PHP/Java Floating Point DoS Protection

Recently a floating point DoS vulnerability surfaced in both PHP and Java. The crux of the problem is that PHP and Java apps go into an infinite loop and hang when trying to process numeric values in the (approximate) range of 2.2250738585072011E-208 to 2.2250738585072013E-208. For more information see here, here and here. Ryan Barnett (TrustWave) and I ported Adobe's suggested fix into ModSecurity.

To implement the patch we:

  1. Detect payloads that are potentially vulnerable
  2. Clean the variables received and compare them against the attack pattern
  3. Detect and block an attack

Detecting payloads

It's important to note that there are several ways an attacker can submit the payload in this attack. The attack does not need to use scientific notation. While there is no single number that we can look for, the potential attack strings will all start with the same digit sequence, 2.225073858507201. The decimal point can be anywhere within the string, so we use the following ModSecurity rule to find potential attacks (17 consecutive digits or dots in any argument or request header):

SecRule ARGS|REQUEST_HEADERS "[0-9\.]{17}" \
  "phase:2,t:none,nolog,pass,exec:/opt/modsecurity/etc/lua/FloatingPointDoSAttack.lua"

Clean the variables received and compare them against the attack pattern

Due to the various string possibilities, the ModSecurity rules language is limited in its ability to properly identify the attack, so we use a Lua script to help us. The Lua script below grabs the ARGS and REQUEST_HEADERS collections, removes every decimal point from each variable's value and matches the result against the digit pattern. If there's a match we set a transactional variable holding the name of the variable containing the attack and return a message.

function main()
    -- Digit prefix shared by all known trigger values, decimal point removed.
    -- It must be a string: as a number Lua would reformat it as 2.2250738585072e+15
    -- when passing it to the string functions.
    local Pattern = "2225073858507201"

    -- Get the ModSecurity collections.
    local Headers = m.getvars("REQUEST_HEADERS")
    local Args = m.getvars("ARGS")

    -- Drop every '.' and look for the digit prefix as a plain substring.
    -- string.find with plain=true is used here: string.gmatch returns an
    -- iterator function, which is always truthy and would flag every variable.
    local function matches(value)
        local Filtered = string.gsub(value, "[.]", "")
        return string.find(Filtered, Pattern, 1, true) ~= nil
    end

    for i = 1, #Headers do
        if matches(Headers[i].value) then
            m.setvar("tx.floatingpointdos", Headers[i].name)
            return ("Potential Floating Point DoS Attack via variable: " .. Headers[i].name .. ".")
        end
    end

    for i = 1, #Args do
        if matches(Args[i].value) then
            m.setvar("tx.floatingpointdos", Args[i].name)
            return ("Potential Floating Point DoS Attack via variable: " .. Args[i].name .. ".")
        end
    end

    return nil
end
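As an added example (not code from the original post or from the ModSecurity project), here is the same two-stage check, the SecRule's 17-character prefilter followed by the Lua script's dot-stripping substring match, ported to Python so the logic can be exercised offline; the request variables in the sample are constructed.

```python
import re
from typing import Dict, Optional

# Digit prefix shared by every known trigger value once the decimal point
# is removed; the same string the Lua script compares against.
DOS_DIGIT_PREFIX = "2225073858507201"

# Same prefilter as the SecRule: 17 consecutive digits or dots anywhere
# in the value. It is cheap and skips short or non-numeric values.
PREFILTER = re.compile(r"[0-9.]{17}")


def is_floating_point_dos_candidate(value: str) -> bool:
    """Mirror the ModSecurity rule plus Lua script for one variable value.

    Stage 1: regex prefilter (the SecRule).  Stage 2: drop every '.' and
    look for the digit prefix, so the decimal point may sit anywhere in
    the string, or be absent, and scientific notation is not required.
    """
    if not PREFILTER.search(value):
        return False
    stripped = value.replace(".", "")
    return DOS_DIGIT_PREFIX in stripped


def scan_request(variables: Dict[str, str]) -> Optional[str]:
    """Return the name of the first variable carrying a candidate payload
    (what the Lua script stores in tx.floatingpointdos), or None."""
    for name, value in variables.items():
        if is_floating_point_dos_candidate(value):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample: headers and arguments merged into one mapping.
    sample = {
        "REQUEST_HEADERS:Accept-Language": "en-US,en;q=0.8",
        "ARGS:ts": "1297937880.123456",           # 17 digit/dot chars, benign
        "ARGS:amount": "0.0000022250738585072012",  # point moved, still flagged
    }
    print(scan_request(sample))  # ARGS:amount
```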

Detect and block an attack

Once an attack is detected by the Lua script, a transactional variable is set. In the ModSecurity rule below we simply look for that variable and block and log if it's set.

# tx.floatingpointdos holds the name of the offending variable (set by the Lua
# script); &TX:FLOATINGPOINTDOS only counts it, so %{matched_var} would log "1".
SecRule &TX:FLOATINGPOINTDOS "@eq 1" "phase:2,t:none,log,block, \
  msg:'Floating Point DoS Payload Found.', \
  logdata:'Location: %{TX.FLOATINGPOINTDOS}', \
  tag:'CVE-2010-4476'"

Anonymous   02/17/11 10:18

that's awesome!
