Synapse windows command injection false positive · Issue #2998 · coreruleset/coreruleset · GitHub
Synapse windows command injection false positive #2998


Closed
fuomag9 opened this issue Nov 13, 2022 · 20 comments
Comments

fuomag9 commented Nov 13, 2022

Description

---wxhp0Kfp---B--
PUT /_matrix/federation/v1/send/1668004491987 HTTP/1.1
Content-Length: 1058
User-Agent: Synapse/1.71.0
Content-Type: application/json
Authorization: X-Matrix origin CENSOR
Host: chat.fuo.fi:443

---wxhp0Kfp---C--
{"origin":"libera.chat","origin_server_ts":1668361864315,"pdus":[{"auth_events":["CENSOR","$CENSOR"],"content":{"body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say \"type this one line and you are good\"","format":"org.matrix.custom.html","formatted_body":"it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say &quot;type this one line and you are good&quot;","msgtype":"m.text"},"depth":552560,"hashes":{"sha256":"CENSOR"},"origin":"libera.chat","origin_server_ts":1668361864211,"prev_events":["CENSOR"],"room_id":"CENSOR","sender":"@Whiskey`:libera.chat","signatures":{"libera.chat":{"ed25519:t4fjCr":"CENSOR"}},"type":"m.room.message","unsigned":{"age_ts":1668361864211}}]}

---wxhp0Kfp---F--
HTTP/1.1 200
Server:
Server:
Date: Sun, 13 Nov 2022 17:51:04 GMT
Content-Type: application/json
Access-Control-Allow-Origin: *
Connection: keep-alive
Cache-Control: no-cache, no-store, must-revalidate
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Authorization, Date
Strict-Transport-Security: max-age=63072000

---wxhp0Kfp---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)(?:[;\n\r`]|t[\"\^]*i[\"\^]*m[\"\^]*e|(?:\|)?\||&?&|\{)\s*(?:['(,@\"\s])*(?:(?:(?:[\x5c'\"\^]*\w[\x5c'\"\^]*:.*|[\^\.\w '\"/\x5c]*)\x5c|[\w'\"\./]+\/))?[\"\^]*(?:s[\"\^]*(?:y[\"\^]*s[\"\^]*(?:t[\" (5113 characters omitted)' against variable `ARGS:json.pdus.array_0.content.formatted_body' (Value: `it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just say "type  (36 characters omitted)' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "229"] [id "932115"] [rev ""] [msg "Remote Command Execution: Windows Command Injection"] [data "Matched Data: ;type this one line and you are good&quot found within ARGS:json.pdus.array_0.content.formatted_body: it was, you want a cache server. no go RTFM, its FAR to complex of a subject to just (52 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-windows"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/88"] [tag "PCI/6.5.2"] [hostname "CENSOR"] [uri "/_matrix/federation/v1/send/1668004491987"] [unique_id "166836186474.987131"] [ref "o94,41v41,136"]

Audit Logs / Triggered Rule Numbers

932115

Your Environment

  • CRS version (e.g., v3.2.0): 4.0-dev
  • Paranoia level setting:
  • ModSecurity version (e.g., 2.9.3): latest
  • Web Server and version (e.g., apache 2.4.41): nginx
  • Operating System and version: ubuntu

Confirmation

[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.

@fuomag9 fuomag9 changed the title Synapse command injection false positive Synapse windows command injection false positive Nov 13, 2022
azurit (Member) commented Nov 14, 2022

@fuomag9 Hi and thanks for reporting this. We will look into it shortly.

The problem here is with the type keyword (included in the data file of rule 932115), which is prefixed with a " HTML-encoded to &quot;, resulting in:
&quot;type

azurit (Member) commented Mar 5, 2023

What about using the htmlEntityDecode transformation function in rule 932115? It should resolve FPs like this.

dune73 (Member) commented Mar 6, 2023

Could you give it a try and see whether all the tests still pass? Also: Does it really solve the issue?

Other than that there are of course also 3 PL2 findings.

azurit (Member) commented Mar 6, 2023

Tested on my local copy: It resolved the issue. Will send a PR.

@azurit azurit self-assigned this Mar 6, 2023
dune73 (Member) commented Mar 6, 2023

Don't rush into this. It's a major change to an important rule. We need to discuss this with the team first.

Do all the tests still pass? (Or do you want to do for easy execution of the tests?)

azurit (Member) commented Mar 6, 2023

I meant I will send a PR so tests can run.

azurit (Member) commented Mar 6, 2023

Looks good: #3151

RedXanadu (Member) commented Mar 6, 2023

It's very cool to see CRS used in front of a Matrix service!

It looks like the formatted_body parameter contains an HTML-formatted message string. So, I guess it will need a lot of tuning for false positives anyway.

This looks like the same situation as working with WordPress, DokuWiki, etc., and handling arbitrary HTML input ('Save wiki page', 'Publish blog post', etc.) and all of HTML's combinations of tags, angle brackets, semi-colons…

dune73 (Member) commented Mar 6, 2023

What is a Matrix service? (asking for a friend)

RedXanadu (Member) commented
@dune73 It's a FOSS service/protocol for secure, decentralised, real-time messaging. It bridges together IRC, Slack, WhatsApp etc. into a single logical channel/service. I heard it was gaining lots of traction in European government circles, who like the idea of self-hosted, end-to-end encrypted communications with auditable code… Also the Matrix developers consistently deliver really cool talks at FOSDEM.

https://matrix.org/

dune73 (Member) commented Mar 6, 2023

Thank you

theseion (Contributor) commented Mar 6, 2023

I think that using htmlEntityDecode might make it possible to smuggle & and ; through the WAF, such that the application would receive &type or ;type.

dune73 (Member) commented Mar 6, 2023

My thinking goes in a similar direction:

Conceptually, there is a loss of information in the decoding step: multi-byte strings are reduced to a single-byte string.
This is a problem if an attacker manages to create a payload that is not really HTML but tricks ModSec into decoding the attacking payload, losing the attack pattern: ModSec thinks it's benign, but the backend receives the full payload and the attack succeeds.

@theseion: The decoding is only for the WAF, isn't it? The application would receive the original payload.

theseion (Contributor) commented Mar 6, 2023

> The decoding is only for the WAF, isn't it? The application would receive the original payload.

Exactly. So if the entity is transformed into an 'a', for example, the rule wouldn't trigger but the application would receive the injection string.

dune73 (Member) commented Mar 6, 2023

This!
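To make azurit's diagnosis and the decoding debate above concrete, here is an added example (not CRS or ModSecurity code) that runs a deliberately simplified stand-in for the shape of rule 932115 over the reported formatted_body value, once on the raw bytes and once after an htmlEntityDecode-style step. Assumptions: the pattern and keyword list are a small constructed subset of the real rule, and Python's html.unescape approximates ModSecurity's htmlEntityDecode.

```python
import html
import re

# Constructed stand-in for the structure of CRS rule 932115 (the real rule is a
# much larger generated regex): a cmd.exe separator, optional quoting or
# whitespace, then a Windows command keyword from the rule's data file.
SEPARATOR = r"(?:[;\n\r`]|\|\|?|&&?|\{)"
KEYWORDS = ("type", "dir", "echo", "set")  # small constructed subset
PATTERN = re.compile(
    SEPARATOR + r"\s*['\"(,@\s]*(?:" + "|".join(KEYWORDS) + r")\b",
    re.IGNORECASE,
)

# The formatted_body value from the report, with the HTML entities the
# federation payload carried: the ';' of '&quot;' lands right before 'type'.
FP_VALUE = (
    "it was, you want a cache server. no go RTFM, its FAR to complex of a "
    "subject to just say &quot;type this one line and you are good&quot;"
)


def match_raw(value: str):
    """What the backend receives: the untransformed argument value."""
    m = PATTERN.search(value)
    return m.group(0) if m else None


def match_decoded(value: str):
    """What the WAF would inspect after an htmlEntityDecode-style transformation
    (approximated here with html.unescape)."""
    m = PATTERN.search(html.unescape(value))
    return m.group(0) if m else None


def compare(value: str):
    """Return (raw_match, decoded_match). A difference between the two is the
    information loss dune73 describes: WAF and backend no longer see the same
    string, so whether the hit is a false positive or a miss depends on
    whether the backend treats the value as HTML."""
    return match_raw(value), match_decoded(value)


if __name__ == "__main__":
    print(compare(FP_VALUE))                  # (';type', None)
    print(compare("dir && type notes.txt"))   # constructed: ('&& type', '&& type')
```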

RedXanadu (Member) commented
Hi @fuomag9,

The formatted_body parameter is what caused your issue / false positive. It looks like formatted_body contains an HTML representation of a given message. HTML is well-known for causing false positives when using the Core Rule Set, unfortunately.

We discussed this issue at our project meeting this evening (starting from 20:41:38 UTC, if you want to read the chat history). In line with previous issues we've handled regarding passing HTML through CRS, we agreed that this false positive isn't something we can safely or realistically resolve by changing the offending CRS rule itself. To resolve this false positive you'll need to tune it away in your CRS/ModSecurity configuration. We have some great documentation on this subject. Let us know if you'd like any help with this or getting started.

Is the service that you had the issue with the Matrix bridge for libera.chat? Are you maintaining a ModSecurity+CRS WAF in front of it?

We would potentially be interested in helping to create a CRS plugin for Matrix, if there is interest in the wider community for this. Such a plugin would resolve false positives like the one you ran into here before they occur. Do you know of anyone else running CRS in front of a Matrix bridge?

fuomag9 (Author) commented Mar 7, 2023

> Hi @fuomag9,
>
> The formatted_body parameter is what caused your issue / false positive. It looks like formatted_body contains an HTML representation of a given message. HTML is well-known for causing false positives when using the Core Rule Set, unfortunately.
>
> We discussed this issue at our project meeting this evening (starting from 20:41:38 UTC, if you want to read the chat history). In line with previous issues we've handled regarding passing HTML through CRS, we agreed that this false positive isn't something we can safely or realistically resolve by changing the offending CRS rule itself. To resolve this false positive you'll need to tune it away in your CRS/ModSecurity configuration. We have some great documentation on this subject. Let us know if you'd like any help with this or getting started.
>
> Is the service that you had the issue with the Matrix bridge for libera.chat? Are you maintaining a ModSecurity+CRS WAF in front of it?
>
> We would potentially be interested in helping to create a CRS plugin for Matrix, if there is interest in the wider community for this. Such a plugin would resolve false positives like the one you ran into here before they occur. Do you know of anyone else running CRS in front of a Matrix bridge?

Hi, I do not run modsecurity anymore as I’ve switched to caddy and coraza is still not production ready from what I’ve seen. The issue I had was with my own server as I do self-host a Matrix server and I was running modsecurity+crs in front of it. As far as I know the matrix.org team runs cloudflare in front of it, which if I remember correctly uses their version of CRS rules and allows custom rules as well. Maybe they could help you better than me?

RedXanadu (Member) commented
Sorry for the delayed reply @fuomag9.

Thank you for the information in your previous message.

> The issue I had was with my own server as I do self-host a Matrix server…

I see, so your self-hosted Matrix instance was syncing messages with the libera.chat instance. That makes sense 🙂 Thanks for clarifying.

Did you manage to resolve the false positive? Let us know if you need any help with that.

@RedXanadu RedXanadu added the ⏳ awaiting feedback CRS dev asked feedback label Mar 20, 2023
fuomag9 (Author) commented Mar 21, 2023

> Sorry for the delayed reply @fuomag9.
>
> Thank you for the information in your previous message.
>
> > The issue I had was with my own server as I do self-host a Matrix server…
>
> I see, so your self-hosted Matrix instance was syncing messages with the libera.chat instance. That makes sense 🙂 Thanks for clarifying.
>
> Did you manage to resolve the false positive? Let us know if you need any help with that.

Hi, I do not run modsecurity anymore as I’ve switched to caddy and coraza is still not production ready from what I’ve seen.

Unfortunately I am not able to debug this issue anymore :(

RedXanadu (Member) commented
I understand. Thanks for letting us know. Feel free to re-open this issue if you need to take it further in the future.

Closing now.

@RedXanadu RedXanadu removed the ⏳ awaiting feedback CRS dev asked feedback label Mar 21, 2023
5 participants