SecHash buffer overflow #1198
Comments
Hi @szingg, most likely you have an APR version mismatch. This happens when you compile ModSecurity using one APR version and use another one at run time. Would you mind pasting here the first lines of the ModSecurity initialization logs? They contain the version numbers (compiled and loaded).
Hi @zimmerle, the event log contains the following entries:
Hi @szingg, did you manage to reproduce exactly the same problem on another computer? Did you compile ModSecurity IIS yourself?
Hi @zimmerle, yes, I could reproduce the error on another computer (Windows Server 2012 R2 64-bit).
The issue is due to a buffer overflow in the hmac() function in msc_crypt.c. There is no room to copy the '\0' into hex_digest. Because of that, apr_pstrdup() crashes. To fix the issue, the hex_digest buffer should be increased to hex_digest[APR_SHA1_DIGESTSIZE * 2 + 1].
--- a/apache2/msc_crypt.c
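The off-by-one described in the comment above, as an added example that is not ModSecurity's code: a hex encoder that computes the space the hex form of a digest needs (two characters per byte plus the terminating NUL) and refuses a buffer that is too small, exercised with a 40-byte buffer and a 41-byte buffer for a 20-byte digest. DIGESTSIZE stands in for APR_SHA1_DIGESTSIZE, the digest bytes are constructed for the demo rather than a real HMAC, and hex_encode and check_buffer_sizes are names chosen here.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define DIGESTSIZE  20                    /* stand-in for APR_SHA1_DIGESTSIZE (SHA-1: 20 bytes) */
#define HEX_BUF_BAD (DIGESTSIZE * 2)      /* 40 bytes: no room for the NUL terminator */
#define HEX_BUF_OK  (DIGESTSIZE * 2 + 1)  /* 41 bytes: 40 hex characters plus NUL */

/* Hex-encode n bytes of digest into out. Returns the number of bytes the
 * encoding needs (2n + 1, counting the NUL terminator), or 0 if outlen is
 * smaller than that. Nothing is written when the buffer is too small, so an
 * undersized buffer is reported instead of overrun. */
size_t hex_encode(const unsigned char *digest, size_t n, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t needed = n * 2 + 1;
    if (outlen < needed) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        out[i * 2]     = hex[digest[i] >> 4];
        out[i * 2 + 1] = hex[digest[i] & 0x0f];
    }
    out[n * 2] = '\0';   /* this byte is the one a 2n-sized buffer lacks */
    return needed;
}

/* Encodes a constructed 20-byte digest into both buffer sizes. Returns 1 when
 * the 40-byte buffer is rejected and the 41-byte buffer holds the full
 * 40-character string, 0 otherwise. */
int check_buffer_sizes(void)
{
    /* Constructed digest bytes for the demo; not the output of any hash. */
    unsigned char digest[DIGESTSIZE];
    for (int i = 0; i < DIGESTSIZE; i++) {
        digest[i] = (unsigned char)(i * 13 + 7);
    }

    char small[HEX_BUF_BAD];
    char right[HEX_BUF_OK];
    size_t r_small = hex_encode(digest, DIGESTSIZE, small, sizeof small);
    size_t r_right = hex_encode(digest, DIGESTSIZE, right, sizeof right);

    return r_small == 0 && r_right == HEX_BUF_OK && strlen(right) == DIGESTSIZE * 2;
}

int main(void)
{
    int ok = check_buffer_sizes();
    printf("40-byte buffer rejected, 41-byte buffer accepted: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The check is the one the original code lacked: sizing the destination as `digest_len * 2` leaves exactly one byte short, which only shows up when the string terminator is written, so the overrun is silent until something like apr_pstrdup() or the stack-cookie check reads past the end.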
Hi
I'm trying to configure protected links according to this article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Reducing-web-application-attack-surface/
SecDisableBackendCompression On
SecContentInjection On
SecStreamOutBodyInspection On
SecHashEngine On
SecHashKey rand SessionID
SecHashParam "hmac"
SecHashMethodRx "HashHref" ".(aspx?|php)"
I noticed I also had to set SecResponseBodyAccess On.
If I request a page where SecHashMethodRx doesn't match, everything works perfectly. But as soon as the rule matches I get an "Unhandled exception at 0x72641F2A (ModSecurityIIS.dll) in w3wp.exe: Stack cookie instrumentation code detected a stack-based buffer overrun".
The environment is an embedded installation on IIS. ModSecurity is running on a 32-bit application pool.
Thank you very much.