This repository was archived by the owner on May 14, 2020. It is now read-only.

Regarding the ReDOS exploit strings & the un-reproducibility #1372

Closed
@s0md3v

Description


Hi there,

I am submitting this issue as the team is unable to see any impact by using the "exploit strings" I provided.
Look at the following regular expression:

(?i:(?:(?:(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W|^.?[\"'`]$))

This is indeed a very long regular expression to reverse into a string by hand when you are looking at tons of such regular expressions.
However, the only vulnerable part of the regular expression is the following:

(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)

This part will cause the regex engine to backtrack a lot because of the alternate and adjacent sub-patterns and character classes matching the same characters.
I focused only on finding vulnerabilities and not on writing exploits, and that way I was able to find and verify 5 vulnerabilities in under an hour.
I assumed you guys would understand what I was trying to convey without making a ready-to-use exploit public, open to abuse.

The strings I mentioned are exploits for the vulnerable parts of the regular expressions; they aren't complete attack vectors, as I mentioned in my interview with PortSwigger:

The researcher added: “It should be noted that I haven’t released the full exploit strings yet because the vulnerabilities still exist and can be abused. The exploits mentioned in my blog are just for the vulnerable parts of the regular expressions and won’t have any effect on an implementation of ModSecurity.”

I hope it makes sense now.
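The shape the report points at, an unbounded repeat wrapped around a group that itself contains unbounded repeats, can be found mechanically when reviewing a rule set. The following checker is an added example, not code from the issue or from the project; it scans a pattern's source for such groups and runs over the regex quoted above (stored here under the assumed name ISSUE_REGEX). It is a review heuristic: it lists candidate groups for a human to inspect and neither proves that the nested classes overlap nor produces any input.

```python
import re

# Regular expression quoted verbatim from the issue above (name is ours).
ISSUE_REGEX = r"""(?i:(?:(?:(?:^[\"'`\\\\]*?[^\"'`]+[\"'`])+|(?:^[\"'`\\\\]*?[\d\"'`]+)+)\s*?(?:n(?:and|ot)|(?:x?x)?or|between|\|\||like|and|div|&&)\s*?[\w\"'`][+&!@(),.-]|\@(?:[\w-]+\s(?:between|like|x?or|and|div)\s*?[^\w\s]|\w+\s+(?:between|like|x?or|and|div)\s*?[\"'`\d]+)|[\"'`]\s*?(?:between|like|x?or|and|div)\s*?[\"'`]?\d|[^\w\s:]\s*?\d\W+[^\w\s]\s*?[\"'`].|[^\w\s]\w+\s*?[|-]\s*?[\"'`]\s*?\w|\Winformation_schema|\\\\x(?:23|27|3d)|table_name\W|^.?[\"'`]$))"""

_OPEN_RANGE = re.compile(r"\{\d*,\}")   # {n,} with no upper bound


def _unbounded_quantifier_at(pattern, j):
    """Return the unbounded quantifier starting at index j ('*', '+', '{n,}') or None."""
    if j < len(pattern) and pattern[j] in "*+":
        return pattern[j]
    m = _OPEN_RANGE.match(pattern, j)
    return m.group(0) if m else None


def nested_unbounded_repeats(pattern):
    """Return the source text of every group that is repeated without an upper
    bound and contains another unbounded repeat (star height >= 2). Heuristic:
    it flags candidates for review, it does not prove catastrophic backtracking."""
    findings = []
    open_at = []       # index of each currently open '('
    has_repeat = []    # per open group: does it contain an unbounded quantifier?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                        # escaped character, never syntax
            i += 2
            continue
        if c == "[":                         # skip a character class as a whole
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":  # a leading ']' is a literal
                i += 1
            while i < n and pattern[i] != "]":
                i += 2 if pattern[i] == "\\" else 1
            i += 1
            continue
        if c == "(":
            open_at.append(i)
            has_repeat.append(False)
        elif c == ")":
            if not open_at:
                raise ValueError("unbalanced ')' at index %d" % i)
            start, inner = open_at.pop(), has_repeat.pop()
            quant = _unbounded_quantifier_at(pattern, i + 1)
            if quant and inner:
                findings.append(pattern[start:i + 1] + quant)
            if (quant or inner) and has_repeat:
                has_repeat[-1] = True        # the enclosing group now contains a repeat
        elif _unbounded_quantifier_at(pattern, i) and has_repeat:
            has_repeat[-1] = True            # quantified atom inside a group
        i += 1
    return findings
```

Run against the quoted regex it returns exactly the two groups the report singles out, and nothing else in the pattern.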
