Matching ASCII codes %00 - %1f in HTTP::uri
According to: http://www.w3schools.com/tags/ref_urlencode.asp
"The ASCII device control characters %00-%1f were originally designed to control hardware devices. Control characters have nothing to do inside a URL."
A vendor software has a bug that actually interprets %00-%1f and does some fateful things on the system as a result. I have the vendor software behind the LTM, and want to close the TCP connection for all URLs with these ASCII codes, particularly "%00".
What is the best approach to do this? I tried the below block of code, but the request with "%00" in the URI is not being caught in the IF statement.
    when HTTP_REQUEST {
        # Close the connection when the raw URI contains an encoded NUL
        if { [HTTP::uri] contains "%00" } {
            HTTP::close
            TCP::close
        }
    }
3 Replies
- Steven_Filisko_
Nimbostratus
I am not an expert-level iRuler at this point (yet), so someone may have a better, more direct answer, but... I would add the "log" lines below. The output will show in the "Local Traffic" log (or /var/log/ltm on the F5 itself). It will give you a better idea of what is going on.
I did find a package that is supposed to "test iRules" but it isn't very intuitive (from what I have seen so far).
    when HTTP_REQUEST {
        log local0. "Checking URI: [HTTP::uri]"
        if { [HTTP::uri] contains "%00" } {
            log local0. "Illegal URI: Closing Connection."
            HTTP::close
            TCP::close
        }
    }
- Steven_Filisko_
Nimbostratus
And actually, if you wanted to trap ALL of the control characters from %00 to %1f...
Note that %1, %2, etc. would pass through unmatched, as the regex is looking for a percent sign, followed by a single digit 0 or 1, followed by a single digit 0 through 9 or a through f or A through F.
    when HTTP_REQUEST {
        log local0. "Checking URI: [HTTP::uri]"
        if { [regexp {%[0-1][0-9a-fA-F]} [HTTP::uri]] } {
            log local0. "Illegal URI: Closing Connection."
            HTTP::close
            TCP::close
        }
    }
- Russell_E_Glaue
Nimbostratus
The browser was stripping the ASCII device control characters in URLs I tested after the first request. Then loading from browser cache after that. No way to force with shift-reload when that happens. The code worked every time when using curl or wget to test the offensive URLs.
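An offline check of the pattern from the second reply, as an added example that is not part of the thread: it applies the same regular expression to the raw, still-encoded request target and reports which control escapes would trigger the close. The function names and the sample request lines are assumptions made for illustration.

```python
import re

# Pattern from the second reply: '%', then 0 or 1, then one hex digit.
CONTROL_ESCAPE = re.compile(r"%[0-1][0-9a-fA-F]")
# Readable names for a few control codes; others are shown as hex.
NAMES = {0x00: "NUL", 0x09: "HT", 0x0A: "LF", 0x0D: "CR", 0x1B: "ESC"}

def request_target(request_line):
    """Return the raw, still-encoded URI from an HTTP/1.x request line."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]

def control_escapes(uri):
    """List (escape, name) for every %00-%1f escape, in order of appearance."""
    found = []
    for esc in CONTROL_ESCAPE.findall(uri):
        code = int(esc[1:], 16)
        found.append((esc, NAMES.get(code, "0x%02X" % code)))
    return found

def decide(request_line):
    """Mirror the iRule: 'close' if any control escape is present, else 'pass'."""
    hits = control_escapes(request_target(request_line))
    return ("close" if hits else "pass", hits)

# Constructed request lines (not taken from the thread).
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET /app/view?id=12%00 HTTP/1.1",
    "GET /search?q=a%0d%0Ab HTTP/1.1",
    "GET /search?q=hello%20world HTTP/1.1",  # %20 is outside %00-%1f
    "GET /page%1 HTTP/1.1",                  # short form passes, as the reply notes
    "GET /item%1Fend HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        action, hits = decide(line)
        print("%-5s %-45s %s" % (action, line, hits))
```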
