Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)

from [Amit Klein (AKsecurity)] Network Security [Permanent Link]
Subject: HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)
Date: Thu, 22 Sep 2005 13:40:11 +0200 
Hi 

With respect to the IIS/5.0 48K "bug" (see "HTTP Request Smuggling", 
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf, pages 6-7 or 
4-5),
Noam Ben-Yochanan commented that IIS/5.x provides with the programmer with a 
way to consume
the request body (beyond the 48K usually read), thus disabling the HTTP Request 
Smuggling
caused by this anomaly. Noam sent me a link that explains this:

Microsoft Knowledge Base article #810957:
http://support.microsoft.com/default.aspx?scid=kb;en-us;810957

The short story is that IIS reads the body in buffers of 48KB (the default
value of UploadReadAheadSize in the MetaBase registry). It probably always reads
the first buffer. 
Now, the HTTP Request Smuggling trick works by sending any Content-Type
OTHER THAN application/x-www-form-urlencoded. This means that IIS has nobody 
parsing
the data and consuming more data, so it stops reading after those 48K, and 
whatever
comes next is considered the next request (while MS says it is "by design", in 
my
opinion this is still a bug, and with security implications).

As Noam noted, it is possible to "artificially" consume the data using
Request.BinaryRead, e.g. something like:

  Dim data
  data = Request.BinaryRead(Request.TotalBytes) 

And by this, restore order.

So a possible solution is to insert the above code in every ASP page.

However, there is a serious downside to this method: if a page accesses
Request.BinaryRead, it cannot access the Form collection (see the documentation 
of 
BinaryRead in 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/c84b1f88-1a8a-
4370-95de-e907f7fdd5e7.asp).

Here's an improved solution. Note that the Content-Type of the request
must be anything other than application/x-www-form-urlencoded for the attack to 
work (I
understand now that this is due to the fact that in 
application/x-www-form-urlencoded, the 
IIS ASP.dll consumes the request body in fullness). So if a script wants to 
secure itself, 
it should check whether the Content-Type (accessible via 
ServerVariables("HTTP_CONTENT_TYPE") is application/x-www-form-urlencoded.
If it is, then the script can proceed as usual, and access the data through the 
Request.Form collection. If the Content-Type is not
"application/x-www-form-urlencoded", then the script 
should consume the data (as in the above example), and log the event
(since this is probably an attack). Ideally, the script would terminate the TCP
connection, but I don't know whether a script can terminate the TCP connection 
in a
reliable manner. 
Perhaps sending a "Connection: Close" header can do the trick (or a 400
status code?). 

So the proposed solution would be something like (pardon me for any ASP syntax 
error):

If (Request.ServerVariables("HTTP_CONTENT_TYPE") <> _
"application/x-www-form-urlencoded") Then
        ' Log a security error condition
        ' Consume leftover data
        Dim data
        data = Request.BinaryRead(Request.TotalBytes) 
        ' Exit gracefully - do not proceed to normal flow
EndIf
' Work as usual, can access Request.Form

Still, it requires every ASP page to embed this kind of code. I think this
makes the solution infeasible. And frankly I still call this a bug (be it by 
design or
not) - an ASP page should not worry about its content-type or consuming the 
request body.

Thanks again to Noam!
-Amit
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon), Amit Klein (AKsecurity) <=
Previous by Date:  Platinum Secure smartcard security bypass, acidemon
Next by Date:  [Full-disclosure] Call to Arms: Rita Scams, Gadi Evron
Previous by Thread:  Platinum Secure smartcard security bypass, acidemon
Next by Thread:  [Full-disclosure] Call to Arms: Rita Scams, Gadi Evron
Indexes:  [Date] [Thread] [Top] [All Lists]