Mod_security @inspectFile rule is not working

[jegan]

Hello,

SecRule FILES_TMPNAMES "@inspectFile /usr/local/lsws/cxscgi.sh" "id:351000,rev:1,severity:2,msg:'Upload Malware Scanner:Malicious File upload attempt detected and blocked',log,deny,auditlog,status:403,t:none" this rule is not working properly.

modsecurity on
modsecurity_rules `
SecRuleEngine On
SecDebugLog /tmp/auditlog-debug.txt
SecAuditLog /tmp/modsec_audit.log
SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'200001',log,deny,status:403"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/lsws/cxscgi.sh" "id:351000,rev:1,severity:2,msg:'Upload Malware Scanner:Malicious File upload attempt detected and blocked',log,deny,auditlog,status:403,t:none"
`
modsecurity_rules_file /usr/local/lsws/modsec/owasp/crs30/owasp-master.conf

OS: Centos 7
LiteSpeed/1.6.13 Open
module versions:
modgzip 1.1
cache 1.62
modinspector 1.1
uploadprogress 1.1
mod_security 1.3
(built: Thu Apr 30 13:36:22 UTC 2020)
module versions:
modgzip 1.1
cache 1.62
modinspector 1.1
uploadprogress 1.1
mod_security 1.3

 

[rperper]

Hi, my name is Bob Perper and I'm a developer and support technician here at Litespeed Technologies.
When it comes to mod_security, OpenLiteSpeed simply passes the rule to the engine, it's up to the mod_security engine to run your program.
So since there are not any known problems with running regular programs, I think we can assume that the problem is likely to be in your script: /usr/local/lsws/cxscgi.sh. What I might suggest you do it append to some file as part of your processing to show that you were called, what your parameters were and what return code you will pass back. The doc for @inspectFile is here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#inspectFile And of course verify basic things like the script having the execute bit on and stuff like that. Let us know if this continues to vex you. Thanks,
Bob Perper

 

[jegan]

Hi, I am jegan and thanks for your reply

/usr/local/lsws/cxscgi.sh
In this script, just I try to print the "test the output".
and also I didn't get any output on this /usr/local/lsws/cxscgi.log log file.

I guess , shell execution is not happening.

[root@demo upload]# cat /usr/local/lsws/cxscgi.sh
#!/bin/bash
echo "test the output";
echo "demo" >> /usr/local/lsws/cxscgi.log
return 0;

log file /tmp/auditlog-debug.txt

[159133048257.285040] [/upload.php] [4] (Rule: 200001) Executing operator "Pm" with param "phpinfo.php" against REQUEST_URI.
[159133048257.285040] [/upload.php] [9] Target value: "/upload.php" (Variable: REQUEST_URI)
[159133048257.285040] [/upload.php] [4] Rule returned 0.
[159133048257.285040] [/upload.php] [9] Matched vars cleaned.
[159133048257.285040] [/upload.php] [4] (Rule: 351000) Executing operator "InspectFile" with param "/usr/local/lsws/cxscgi.sh" against FILES_TMPNAMES.
[159133048257.285040] [/upload.php] [4] Rule returned 0.
[159133048257.285040] [/upload.php] [9] Matched vars cleaned.
[159133048257.285040] [/upload.php] [4] (Rule: 900990) Executing unconditional rule...
[159133048257.285040] [/upload.php] [4] Running [independent] (non-disruptive) action: setvar
[159133048257.285040] [/upload.php] [8] Saving variable: TX:crs_setup_version with value: 302
[159133048257.285040] [/upload.php] [9] Running action: log
[159133048257.285040] [/upload.php] [9] Saving transaction to logs
[159133048257.285040] [/upload.php] [9] Running action: auditlog
[159133048257.285040] [/upload.php] [9] Running action: nolog
[159133048257.285040] [/upload.php] [4] Running (disruptive) action: pass.
[159133048257.285040] [/upload.php] [8] Running action pass

=================================================================================

