New PL2/3 rule that catches mail (SMTP) injections · Issue #2206 · coreruleset/coreruleset · GitHub

New PL2/3 rule that catches mail (SMTP) injections #2206
Closed
dune73 opened this issue Sep 19, 2021 · 11 comments · Fixed by #2322
Comments

@dune73
Member
dune73 commented Sep 19, 2021

Description

CRS lacks a rule that detects SMTP protocol.

See #1991.

@xiaoxiaofeiduo
Contributor
xiaoxiaofeiduo commented Oct 9, 2021

I once wrote a rule for SMTP injection, maybe you can refer to it.

```
SecRule ARGS "(?s)\r\n.*?\b(CREATE|DELETE|RENAME|LIST|APPEND|SELECT|FETCH|COPY|CAPABILITY|STORE|CLOSE|SEARCH|STATUS|EXPUNGE|LOGOUT|EXAMINE|SUBSCRIBE|UNSUBSCRIBE|LSUB|CHECK|NOOP)\b" \
	"msg:'IMAP/SMTP Inject Attack!',\
	phase:request,\
	rev:'1',\
	capture,\
	ver:'OWASP_CRS/3.0.0',\
	maturity:'1',\
	accuracy:'8',\
	t:none,t:htmlEntityDecode,t:urlDecodeUni,\
	ctl:auditLogParts=+E,\
	block,\
	id:932827,\
	tag:'strategy-level/3',\
	tag:'application-multi',\
	tag:'language-multi',\
	tag:'platform-linux',\
	tag:'attack-rce',\
	tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
	tag:'WASCTC/WASC-31',\
	tag:'OWASP_TOP_10/A1',\
	tag:'PCI/6.5.2',\
	tag:'paranoia-level/2',\
	logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
	severity:'CRITICAL',\
	setvar:'tx.msg=%{rule.msg}',\
	setvar:tx.rce_score=+%{tx.critical_anomaly_score},\
	setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
	setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{matched_var_name}=%{tx.0}"
```

@azurit
Member
azurit commented Oct 9, 2021

@NiceYouKnow Thank you very much for sharing your rule, we will definitely look at it! Anyway, it seems to be for IMAP, not SMTP.

@xiaoxiaofeiduo
Contributor

> @NiceYouKnow Thank you very much for sharing your rule, we will definitely look at it! Anyway, it seems to be for IMAP, not SMTP.

OK, that should be my mistake. I hope it can help.

@fzipi
Member
fzipi commented Oct 9, 2021

A quick pass at the SMTP standard gives me the commands EHLO|HELO|STARTTLS|AUTH|MAIL FROM|RCPT TO|DATA|RSET|VRFY|EXPN|HELP|NOOP|QUIT.

Other commands like SOML|SAML|TURN (from https://www.ietf.org/rfc/rfc1869.txt) should be deprecated (but we might want to include them to avoid bypasses), and there is an extension for SIZE (from https://www.ietf.org/rfc/rfc1870.txt).

@fzipi
Member
fzipi commented Oct 9, 2021

I would say that if we add POP3 also, we are mostly covered (SMTP + IMAP4 + POP3).

@dune73
Member Author
dune73 commented Oct 10, 2021

Brilliant idea. And really doable.

@fzipi
Member
fzipi commented Oct 13, 2021

For POP3, here is the commands list:

`USER <name>|PASS string|APOP name digest|QUIT|STAT|LIST [msg]|RETR msg|DELE msg|UIDL [msg]|TOP msg n|NOOP|RSET|QUIT`

where [msg] is an optional number, and msg is a number. Also this might be relevant from the RFC:

> Commands in the POP3 consist of a keyword, possibly followed by one or more arguments. All commands are terminated by a CRLF pair. Keywords and arguments consist of printable ASCII characters. Keywords and arguments are each separated by a single SPACE character. Keywords are three or four characters long. Each argument may be up to 40 characters long.

@dune73
Member Author
dune73 commented Nov 15, 2021

Good. We now have the full list of keywords.

@NiceYouKnow is opening his regex with `(?s)\r\n.*?\b`.

Is this necessary?

I do not really know IMAP that well, but AFAICS, all 3 protocols end commands with CRLF. That means we can cut this down to something like this:

`(^|[\r\n])HELO\s`

(Feel free to fix my regex. I'm sure we have a fancier way of expressing this these days, but I'm stuck in regex stone age.)

It's still possible to cause FPs this way. So it's probably a good idea to use the non-English keywords like EHLO and RETR in PL2 and then do a stricter sibling at PL3 with the keywords such as FROM, MAIL, PASS, etc.

@fzipi
Member
fzipi commented Dec 17, 2021

@dune73 I'm doing the first tests, and for now I'm seeing this: maybe splitting in protocols is better than having just one rule per PL for all. Some of the commands have required parameters in SMTP. Some have a required tag like IMAP. Do you think we ignore this and just go for the command, or getting a more precise match will help lower FPs?
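
To make the two proposals above concrete, here is an added Python sketch (not CRS code, and not the rule that landed in #2322) that implements dune73's line-anchored PL2/PL3 keyword split and fzipi's parameter-aware per-protocol matchers, then runs both over constructed form values. The keyword groups and the sample strings are assumptions chosen for the illustration.

```python
import re

# Keyword groups following dune73's split: keywords unlikely in English text at
# PL2, common English words only at PL3. Constructed lists, not the CRS rule.
PL2_KW = r"(?:EHLO|HELO|STARTTLS|RCPT\s+TO|VRFY|EXPN|RETR|DELE|UIDL|APOP|LSUB|EXPUNGE)"
PL3_KW = r"(?:MAIL\s+FROM|DATA|RSET|NOOP|QUIT|AUTH|USER|PASS|STAT|LIST|TOP|SELECT|FETCH|STORE|SEARCH|LOGOUT)"

# Anchor on start-of-value or a CR/LF instead of (?s)\r\n.*?\b: a keyword only
# counts when it begins a line, which is how SMTP, IMAP and POP3 delimit commands.
PL2_RE = re.compile(r"(?i)(?:^|[\r\n])" + PL2_KW + r"(?:\s|:|$)")
PL3_RE = re.compile(r"(?i)(?:^|[\r\n])" + PL3_KW + r"(?:\s|:|$)")

# Protocol-aware siblings in the spirit of fzipi's question: SMTP envelope commands
# need a colon and a bracketed address, IMAP commands carry a leading tag, and POP3
# message commands take a numeric argument.
SMTP_RE = re.compile(r"(?i)(?:^|[\r\n])(?:MAIL\s+FROM|RCPT\s+TO):\s*<[^>\r\n]*>")
IMAP_RE = re.compile(
    r"(?i)(?:^|[\r\n])[A-Za-z0-9]{1,8} +"
    r"(?:SELECT|FETCH|STORE|SEARCH|LOGIN|LOGOUT|LSUB|EXPUNGE|CAPABILITY|NOOP)(?:\s|$)")
POP3_RE = re.compile(r"(?i)(?:^|[\r\n])(?:RETR|DELE|TOP|UIDL|LIST)\s+\d+(?:\s|$)")


def paranoia_level_hit(value: str) -> int:
    """Lowest paranoia level at which the keyword-only rules flag value (0 = none)."""
    if PL2_RE.search(value):
        return 2
    if PL3_RE.search(value):
        return 3
    return 0


def precise_protocol(value: str):
    """Name of the protocol whose parameter-aware pattern matches, or None."""
    for name, pattern in (("smtp", SMTP_RE), ("imap", IMAP_RE), ("pop3", POP3_RE)):
        if pattern.search(value):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample values: benign text, an SMTP envelope injected via CRLF,
    # a tagged IMAP command (missed by the keyword-only rule), a POP3 command.
    for s in ["Jane Doe", "Please send the data to me",
              "jane@example.com\r\nRCPT TO:<victim@example.com>\r\nDATA\r\n",
              "A001 SELECT INBOX", "x\nRETR 1\n"]:
        print(repr(s), "->", paranoia_level_hit(s), precise_protocol(s))
```

Note that the tagged IMAP line is invisible to the line-anchored keyword rule but caught by the tag-aware pattern, which is the trade-off fzipi describes.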

@dune73
Member Author
dune73 commented Dec 17, 2021

It will definitely help lower FPs, but it's also more work. I'll let those who do the work take this decision.

@dune73
Member Author
dune73 commented Dec 20, 2021

Closing in favor of PR at #2322.

@dune73 dune73 closed this as completed Dec 20, 2021