from the web server side but there are heck of a lot of potential places to run shells. The response body scanning is just something I'm weary of and I'd rather wait for a really solid solution for handling it rather than a quick one that could be improved with refinement.
 
#24
suPHP has a lot of advantages in security but performances
suPHP breaks EA/xCache/MMCache/etc opcode cache support, then will reduces io for PHP sources in huge traffics which leads to load increase and page generate latency

the same trade off betnween security and performances! if you worry about mod_security RESPONSE_BODY disadvantages the same issue is here for suPHP, to me


CGI attacks could be patched by chroot either ;)


As i said, i disable malicious functions not all

PHP shells are using a lot of functions, is_array for example
i never disable is_array function, i just disable common exploit functions such as exec/system/shell

Here is c99 exec function, take a look:
PHP:
function myshellexec($cmd)
{
 global $disablefunc;
 $result = "";
 if (!empty($cmd))
 {
  if (is_callable("exec") and !in_array("exec",$disablefunc)) {exec($cmd,$result); $result = join("\n",$result);}
  elseif (($result = `$cmd`) !== FALSE) {}
  elseif (is_callable("system") and !in_array("system",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); system($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_callable("passthru") and !in_array("passthru",$disablefunc)) {$v = @ob_get_contents(); @ob_clean(); passthru($cmd); $result = @ob_get_contents(); @ob_clean(); echo $v;}
  elseif (is_resource($fp = popen($cmd,"r")))
  {
   $result = "";
   while(!feof($fp)) {$result .= fread($fp,1024);}
   pclose($fp);
  }
 }
 return $result;
}
If you know PHP language, you will find that c99 myshellexec function requires at least one of exec, system or passthru
so patching c99 execute function can be done by disabling these 3 functions, same for all attack methods implemented in all common php shells

So, why Joomla or Wordpress or vBulletin or PHPBB should use execute functions? there is no need for execute functions in most of common PHP scripts
Indeed just in some special cases such as FFMPEG convert exec functions are needed, believe me


The exploit that i posted doesnt have any args and could be renamed easily, then how could mod_security detect and defect it?

In fact mod_security just sniffs request header, and a good hacker can easily change args and filename then bypass mod_security rules ;)

If you would like i can modify c99 php shell and send it to you, then you check your security rules against modified c99 version, however securing php will break all phpshell functionality like a charm
For example from this shell;

Mod security response body rules checking "@ob_get_contents();@ob_clean()" this part of code. And blocking this shell.

All gotroot staff working on shells body.

We have disabled this functions. But it is very good to see 404 page when hacker runs a php exploit :) And mod_security response body rules makes this
 

muiruri

Well-Known Member
#25
For some reason customers with joomla sites when they try to log on to their joomla administrator section/control panel...

http://customer-domain.com/administrator/

get following error;

---

406 Not Acceptable
This request is not acceptable

---

Found this is related to mod_security therefore when I add following lines in .htaccess for this specific domain.

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

All works fine.

My questions are;

(a) Is there a place in LSWS 4.0.2 menu options to turn mod_sec off for specific host or domain? Or any better ideas to deal with this one pl'se ?

(b) On this server last thing we did was to upgrading openSSL to latest verion 0.9.8k, and starting getting this problem.
 
Top