ModSecurity 3.0.14
Initializing ModSecurity and RulesSet...
Rules loaded successfully.
Attempting to initialize ModSecurity collections via temp Transaction...
Collections initialization attempt completed.
__AFL_INIT()...
__AFL_INIT() done.
Entering __AFL_LOOP...
Processing transaction with size: 2781
=================================================================
==3852341==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000095c9 at pc 0x58e2bae3cafc bp 0x7ffd52f8b8a0 sp 0x7ffd52f8b898
READ of size 1 at 0x6110000095c9 thread T0
#0 0x58e2bae3cafb in cstrcasecmp_with_null /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:530:14
#1 0x58e2bae3bec1 in is_black_attr /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:660:21
#2 0x58e2bae3812e in libinjection_is_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:749:20
#3 0x58e2bae3f02c in libinjection_xss /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:844:9
#4 0x58e2bad08423 in modsecurity::operators::DetectXSS::evaluate(modsecurity::Transaction*, modsecurity::RuleWithActions*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/operators/detect_xss.cc:32:14
#5 0x58e2bad1a042 in modsecurity::operators::Operator::evaluateInternal(modsecurity::Transaction*, modsecurity::RuleWithActions*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/operators/operator.cc:75:16
#6 0x58e2bab44487 in modsecurity::RuleWithOperator::executeOperatorAt(modsecurity::Transaction*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_operator.cc:117:29
#7 0x58e2bab3945d in modsecurity::RuleWithOperator::evaluate(modsecurity::Transaction*, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_operator.cc:299:34
#8 0x58e2baaff6a1 in modsecurity::RuleWithActions::evaluate(modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_actions.cc:183:12
#9 0x58e2ba7ef9f7 in modsecurity::RulesSet::evaluate(int, modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rules_set.cc:210:19
#10 0x58e2ba74c97a in modsecurity::Transaction::processRequestBody() /FuZZ/CPP/ModSecurity/ModSecurity/src/transaction.cc:869:20
#11 0x58e2ba6e739e in ExecuteTransactionLogic(unsigned char const*, unsigned long) /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:44:9
#12 0x58e2ba6ebcd1 in main /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:163:13
#13 0x7f1dd1c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#14 0x7f1dd1c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#15 0x58e2ba621334 in _start (/FuZZ/Check-crushes/modsec/modsec_persistent_fuzzer+0x40d334) (BuildId: 500fae1eca47252b)
0x6110000095c9 is located 0 bytes to the right of 201-byte region [0x611000009500,0x6110000095c9)
allocated by thread T0 here:
#0 0x58e2ba6a4d42 in malloc (/FuZZ/Check-crushes/modsec/modsec_persistent_fuzzer+0x490d42) (BuildId: 500fae1eca47252b)
#1 0x7f1dd20bb903 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xbb903) (BuildId: ca77dae775ec87540acd7218fa990c40d1c94ab1)
#2 0x58e2ba711f99 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/basic_string.tcc:229:14
#3 0x58e2bab2d179 in std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, true>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_pair.h:688:4
#4 0x58e2bab2cf28 in void std::__new_allocator<std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::construct<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/new_allocator.h:191:23
#5 0x58e2bab2cf28 in void std::allocator_traits<std::allocator<std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > >::construct<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::allocator<std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >&, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/alloc_traits.h:538:8
#6 0x58e2bab2cf28 in std::_List_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >* std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::_M_create_node<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_list.h:713:4
#7 0x58e2bab2c648 in void std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::_M_insert<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::_List_iterator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_list.h:2005:18
#8 0x58e2bab26f35 in std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >& std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >::emplace_back<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >&&) /usr/lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/stl_list.h:1321:10
#9 0x58e2bab269b3 in modsecurity::RuleWithActions::executeTransformations(modsecurity::Transaction const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::list<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::shared_ptr<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > >&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_actions.cc:438:13
#10 0x58e2bab3911e in modsecurity::RuleWithOperator::evaluate(modsecurity::Transaction*, modsecurity::RuleMessage&) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_operator.cc:294:13
#11 0x58e2baaff6a1 in modsecurity::RuleWithActions::evaluate(modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rule_with_actions.cc:183:12
#12 0x58e2ba7ef9f7 in modsecurity::RulesSet::evaluate(int, modsecurity::Transaction*) /FuZZ/CPP/ModSecurity/ModSecurity/src/rules_set.cc:210:19
#13 0x58e2ba74c97a in modsecurity::Transaction::processRequestBody() /FuZZ/CPP/ModSecurity/ModSecurity/src/transaction.cc:869:20
#14 0x58e2ba6e739e in ExecuteTransactionLogic(unsigned char const*, unsigned long) /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:44:9
#15 0x58e2ba6ebcd1 in main /FuZZ/CPP/ModSecurity/ModSecurity/modsec_persistent_fuzzer.cc:163:13
#16 0x7f1dd1c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#17 0x7f1dd1c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#18 0x58e2ba621334 in _start (/FuZZ/Check-crushes/modsec/modsec_persistent_fuzzer+0x40d334) (BuildId: 500fae1eca47252b)
SUMMARY: AddressSanitizer: heap-buffer-overflow /FuZZ/CPP/ModSecurity/ModSecurity/others/libinjection/src/libinjection_xss.c:530:14 in cstrcasecmp_with_null
Shadow bytes around the buggy address:
0x0c227fff9260: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c227fff9270: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fff9280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c227fff9290: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff92a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92b0: 00 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa
0x0c227fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff92e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff92f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff9300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3852341==ABORTING