Forum Index -> Third-party Modules
Topic: mod_security-2.9.5 for handling CVE-2021-42717 vulnerability
Author
gderebas



Joined: 29 Dec 2021
Posts: 1
Location: Russia, Magnitogorsk

PostPosted: Wed 29 Dec '21 8:38    Post subject: mod_security-2.9.5 for handling CVE-2021-42717 vulnerability

At current moment at https://www.apachelounge.com/download/ only mod_security-2.9.3 exists. Is it known when 2.9.5 version will be available?
tangent



Joined: 16 Aug 2020
Posts: 215
Location: UK

PostPosted: Thu 30 Dec '21 21:04    Post subject:

@gderebas - If you really want to try 2.9.5 ahead of Steffen releasing it on this site, you could always build it yourself for testing purposes.

I've done this based on the howto at https://www.apachelounge.com/viewtopic.php?t=8609 with a couple of extra build sections for YAJL and ModSecurity, and can post the additional build code if you're interested.

The mod_security2.so file it produces runs with the AL httpd-2.4.52-win64-VS16.zip download, providing you copy over a couple extra DLLs to the Apache bin folder.

Sample execution:
Code:
C:\Apache24\bin>httpd -v
Server version: Apache/2.4.52 (Win64)
Apache Lounge VS16 Server built:   Dec 17 2021 10:17:38

C:\Apache24\bin>httpd -X
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::5927:43d3:379f:cd9d. Set the 'ServerName' directive globally to suppress this message
^C

C:\Apache24\bin>type ..\logs\error.log
[Thu Dec 30 17:30:28.136090 2021] [:notice] [pid 11804:tid 712] ModSecurity for Apache/2.9.5 (http://www.modsecurity.org/) configured.
[Thu Dec 30 17:30:28.137021 2021] [:notice] [pid 11804:tid 712] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Thu Dec 30 17:30:28.137021 2021] [:notice] [pid 11804:tid 712] ModSecurity: PCRE compiled version="8.45 "; loaded version="8.45 2021-06-15"
[Thu Dec 30 17:30:28.137021 2021] [:notice] [pid 11804:tid 712] ModSecurity: LUA compiled version="Lua 5.4"
[Thu Dec 30 17:30:28.137021 2021] [:notice] [pid 11804:tid 712] ModSecurity: YAJL compiled version="2.1.0"
[Thu Dec 30 17:30:28.137021 2021] [:notice] [pid 11804:tid 712] ModSecurity: LIBXML compiled version="2.9.12"
[Thu Dec 30 17:30:28.137021 2021] [:notice] [pid 11804:tid 712] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::5927:43d3:379f:cd9d. Set the 'ServerName' directive globally to suppress this message
[Thu Dec 30 17:30:28.152383 2021] [mpm_winnt:notice] [pid 11804:tid 712] AH00354: Child: Starting 64 worker threads.
Xing



Joined: 26 Oct 2005
Posts: 46

PostPosted: Fri 31 Dec '21 10:21    Post subject:

Please post the YAJL and ModSecurity build code.
tangent



Joined: 16 Aug 2020
Posts: 215
Location: UK

PostPosted: Fri 31 Dec '21 19:42    Post subject:

These instructions to build YAJL and ModSecurity assume you've already built Apache HTTPD following the howto details at https://www.apachelounge.com/viewtopic.php?t=8609

You can either choose to extend the build_all.bat batch file, or alternatively take a copy and edit it to build just the two additional packages. This makes more sense if you want to iterate the build with different versions of ModSecurity, etc. The instructions below assume a batch file copy.

Note: at the time of writing the above howto build assumes LUA 5.4, whereas Steffen's httpd-2.4.52-win64-VS16.zip download is based on LUA 5.2.

Officially, ModSecurity 2.9.5 is only tested with LUA 5.1, 5.2 or 5.3, but the build code below patches the msc_lua.c file to support LUA 5.4. However, I'm so far unable to run the ModSecurity unit and regression tests on Windows, since they're built using Unix based utilities. So choose your preferred version of LUA when building the above howto, noting your ModSecurity mileage may vary with LUA 5.4.
  1. Preparation
    Prepare additional source folders based on the appropriate version of each package you choose to build, e.g.

    Code:

    C:\Development
       └ Apache24
          ├ src
          │   ├ modsecurity-2.9.5
          │   └ yajl-2.1.0
          │
          └ build

  2. Source Packages
    Download and extract the required YAJL and ModSecurity packages (*.tar.gz or *.zip format) into the appropriate source folders shown above.

  3. Build Extras Batch File
    Copy the build_all.bat file to say build_extras.bat

    Edit the new file and replace the section that defines the build packages and their versions, with the following:
    Code:

    rem Define build packages with their version. This is also the recommended build order.

    set YAJL=yajl-2.1.0                     & rem Used by mod_security
    set MOD_SECURITY=modsecurity-2.9.5

    A little further down the file, remove the large build section from the start of the ZLIB comment to the end of MOD-FCGID, and insert the following replacement build code.

    Code:

    rem ------------------------------------------------------------------------------
    rem
    rem YAJL (for MOD_SECURITY)

    rem Check for package and switch to source folder.
    rem
    call :check_package_source %YAJL%

    if !STATUS! == 0 (
      rem Patch relevant CMakeLists.txt file to adjust install locations.
      rem
      perl -pi.bak -e ^" ^
        s~(RUNTIME DESTINATION^) lib~${1} bin~; ^
        s~(DESTINATION^) share(/pkgconfig^)~${1} lib${2}~; ^
        ^" src\CMakeLists.txt

      set YAJL_CMAKE_OPTS=-DCMAKE_INSTALL_PREFIX=%PREFIX% -DCMAKE_BUILD_TYPE=%BUILD_TYPE%
      call :build_package %YAJL% "!YAJL_CMAKE_OPTS!" & if not !STATUS! == 0 exit /b !STATUS!
    )

    rem ------------------------------------------------------------------------------
    rem
    rem MOD_SECURITY

    rem Check for package and switch to source folder.
    rem
    call :check_package_source %MOD_SECURITY%

    if !STATUS! == 0 (
      echo. & echo Building %MOD_SECURITY%

      rem Build from Makefile.win in apache2 sub-folder.
      rem
      cd /d apache2

      rem Patch msc_lua.c to support LUA == 5.4
      rem
      perl -pi.bak -e ^" ^
        s~(LUA_VERSION_NUM ^)==( 503^)(.+501$^|$^)~${1}^==${2}${3} ^|^| ${1}== 504~; ^
        ^" msc_lua.c

      rem Patch Makefile.win to revise various paths.
      rem
      perl -pi.bak -e ^" ^
        s~(\^)\\^)(pcre.lib^)~${1}lib\\${2}~; ^
        s~(\^)\\^)(libcurl^)(.lib^)~${1}lib\\${2}_imp${3}~; ^
        s~win32\\bin.msvc\\(libxml2^)~lib\\${1}~; ^
        s~(LIBXML2\^)\\include^) ~${1}\\libxml2~; ^
        s~lua5.1~lib\\lua54~; ^
        s~(libinjection^)/~${1}\\~; ^
        s~(APR_INLINE.+VERSION\^)$^)~${1} -DWITH_PCRE_JIT -DWITH_PCRE_STUDY -D_CRT_SECURE_NO_WARNINGS~; ^
        ^" Makefile.win

      set MOD_SECURITY_CONFIGURE_OPTS=APACHE=%PREFIX% PCRE=%PREFIX% LIBXML2=%PREFIX% LUA=%PREFIX% CURL=%PREFIX% YAJL=%PREFIX%

      nmake /f Makefile.win !MOD_SECURITY_CONFIGURE_OPTS! clean 2>nul
      nmake /f Makefile.win !MOD_SECURITY_CONFIGURE_OPTS! & call :get_status
      if !STATUS! == 0 (
        nmake /f Makefile.win !MOD_SECURITY_CONFIGURE_OPTS! install & call :get_status
        if not !STATUS! == 0 (
          echo nmake install for %MOD_SECURITY% failed with status !STATUS!
        ) else (
          rem Some additional manual install is required.
          rem
          if exist "mod_security2.exp" (
            echo -- Installing: "%PREFIX%\lib\mod_security2.exp"
            copy /b /y "mod_security2.exp" "%PREFIX%\lib" 1>nul 2>&1
          )
          if exist "mod_security2.lib" (
            echo -- Installing: "%PREFIX%\lib\mod_security2.lib"
            copy /b /y "mod_security2.lib" "%PREFIX%\lib" 1>nul 2>&1
          )
          if exist "..\modsecurity.conf-recommended" (
            echo -- Installing: "%PREFIX%\conf\extra\modsecurity.conf-recommended"
            mkdir "%PREFIX%\conf\extra\modsecurity" 1>nul 2>&1
            copy /b /y "..\modsecurity.conf-recommended" "%PREFIX%\conf\extra" 1>nul 2>&1
          )
          if exist "..\unicode.mapping" (
            echo -- Installing: "%PREFIX%\conf\extra\unicode.mapping"
            mkdir "%PREFIX%\conf\extra\modsecurity" 1>nul 2>&1
            copy /b /y "..\unicode.mapping" "%PREFIX%\conf\extra" 1>nul 2>&1
          )
        )
      ) else (
        echo nmake for %MOD_SECURITY% failed with status !STATUS!
      )
    )
    exit /b !STATUS!

  4. Build
    Open a command or PowerShell window, change to the above build folder, and run the build_extras.bat batch file. Ideally, redirect the build process output to a log file so you can check for errors. If using PowerShell, you can use the tee command, viz:

    C:\Development\Apache24\build> .\build_extras.bat 2>&1 | tee build_extras.log

  5. Checks
    When finished, search the log file output for fatal errors (noting there will be any number of compiler warnings).

    Confirm the log file shows that yajl.dll has been built and installed below the Apache PREFIX
    Code:

    Install the project...
    -- Install configuration: "Release"
    -- Installing: C:/Apache24/lib/yajl.lib
    -- Installing: C:/Apache24/bin/yajl.dll
    -- Installing: C:/Apache24/lib/yajl_s.lib
    -- Up-to-date: C:/Apache24/include/yajl/yajl_parse.h
    -- Up-to-date: C:/Apache24/include/yajl/yajl_gen.h
    -- Up-to-date: C:/Apache24/include/yajl/yajl_common.h
    -- Up-to-date: C:/Apache24/include/yajl/yajl_tree.h
    -- Installing: C:/Apache24/include/yajl/yajl_version.h
    -- Installing: C:/Apache24/lib/pkgconfig/yajl.pc
    -- Installing: C:/Apache24/bin/json_reformat.exe
    -- Installing: C:/Apache24/bin/json_verify.exe

    and that mod_security2.so has been built and installed into the Apache modules directory
    Code:

    Microsoft (R) Program Maintenance Utility Version 14.29.30137.0
    Copyright (C) Microsoft Corporation.  All rights reserved.

       copy /Y mod_security2.so C:\Apache24\modules
            1 file(s) copied.
    -- Installing: "C:\Apache24\lib\mod_security2.exp"
    -- Installing: "C:\Apache24\lib\mod_security2.lib"
    -- Installing: "C:\Apache24\conf\extra\modsecurity.conf-recommended"
    -- Installing: "C:\Apache24\conf\extra\unicode.mapping"

  6. Testing
    At this point, you can rename the newly built Apache PREFIX folder C:\Apache24 to something else, and reinstate the AL httpd-2.4.52-win64-VS16.zip download to C:\Apache24.

    Copy over the newly built 2.9.5 mod_security2.so file to the AL modules folder, and also yajl.dll and appropriate lua DLL file (e.g. lua54.dll), to the AL bin folder.

    You should now be able to include your ModSecurity configuration file settings and start testing.

    If the ModSecurity module fails to load when you start Apache, it probably means you're missing a dependency DLL. You can use dumpbin to check the dependencies in your module, viz:
    Code:

    C:\>dumpbin /dependents c:\Apache24\modules\mod_security2.so
    Microsoft (R) COFF/PE Dumper Version 14.29.30137.0
    Copyright (C) Microsoft Corporation.  All rights reserved.

    Dump of file c:\Apache24\modules\mod_security2.so

    File Type: DLL

      Image has the following dependencies:

        libhttpd.dll
        libapr-1.dll
        libaprutil-1.dll
        pcre.dll
        libcurl.dll
        libxml2.dll
        WS2_32.dll
        IPHLPAPI.DLL
        lua54.dll
        yajl.dll
        KERNEL32.dll
        VCRUNTIME140.dll
        api-ms-win-crt-utility-l1-1-0.dll
        api-ms-win-crt-convert-l1-1-0.dll
        api-ms-win-crt-stdio-l1-1-0.dll
        api-ms-win-crt-time-l1-1-0.dll
        api-ms-win-crt-runtime-l1-1-0.dll
        api-ms-win-crt-string-l1-1-0.dll
        api-ms-win-crt-heap-l1-1-0.dll
        api-ms-win-crt-environment-l1-1-0.dll
        api-ms-win-crt-filesystem-l1-1-0.dll
Hope this helps.


Last edited by tangent on Sun 02 Jan '22 12:12; edited 1 time in total
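A check for step 6 above, added here as an example; it is not part of tangent's post or of the Apache Lounge build code. It parses the output of dumpbin /dependents (a constructed sample modelled on the listing above) and reports which DLLs still have to be copied into the Apache bin folder. The list of DLLs treated as supplied by Windows or the VC++ runtime, and the sample bin folder contents, are assumptions.

```python
"""Added example: find DLLs a built mod_security2.so needs but the Apache bin folder lacks."""
import os

# Assumption: these come from Windows / the VC++ runtime, not from the Apache bin folder.
SYSTEM_DLLS = {"kernel32.dll", "ws2_32.dll", "iphlpapi.dll", "vcruntime140.dll"}
SYSTEM_PREFIXES = ("api-ms-win-",)

# Constructed sample, modelled on the dumpbin /dependents listing in the post.
SAMPLE_DUMPBIN = """\
Dump of file c:\\Apache24\\modules\\mod_security2.so
  Image has the following dependencies:
    libhttpd.dll
    pcre.dll
    WS2_32.dll
    IPHLPAPI.DLL
    lua54.dll
    yajl.dll
    api-ms-win-crt-heap-l1-1-0.dll
  Summary
"""
# Constructed listing of an Apache bin folder before yajl.dll and lua54.dll were copied in.
SAMPLE_BIN = ["httpd.exe", "libhttpd.dll", "pcre.dll", "lua52.dll"]

def parse_dependents(dumpbin_output: str) -> list[str]:
    """Return the DLL names listed under 'Image has the following dependencies:'."""
    deps, in_section = [], False
    for line in dumpbin_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Image has the following dependencies"):
            in_section = True
        elif in_section and stripped.lower().endswith(".dll"):
            deps.append(stripped)
        elif in_section and stripped and deps:  # e.g. "Summary": the list has ended
            break
    return deps

def is_system_dll(name: str) -> bool:
    lowered = name.lower()
    return lowered in SYSTEM_DLLS or lowered.startswith(SYSTEM_PREFIXES)

def missing_dependencies(deps: list[str], bin_files: list[str]) -> list[str]:
    """DLLs to copy into the Apache bin folder (compared case-insensitively, as on Windows)."""
    present = {f.lower() for f in bin_files}
    return [d for d in deps if not is_system_dll(d) and d.lower() not in present]

def check_apache_bin(dumpbin_output: str, bin_dir: str) -> list[str]:
    """Same check against a real folder, e.g. check_apache_bin(text, "C:\\\\Apache24\\\\bin")."""
    return missing_dependencies(parse_dependents(dumpbin_output), os.listdir(bin_dir))
```

Feed check_apache_bin the captured dumpbin output and your real bin folder; an empty list means every non-system dependency is already beside httpd.exe.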
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2943
Location: Hilversum, NL, EU

PostPosted: Sat 01 Jan '22 14:04    Post subject:

Nice write up. You miss some options for full use, for example YAJL and LUA are optional and not used now.

Apache Lounge builds with:

-DWITH_LIBXML2 -DWITH_LUA -DWITH_PCRE_JIT -DWITH_PCRE_STUDY -Dinline=APR_INLINE -DWITH_YAJL -D_CRT_SECURE_NO_WARNINGS -DWITH_CURL -DWITH_REMOTE_RULES

Btw. Released 2.9.5
tangent



Joined: 16 Aug 2020
Posts: 215
Location: UK

PostPosted: Sun 02 Jan '22 12:12    Post subject:

@Steffen - thanks for the informative feedback.

Having examined the 2.9.5 Makefile.win file, agree that LUA and YAJL are listed as optional.

That file does contain -Dinline=APR_INLINE -DWITH_CURL -DWITH_REMOTE_RULES and requires LIBXML2, but is missing macro options -DWITH_PCRE_JIT -DWITH_PCRE_STUDY. I've updated the above Perl patch code for Makefile.win to add them.

The APR handle leak issue is a concern though, and ahead of APR 1.7.1 ever being released, feel I should update the HTTPD CMake build howto https://www.apachelounge.com/viewtopic.php?t=8609 to include the userinfo.c patch. That patch is non-trivial, so may have to consider using a Windows version of the Unix patch utility, rather than an in-line Perl edit, as I've done with other patches. I'll see what it looks like.
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2943
Location: Hilversum, NL, EU

PostPosted: Tue 04 Jan '22 13:47    Post subject:

mod_security does not build with LUA 5.4; fatal error:

error We are only tested under Lua 5.0, 5.1, 5.2, or 5.3.

So tried 5.3.

Build with static LUA and options LUA_COMPAT_5_2 LUA_COMPAT_5_1

So with static build Apache keeps using 5.4.
tangent



Joined: 16 Aug 2020
Posts: 215
Location: UK

PostPosted: Wed 05 Jan '22 23:04    Post subject:

That's a neat trick.

The reason I patched msc_lua.c above, to accept LUA 5.4 rather than error, was because I didn't know how to link LUA statically when building the ModSecurity shared object library.

Can you reveal the command wizardry you use to link a named static library when building a shared object module / DLL?
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2943
Location: Hilversum, NL, EU

PostPosted: Thu 06 Jan '22 11:10    Post subject:

Patching is a risk, they did not test with 5.4.

Here you go:
Build LUA 5.3.6:
Code:
    CD {Lua \src directory}
    CL /c /nologo /O2 /W3 /MD -DWIN32 -DWINNT -D_CRT_SECURE_NO_DEPRECATE /D LUA_COMPAT_5_2  /D LUA_COMPAT_5_1 *.c
    DEL lua.obj luac.obj
    LIB /OUT:Lua.lib *.obj
For static no DLL needed.

Build mod_security 2.9.5 with the following in makefile.win:
Code:
BASE = ....\Apache24
LIBXML2 = ....\libxml2-2.9.12
LUA = ....\lua-5.3.6\src
PCRE = ....\pcre-8.45
YAJL = ....\yajl-2.1.0\yajl
CURL = ....\curl-7.80.0

DEFS = /nologo /O2 /LD /W3 /wd4244 -DWIN32 -DWINNT -DWITH_LIBXML2 -DWITH_LUA -DWITH_PCRE_JIT -DWITH_PCRE_STUDY -Dinline=APR_INLINE -DWITH_YAJL -D_CRT_SECURE_NO_WARNINGS -DWITH_CURL -DWITH_REMOTE_RULES


LIBS = $(BASE)\lib\libhttpd.lib $(BASE)\lib\libapr-1.lib $(BASE)\lib\libaprutil-1.lib $(CURL)\libcurl.lib $(PCRE)\pcre.lib $(LIBXML2)\lib\libxml2.lib $(LUA)\lua.lib $(YAJL)\lib\yajl.lib "iphlpapi.lib" ws2_32.lib

INCLUDES = -I. -I$(BASE)\include -I$(LIBXML2)\include -I$(LUA) -I$(PCRE) -I$(YAJL)\include -I$(YAJL) -I$(CURL)\include -I$(CURL)
Removed the LUA and Yajl/Json "is optional" lines.