SECURITYLABS INTELLIGENT RESEARCH - SECURITY ADVISORY
http://www.securitylabs.com.br/


ADVISORY/0115 - SOPHOS WAF (WEBSERVER PROTECTION) DOES NOT ANALYZE JSON DATA


PRIORITY: MEDIUM
TYPE: WAF Bypass


1 - About SecurityLabs Intelligent Research
-----------------------------------------------

SecurityLabs Intelligent Researh is a team specialized in projects of
penetration test(Pentests),
security audits and cryptanalysis.

It has a group of researchers with more than 15 years of experience.

All penetration tests (Pen-Test) conducted by Intruders Tiger Team Security
have 100% of success.
All cryptanalysis and security audits performed by the team were also well
effective.

This vulnerability was discovery during a penetration test.


2 - Introduction
------------------

Sophos Webserver Protection uses mod_security.

From "http://www.modsecurity.org/":

"ModSecurity is a toolkit for real-time web application monitoring,
logging, and access control.
I like to think about it as an enabler: there are no hard rules telling you
what to do; instead,
it is up to you to choose your own path through the available features.
That's why the title of this
section asks what ModSecurity can do, not what it does."

We can see yet from Sophos WebServer Protection Site
(
https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosutmwebserverprotectiondsna.pdf?la=en
):

"Web Application Firewall

Our Web Application Firewall intercepts traffic to your servers to protect
them from
tampering and hacking attempts. It secures your web applications against
more than 350
attack patterns including SQL injection, cross-site scripting and directory
traversal. We also
scan all inbound files and content with our dual antivirus agents to keep
infected content off
your network."



3 - Description
----------------


SecurityLabs Intelligent Research has found some conditions of bypass of
the default signatures of mod_security
on Sophos WebServer Protection(ModSecurity) that allows execution of SQL
Injection attacks in JSON Requests.

Sophos WebServer Protection don't analyze payload when Content-type is JSON.

In default instalation, there is no "requestBodyProcessor" defined to check
HTTP POST REQUEST BODY
when Content-Type is "application/json".


4 -  Analysis
---------------

There are several ways to analyze this problem, including hacking
production's environment, but
the simplest way is sent HTTP requests with JSON data in body like this:


POST /[URI] HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101
Firefox/15.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=utf-8
Referer: http://[TARGET]/
Content-Length: 27
Cookie: ASP.NET_SessionId=d0dusce1rrsgx4rvvtwj0br0;
_ga=GA1.3.234022554.1429121838; _gat=1
Pragma: no-cache
Cache-Control: no-cache

{"id":"SQL INJECTION HERE"}


5 - Detection
--------------

SecurityLabs Intelligent Research has found this vulnerability in Sophos
UTM version 9.310.

It is possible that previous versions have the same problem.


6 - Workaround
----------------

Add the follow rule in file
'/var/storage/chroot-reverseproxy/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf'
to check JSON data
too:

SecRule REQUEST_HEADERS:Content-Type "application/json"
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=URLENCODED"


7 - Credits
-------------

SecurityLabs Intelligent Research and Glaudson Ocampos
has discovered this vulnerability.


-- 
Atenciosamente,

Glaudson Ocampos
Pesquisador de Segurança da Informação
SecurityLabs  Intelligent Research