Bug 8292 - apache-mod_security new security issue CVE-2012-4528
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
URL: http://lwn.net/Vulnerabilities/527913/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Reported: 2012-12-04 00:18 CET by David Walser
Modified: 2012-12-31 23:24 CET (History)

Source RPM: apache-mod_security-2.6.7-1.mga3.src.rpm
Description David Walser 2012-12-04 00:18:52 CET
Fedora has issued an advisory on November 16:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html

An update for apache-mod_security-crs also references this issue:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093620.html

Fixed upstream in 2.7.0, and a patch is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=867424
Comment 1 David Walser 2012-12-23 17:07:41 CET
Fixed in Cauldron by Oden.
Comment 2 Oden Eriksson 2012-12-23 18:04:53 CET
Fix added in r334303 (mga2, updates_testing, apache-mod_security-2.6.3-3.3.mga2). Test with the PoC from http://seclists.org/fulldisclosure/2012/Oct/113
Comment 3 David Walser 2012-12-23 18:37:08 CET
Thanks Oden!  I'm guessing crs doesn't need an update for 2.

Advisory:
========================

Updated apache-mod_security packages fix security vulnerability:

ModSecurity before 2.7.0 is vulnerable to multipart/invalid part ruleset
bypass (CVE-2012-4528).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html
========================

Updated packages in core/updates_testing:
========================
apache-mod_security-2.6.3-3.3.mga2
mlogc-2.6.3-3.3.mga2

from apache-mod_security-2.6.3-3.3.mga2.src.rpm
Comment 4 claire robinson 2012-12-27 11:56:04 CET
I'm not having any luck with the PoC; can you give any insight into how to use it, please?

Tried with curl (-d and -H) and using 'postit' firefox extension.

I put the PoC data into a file called 8292

$ curl -v -X POST http://localhost/wut.php -d @8292
* About to connect() to localhost port 80 (#0)
*   Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /wut.php HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0
> Host: localhost
> Accept: */*
> Content-Length: 244
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 244 out of 244 bytes
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2012 10:40:23 GMT
< Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
< X-Powered-By: PHP/5.3.19
< Content-Length: 0
< Content-Type: text/html
< 
* Connection #0 to host localhost left intact
* Closing connection #0

$ curl -v -X POST http://localhost/wut.php -H @8292
* About to connect() to localhost port 80 (#0)
*   Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /wut.php HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0
> Host: localhost
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2012 10:40:42 GMT
< Server: Apache/2.2.23 (Mageia/PREFORK-1.mga2)
< X-Powered-By: PHP/5.3.19
< Content-Length: 0
< Content-Type: text/html
<
* Connection #0 to host localhost left intact
* Closing connection #0

/var/log/httpd/access_log shows

127.0.0.1 - - [27/Dec/2012:10:54:28 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0"
127.0.0.1 - - [27/Dec/2012:10:54:32 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "curl/7.24.0 (x86_64-mageia-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0j zlib/1.2.6 libidn/1.24 libssh2/1.3.0"

or with postit

127.0.0.1 - - [27/Dec/2012:10:48:40 +0000] "POST /wut.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11"
Comment 5 Dave Hodgins 2012-12-30 19:58:03 CET
Claire, POST is a command.
$ rpm -q -f /usr/bin/POST
perl-libwww-perl-6.40.0-1.mga2

Even with that though, I'm not having much luck with the POC yet either.
Still looking into it.
Comment 6 Dave Hodgins 2012-12-30 22:45:10 CET
[dave@i2v ~]$ POST /wut.php HTTP/1.1
Please enter content (application/x-www-form-urlencoded) to be POSTed:
Content-Type: multipart/form-data; boundary=A
Content-Length: 161

--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--
forbidden[dave@i2v ~]$

I pressed enter, then ctrl+d after pasting in the content.

Without a working POC, I'd rather just test that the updated package
works.  We don't have any packages that require apache-mod_security,
and as this is a security update, just testing that the updated module
loads with ...
# httpd -M 2>/dev/null |grep security
 security_module (shared)

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
apache-mod_security-2.6.3-3.3.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated apache-mod_security packages fix security vulnerability:

ModSecurity before 2.7.0 is vulnerable to multipart/invalid part ruleset
bypass (CVE-2012-4528).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4528
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/093619.html

https://bugs.mageia.org/show_bug.cgi?id=8292
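The invalid-part condition behind CVE-2012-4528, as an added detection example that is not part of this bug report or of ModSecurity itself: a strict multipart check that flags any part whose header block lacks the CRLF CRLF terminator (the `[\r][\r][\n]` ending in the PoC pasted above) and fails closed, rather than skipping the malformed part, which is what the "multipart/invalid part ruleset bypass" relies on. The sample bodies are constructed, with the PoC payload replaced by a harmless string; the function names are assumptions of this example.

```python
"""Strict multipart/form-data part audit (added example, not ModSecurity code).
A part whose header block is not terminated by CRLF CRLF (the PoC's CR CR LF
ending) is an invalid part; fail closed instead of skipping it uninspected."""
import re

# token ":" OWS value; no CR or LF may appear inside a header line
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")

def split_parts(body: bytes, boundary: bytes) -> list[bytes]:
    """Raw chunks between boundary delimiters; a closing delimiter is required."""
    chunks = body.split(b"--" + boundary)
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        raise ValueError("missing closing boundary delimiter")
    return chunks[1:-1]  # drop the preamble and the closing "--" chunk

def check_part(raw: bytes) -> list[str]:
    """List the ways one part's header block violates strict multipart syntax."""
    if not raw.startswith(b"\r\n"):
        return ["boundary delimiter not followed by CRLF"]
    raw = raw[2:]
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        return ["header block not terminated by CRLF CRLF"]
    problems, headers = [], raw[:sep]
    for line in headers.split(b"\r\n"):
        if b"\r" in line or b"\n" in line:
            problems.append("bare CR or LF inside header line")
        elif not HEADER_LINE.match(line):
            problems.append("malformed header line")
    if b"content-disposition:" not in headers.lower():
        problems.append("missing Content-Disposition header")
    return problems

def audit_multipart(body: bytes, boundary: bytes) -> list[tuple[int, list[str]]]:
    """(part index, problems) for every invalid part; [] when the body is clean."""
    return [(i, p) for i, raw in enumerate(split_parts(body, boundary))
            if (p := check_part(raw))]

def should_block(body: bytes, boundary: bytes) -> bool:
    """Fail closed: an invalid part or an unterminated body rejects the request."""
    try:
        return bool(audit_multipart(body, boundary))
    except ValueError:
        return True

# Constructed sample bodies shaped like the PoC in comment 6, payload replaced.
GOOD_BODY = (b"--A\r\n" b'Content-Disposition: form-data; name="xxx"\r\n\r\n1\r\n'
             b"--A\r\n" b'Content-Disposition: form-data; name="yyy"; filename="z"'
             b"\r\n\r\nhello\r\n--A--\r\n")
BAD_BODY = GOOD_BODY.replace(b'name="xxx"\r\n\r\n1\r\n', b'name="xxx"\r\r\n')
```

`should_block(BAD_BODY, b"A")` is the decision a WAF has to reach for the PoC-shaped body; a lenient parser that merely drops part 0 is the behaviour the 2.7.0 fix removed.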
Comment 7 Thomas Backlund 2012-12-31 23:24:43 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0371