/usr/local/lsws/logs/error.log

2020-06-05 09:44:42.803155 [DEBUG] [103.120.179.199:60384#krdem37] preUriMap check serving by static url file cache: 0
2020-06-05 09:44:42.803164 [DEBUG] [103.120.179.199:60384#krdem37] [URI_MAP] run Hook function for [Module:mod_security] session=0x36896f8
2020-06-05 09:44:42.803711 [DEBUG] [103.120.179.199:60384#krdem37] [Module:Mod_Security] Calling msc_process_uri with POST /upload.php v1.1.
2020-06-05 09:44:42.809186 [DEBUG] [103.120.179.199:60384#krdem37] [Module:Mod_Security] RequestBodyAccess: NO ResponseBodyAccess: NO
2020-06-05 09:44:42.809204 [DEBUG] [mod_security] enable_hook, enable 1, num indices 4, return 0
2020-06-05 09:44:42.809229 [DEBUG] [103.120.179.199:60384#krdem37] [URI_MAP] [Module:mod_security] session=0x36896f8 ret 0
2020-06-05 09:44:42.809235 [DEBUG] [103.120.179.199:60384#krdem37] runEventHkpt(): HSPS_HKPT_URI_MAP -> HSPS_FILE_MAP
2020-06-05 09:44:42.809287 [DEBUG] [103.120.179.199:60384] Check Symbolic link for [/home/krdem37/public_html/upload.php] is successful, access to target [/home/krdem37/public_html/upload.php] is granted

 

[rperper]

Jegan,
Good job getting the auditlog. That shows that ModSecurity claimed to run your script. Let me try to reproduce it here and I'll get back to you.
Bob

 

[rperper]

I had an inspectFile test I used with Enterprise LiteSpeed Web Server so I modified it to run with OpenLiteSpeed, turned on debug logging as you did and ran into the same issue:
```
[1591380817] [/?b=inspectfail] [4] Executing chained rule.
[1591380817] [/?b=inspectfail] [4] (Rule: 0) Executing operator "InspectFile" with param "/usr/local/lsws/cxscgi.sh" against FILES_TMPNAMES.
[1591380817] [/?b=inspectfail] [4] Rule returned 0.
```
So this sure looks like a ModSecurity library failure. If you open a problem with the ModSecurity people, please refer to this post. I'll open an issue as well and also refer to this post, since we both have run into the same problem.
Great find!

Bob Perper
rperper@litespeedtech.com

 

[rperper]

Posting is here: https://github.com/SpiderLabs/ModSecurity/issues/2332
If you learn anything, please post it here, if I learn anything, I'll also post it here. Thanks!

Bob Perper
rperper@litespeedtech.com

 

[rperper]

There have been a number of updates to my mod_security posting already. Looks like they're taking it on...

 

[jegan]

thanks Bob Perper, I will post same things in mod_security forum and also here https://github.com/SpiderLabs/ModSecurity/issues/2332

 

[jegan]

module mod_security {
modsecurity on
modsecurity_rules `
SecRuleEngine On
SecDebugLog /tmp/auditlog-debug.txt
SecDebugLogLevel 9
SecAuditLogParts AB
SecAuditLog /tmp/auditlog.txt
SecAuditLogType Serial
SecAuditLogStorageDir /tmp/
SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'200001',log,deny,status:403"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/lsws/cxscgi.sh" "id:159,phase:2,log,deny"
`
ls_enabled 1
}


we debug is problem and we added log message is /tmp/openlitespeed/src/modules/modsecurity-ls/ModSecurity/src/rule_with_operator.cc file, we print key value.

For the first rule log is gets completed,

[1592846136] [/upload.php] [4] (Rule: 200001) JEGAN 1 Executing operator "Pm" with param "phpinfo.php" against REQUEST_URI.
[1592846136] [/upload.php] [4] Mani 001
[1592846136] [/upload.php] [4] Mani 002
[1592846136] [/upload.php] [4] Mani 003
[1592846136] [/upload.php] [4] Mani 003 Vlaue %s/upload.php
[1592846136] [/upload.php] [4] Mani 003 Key %s REQUEST_URI
[1592846136] [/upload.php] [4] Mani 004
[1592846136] [/upload.php] [4] Mani 005
[1592846136] [/upload.php] [4] Mani 006
[1592846136] [/upload.php] [9] Target value: "/upload.php" (Variable: REQUEST_URI)
[1592846136] [/upload.php] [4] Rule returned 0.

