From b932020c94c70135fe5521e38eaf327d9d8ca727 Mon Sep 17 00:00:00 2001 From: Menin Andrea Date: Mon, 21 Oct 2019 15:40:38 +0200 Subject: [PATCH] 932200 PL1 RCE bypass uninitialized var --- rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf index b4f7ca95a..94ef0e69c 100644 --- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf @@ -600,6 +600,40 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" +# +# -=[ Rule 932200 ]=- +# +# Intercept RCE Bypass using uninitialized variables +# Refer to: https://www.secjuice.com/web-application-firewall-waf-evasion/ +# +# Examples: +# - foo;cat$u/etc$u/passwd +# - bar;cd+/etc;/bin$u/ca*+passwd +# +# (remove this line) Regex notes: https://regex101.com/r/JgZFRi/2/ +# +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:bin|boot|dev|etc|home|lib|media|mnt|opt|proc|root|run|sbin|srv|sys|tmp|usr|var|[a-z]\*|\*[a-z]+)\$[a-zA-Z@]" \ + "id:932200,\ + phase:2,\ + block,\ + capture,\ + t:none,t:lowercase,\ + msg:'RCE Bypass using Uninitialized Variable',\ + logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\ + tag:'application-multi',\ + tag:'language-multi',\ + tag:'platform-multi',\ + tag:'attack-rce',\ + tag:'OWASP_CRS',\ + tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\ + tag:'WASCTC/WASC-31',\ + tag:'OWASP_TOP_10/A1',\ + tag:'PCI/6.5.2',\ + ver:'OWASP_CRS/3.2.0',\ + severity:'CRITICAL',\ + setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\ + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'" + SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"