modsecurity seg fault caused - OWASP 901 Initialisation

[danielwrayois]

Hi,

I am seeing a seg fault in Nginx when mod_security v3 is enabled, and the OWASP version 3.0.0 REQUEST-901-INITIALIZATION.conf file is under the rules directory.

This setup has been running for a few months now, however after several penetration test attempts using Burp the system is now having segmentation faults that are causing an empty response to be returned from the server - A restart of the service or server does not impact anything, including moving the VM to another host (performed in case of corrupt memory.)

Commenting out the following rule under the REQUEST-901 file seems to stop the segmentation faults:

SecRule &TX:REAL_IP "@eq 0" \
  "id:901321, \
  phase:1, \
  t:none, \
  initcol:global=global, \
  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
  setvar:tx.real_ip=%{remote_addr}, \
  nolog, \
  pass"

Nginx Version:
nginx version: nginx/1.11.9

Nginx Configuration:
nginx version: nginx/1.11.9
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.1.1-dev xx XXX xxxx
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --add-module=/srv/ModSecurity-nginx --add-module=/srv/headers-more-nginx-module --with-openssl=/srv/openssl --with-http_ssl_module --with-http_realip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-file-aio --with-http_v2_module

Segmentation Fault:
Dec 19 10:54:14 localhost kernel: [ 3631.073401] nginx[6643]: segfault at 357d000 ip 00007f998ff46116 sp 00007ffc35786be8 error 4 in libc-2.23.so[7f998fdf8000+1c0000]

Nginx error:
2017/12/19 10:54:14 [alert] 6638#6638: worker process 6643 exited on signal 11 (core dumped)

I have a debian file for the Nginx version, and mod_security version, and can provide the CRS rule-set I am using if the issue needs to be replicated to find the route cause.

Kind Regards,

[defanator]

@danielwrayois could you please provide full backtrace from the coredump?

[danielwrayois]

Hi Defanator,

I do not have the debugging symbols enabled by the looks of it:

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/nginx...(no debugging symbols found)...done.
"/var/tmp/core_dumps/" is not a core dump: Is a directory

Is there anyway to provide more information without recompiling nginx with the debug symbols enabled?

[defanator]

@danielwrayois if issue can be reproduced in your environment, it would be better if you recompile nginx/libmodsecurity with debug symbols, reproduce an issue, and provide full backtrace.

Also it would help if you try to reproduce an issue with nginx from official packages [1], building modsecurity connector as a dynamic module, excluding all other 3rd-party modules, and having openssl provided by OS (I see that you have custom openssl 1.1.1 in nginx).

[1] http://nginx.org/en/linux_packages.html#mainline

[zimmerle]

As it was not replicated by us, I am afraid we need to closed this until we hear from @danielwrayois.