For second rule logs is break in between,

[1592846136] [/upload.php] [4] (Rule: 159) JEGAN 1 Executing operator "InspectFile" with param "/usr/local/lsws/cxscgi.sh" against FILES_TMPNAMES.
[1592846136] [/upload.php] [4] Mani 001
[1592846136] [/upload.php] [4] Mani 002
[1592846136] [/upload.php] [4] Mani 003
[1592846136] [/upload.php] [4] Rule returned 0.
[1592846136] [/upload.php] [9] Matched vars cleaned.
[1592846136] [/upload.php] [4] Mani => Starting phase RESPONSE_HEADERS. (SecRules 3)
[1592846136] [/upload.php] [9] This phase consists of 0 rule(s).
[1592846136] [/upload.php] [4] Mani => Starting phase RESPONSE_BODY. (SecRules 4)
[1592846136] [/upload.php] [4] Response body is disabled, returning... 2
[1592846136] [/upload.php] [4] Mani => Starting phase LOGGING. (SecRules 5)
[1592846136] [/upload.php] [9] This phase consists of 0 rule(s).


So, I think Openlitespeed is not passing the value property to Modsecurity.

 

[David]

Hi Jegan,

I am David, a developer of this module. I checked your log and will want you to do these,

1, if there is a bug in our code?
Since our conf is line by line, but the rules is multi line, there may be error, we can do this way to avoid.
As you said, you conf is

modsecurity on
modsecurity_rules `
SecRuleEngine On
SecDebugLog /tmp/auditlog-debug.txt
SecAuditLog /tmp/modsec_audit.log
SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'200001',log,deny,status:403"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/lsws/cxscgi.sh" "id:351000,rev:1,severity:2,msg:'Upload Malware Scanner:Malicious File upload attempt detected and blocked',log,deny,auditlog,status:403,t:none"
`
modsecurity_rules_file /usr/local/lsws/modsec/owasp/crs30/owasp-master.conf

We can put the rules into a file and use rulefile directive to avoid the parsing.
So, cat /usr/local/lsws/modsec/myrule.conf

SecRuleEngine On
SecDebugLog /tmp/auditlog-debug.txt
SecAuditLog /tmp/modsec_audit.log
SecRule REQUEST_URI "@pm phpinfo.php" "phase:1,id:'200001',log,deny,status:403"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/lsws/cxscgi.sh" "id:351000,rev:1,severity:2,msg:'Upload Malware Scanner:Malicious File upload attempt detected and blocked',log,deny,auditlog,status:403,t:none"

Then in you conf

modsecurity_rules_file /usr/local/lsws/modsec/myrule.conf
modsecurity_rules_file /usr/local/lsws/modsec/owasp/crs30/owasp-master.conf

2, Change your errorlog level to DEBUG/HIGH, and do a upload, let us see what is in the error log about the rule.

Thanks
David

 

[rperper]

Jegan,
Don't do anything quite yet, as I didn't properly describe the issue to David. I'll reproduce it here and give it to him.
Thanks,

Bob Perper

 

[jegan]

I have sent personal message to you, Kindly check it.

 

[rperper]

Jegan,
A couple of things I learned in testing with David today:
- I was using curl to do my testing. In the request, the file being requested (not the one being executed) must be a dynamic file - in the case we tested here a php file. I saw in your testing that you were testing with phpinfo.php so you shouldn't have seen the static file problem I saw. David is going to fix it so that it properly deals with static files too, but for now, at least we understand what is going on.
- I was testing with the latest 1.6 version. You might want to install that. Currently it's 1.6.14.
- To cause a failure, your script has to output the number '1' as the first character. Here's mine:
```
#!/bin/bash
echo "1 FAIL!";
echo $(date) >> /usr/local/lsws/cxscgi.log
echo " Script and it returned it failed" >> /usr/local/lsws/cxscgi.log
exit 1
```
- Here's my curl command:
```
curl --http1.1 -F file=@/usr/local/lsws/cxscgi.sh 'http://127.0.0.1:8088/phpinfo.php?b=inspectfail' -v -s > /usr/local/lsws/403error-3.txt 2>&1
```
- Here are my rules:
```
SecRule ARGS:b "@strmatch inspectfail" "chain,phase:request,log,deny,id:159"
SecRule FILES_TMPNAMES "@inspectFile /usr/local/lsws/cxscgi.sh"
```
Try those things and let me know where that takes you.

Thanks for your patience!

Bob Perper
rperper@litespeedtech.com