A MySQL bug that causes a misconfiguration in the WAF service on the AWS Cloud

A quick read on how a decade old MySQL/MariaDB bug caused by the inability to parse a malformed scientific notation literal could be used to bypass Web Application Firewalls on-prem and more dangerously on the cloud.

Riyaz Walikar
October 29, 2021


Way back in 2013, Roberto Salgado’s BlackHat talk titled “SQLi Optimization and Obfuscation Techniques” showed how you could obfuscate strings and numerous other data types in ways that could be used to trick middleware and interpreters. The folks at GoSecure found that one of the tricks from the BH presentation could be used to trick Web Application Firewalls protecting applications vulnerable to SQL Injection with a MySQL or MariaDB backend. The trick relies on MySQL and MariaDB ignoring numeric literals written in scientific notation when they appear in an invalid context. This opens the door to a range of security-relevant behaviour.

What's the security implication of this?

Although not a security problem in itself, the bug can be used in many security contexts to bypass controls. The usage of this bug to bypass the AWS Web Application Firewall, as shown in the blog, is a prime example of how data can be interpreted by different systems differently based on context.

Examples of valid literals are “12.E-2”, “66.55E12” and “36.96e-15”. The MySQL parser breaks these numeric literals into three parts: the part before the dot, the part after the dot but before the E, and the part after the E. The bug arises from improper verification of the part after the E: when given an invalid literal such as 1234.567E(), the code simply ignores that piece of user input instead of rejecting it.

Almost all decent Web Application Firewalls detect SQL Injection, some more aggressively than others. SQL Injection occurs when user-provided input is parsed as part of the command sent to the SQL server, allowing characters supplied by the user to be interpreted as part of the query and letting the user manipulate the query in unintended ways.

A web application firewall detects characters that could potentially be used to alter the meaning of the backend query, but this detection is heavily based on string matches and regular expressions.

The researchers found that the protection offered by the AWS Web Application Firewall could be bypassed using invalid, out-of-context scientific notation numeric literals. Hence, a request such as the following would get blocked:

curl "' or '1'='1"

But the following request would go through:

curl "' or 1.1e(0) '1'='1"

Even ModSecurity, a popular Web Application Firewall for Apache and nginx, was unable to detect a malicious string containing the scientific notation when running at Paranoia Level 1 (PL1), which is the default. The SQL Injection attempt was detected when ModSecurity was running at Paranoia Level 2 (PL2).
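To show why a string-matching rule misses the second request and how a defender can close the gap, here is an added example (not code from the article, AWS WAF or ModSecurity). It uses a deliberately simplistic, assumed tautology rule and a normalisation step that drops the malformed `E(...)` literal the way the MySQL parser does before the rule runs, and it also flags the malformed literal itself as an anomaly worth alerting on.

```python
import re

# Constructed sample inputs: the two request bodies discussed in the article.
BLOCKED_PAYLOAD = "' or '1'='1"
BYPASS_PAYLOAD = "' or 1.1e(0) '1'='1"

# Assumed, simplistic signature in the spirit of a string/regex based WAF rule:
# "OR" followed by a quoted value, "=", and the start of another quoted value.
NAIVE_TAUTOLOGY_RULE = re.compile(r"\bor\s+'[^']*'\s*=\s*'", re.IGNORECASE)

# Malformed scientific-notation literal as shown in the article: digits, an
# optional fraction, then E/e followed by a parenthesised (possibly empty)
# group instead of a valid exponent. Valid forms such as 12.E-2 or 66.55E12
# do not match because their exponent is digits, not a parenthesised group.
MALFORMED_SCI_LITERAL = re.compile(r"\b\d+(?:\.\d*)?[eE]\([^)]*\)")


def naive_detect(payload: str) -> bool:
    """What a purely string/regex based check sees: the raw bytes."""
    return bool(NAIVE_TAUTOLOGY_RULE.search(payload))


def normalize_like_mysql(payload: str) -> str:
    """Remove malformed scientific-notation literals, mirroring the parser
    behaviour the article describes (the invalid literal is silently ignored),
    so the rule inspects what the database will effectively execute."""
    return MALFORMED_SCI_LITERAL.sub("", payload)


def contains_malformed_literal(payload: str) -> bool:
    """A malformed literal in user input is itself an anomaly worth alerting on."""
    return bool(MALFORMED_SCI_LITERAL.search(payload))


def hardened_detect(payload: str) -> bool:
    """Flag either the anomaly or the tautology visible after normalisation."""
    return contains_malformed_literal(payload) or naive_detect(
        normalize_like_mysql(payload)
    )


if __name__ == "__main__":
    for p in (BLOCKED_PAYLOAD, BYPASS_PAYLOAD):
        print(f"{p!r}: naive={naive_detect(p)} hardened={hardened_detect(p)}")
```

Running it shows the naive rule catching only the first payload while the hardened check catches both.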

The software running the services on all major cloud platforms has the same bugs as software running in a standalone data centre. The difference is that the cloud providers put restrictive controls in place to ensure user input does not reach the underlying software layer for services that are meant to expose only APIs.

Not understanding the context of the data passing through a layer raises questions about the design implications of a service. Allowing data to be inspected can also be a privacy nightmare, even when it is done for security reasons. In this case, SSL termination (if there was any) happens at or before the WAF, allowing the data to be inspected; but because the system has no context for the data, the payload was not detected as malicious.

A layered approach to security works best in practice. Treating user data as malicious regardless of its source, and processing it accordingly before consuming it, is one way to go about this (which is also a common SQL injection fix). It would be interesting to see what other cloud based web application firewalls have insufficient rules.


Riyaz Walikar

Riyaz is a security evangelist, offensive security expert and researcher with over a decade of experience in the cyber security industry. His passion for breaking into some of the most well defended networks and systems in his career spanning 15 years has earned him a lot of respect within the security industry. He has led Security Assessment and Penetration Testing teams at Pricewaterhouse Coopers (PwC) and Appsecco, and the Product Security Team at Citrix before co-founding Kloudle. Riyaz now specializes in cloud native, container and cloud security in general, helping build an easy to use security management platform to help companies enhance their visibility in the cloud, identify security misconfigurations and automate remediation for security gaps, enabling compliance and operational security in multi-cloud environments. He is also an avid speaker and trainer and presents his research and findings at security conferences and community meetups around the world including BlackHat USA, BH Europe, BH Asia, nullcon and OWASP AppsecUSA. Specialties: Cloud (AWS, GCP, Azure, IBM, Others) Security, Cloud-Native Security, Kubernetes, Container Security, Web Application Security, Network and System Penetration Testing, Wireless Network Security, Malware Analysis and Reverse Engineering, Threat Modelling, Windows Forensics, Security Code Review, Vulnerability Research, Exploit Development and Reverse Engineering. Certifications: CKA, CKAD, OSCP
