Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header
Manipulation Vulnerabilities
Release Date: 2010-07-02
Application: Cisco Content Services Switch (CSS) / ACE Products
Versions: Cisco CSS 11500 - 08.20.1.01
Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)
//Lets try downloading the index page again:
$ wget http://$GoogleHost/ -O /dev/null -T 5
- --2009-08-16 21:15:58-- http://74.125.65.106/
Connecting to 74.125.65.106:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed
out) in headers.
Retrying.
- --2009-08-16 21:16:04-- (try: 2) http://74.125.65.106/
Connecting to 74.125.65.106:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed
such attacks.
I Introduction
====================================================
MIME or content type sniffing[1] is standard functionality in browsers for finding
an appropriate way to render data where the HTTP headers sent by the server are
either inconclusive or missing. Internet Explorer in particular is known to use
this technique even in cases where the server sends a specific Content-Type
header[2].
Internet Explorer resorts to MIME sniffing when either the
Content-Type header and
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without)
* basic authentication. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allows
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allows the script to follow all
* redirections sent by the server). It can return the content (or the
To be clear, the CONNECT request is a single request/response cycle between the client and the proxy. Any request body is nonsensical and should be ignored by the proxy (or the request can be rejected if the proxy wants to be pedantic). There is nothing that explicitly disallows inclusion of the host header in a CONNECT request. Granted, including the host header incurs some degree of ambiguity (the FQDN may resolve to the IP address, but the IP address is not guaranteed to resolve to the FQDN), but this is clearly a debatable choice on the developer's part as to whether it should be used to determine traffic policy applicability for this request.
The proxy should only ignore further data between the client and remote if the proxy successfully established a TCP connection between them on the specified destination port.
IOW, if the client sends a CONNECT request that the proxy policy allows, the proxy should either queue or reject further communication from the client until the TCP connection has been successfully established and the proxy has responded to the client with "HTTP 200".
If the connection attempt fails, the proxy should provide an HTTP error response to the client and close the client-to-proxy connection.
Likewise, while the proxy does establish the end-to-end TCP connection between the client and upstream server, it is not responsible for any part of the encryption that may be involved in that communication - unless it specifically offers a "trusted MitM" feature such as TMG HTTPS Inspection or Juniper SSL Forward Proxy (other vendors have similar features).
Also, whether the McAfee proxy allows translating normal HTTP methods to CONNECT, then tunneling them to the upstream proxy is irrelevant to the question of whether the local proxy actually uses the host header or the host portion of the CONNECT request to determine policy applicability.
current implementation. Microsoft decided to filter "Type 1 XSS", which is
free text sent to the server and reflected back to the user, thereby
injecting HTML code into the website's page. They chose not to handle
certain situations such as injection into a JavaScript tag space, which
would be extremely difficult to filter. The software giant also chose not
to filter injection into HTTP headers, which will drive hackers to focus on
discovering CRLF vulnerabilities.
A quote of Microsoft's Anti-XSS filter design philosophy:
<<<
"Like all security mitigation and protection technologies, the XSS Filter's
Attack:
=======
Make the evil Router Advertisement fragmented and put the ICMPv6 into
the second fragment, eg. by putting a very large Destination extension
header before the ICMPv6 part.
So the packets look like:
Fragment 1:
IPv6 Header
#include <netinet/ip.h>
/* BSD */
#define _BSD
/* Header sizes */
#define IP_HDR_SIZE 20
#define GRE_HDR_SIZE 4
#define GRE_KEY_SIZE 4
#define NHRP_HDR_SIZE 62
Risk factor: N/A
The reason why we didn't consider this vulnerability a security risk is because the attacker needs to force the victim's browser to submit a malformed HTTP method.
Header injection has been demonstrated to be possible using Flash [1] [2], but might be dependent on vulnerable Flash plugins.
A relevant example published in the past is exploiting the Apache 'Expect' XSS [3] (CVE-2006-3918) using flash [4].
However, in this case we need to spoof the HTTP METHOD to a specially-crafted value.
Summary:
A) Prelude to the vulnerabilities
B) Cross Site Scripting
C) HTTP Response Header Injection
D) HTTP Response Splitting
A) Prelude to the vulnerabilities
What follows is the code used to validate the user input:
TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004
CVE no -
CVE-2012-1456
39. If the length field in the header of a file containing the EICAR test virus
included in a TAR archive is set to be greater than the archive's total
length (1,000,000 + original length in our experiments), the antivirus
declares the file to be clean, but the virus gets extracted correctly by the
GNU tar program.
What I understand from the advisory is the Squid proxy is basing its
filtering on the Host header when present, even for the CONNECT
command which doesn't allow this header at all as it makes no sense. I
haven't confirmed the bug but what's being described is definitely a
vulnerability.
There's also a small misconception in what you said. The proxy will
see the entire CONNECT request, headers and all - after the request
headers there'll be a pair of newlines, and only *then* the remaining
data is tunneled transparently. So it's the second request's headers
When a user logs into FWS, the user's IP address is stored in the
database. This is done to prevent replay of (stolen) session cookies. If
FWS is called with a session cookie from a different IP address, the
user will not be logged into FWS. The IP address is obtained using
GetUserIP(). This function first checks whether the HTTP request
contains the X-Forwarded-For or Client-IP HTTP headers. These headers
are normally set by proxy servers to expose the user's real IP
address to the webservers. If these headers are found, FWS uses the
value of the header as the user's IP address. If these headers are
not set, FWS uses the IP address of the connecting party.
RFC 3173 IP Payload Compression, henceforth ipcomp, is a protocol intended to
provide compression of IP datagrams, and is commonly used alongside IPsec
(although there is no requirement to do so).
An ipcomp datagram consists of an IP header with ip->ip_p set to 108, followed
by a 32-bit ipcomp header, described in C syntax below.
struct ipcomp {
uint8_t comp_nxt; // Next Header
uint8_t comp_flags; // Reserved
netVigilance Security Advisory #68
SimpNews version 2.41.03 Multiple Path Disclosure Vulnerabilities
Description:
SimpNews is a news system written in PHP. Features: Data stored in MySQL, admin interface, support for multiple languages, support for multiple instances in one database, own header, multiple layout settings, support for BBCode and smilies, you can assign an icon graphic to every news entry, you can attach a file to news entries, entries can be put in categories, users can subscribe to get news sent by email, search entries, users can post comments on news entries, event calendar, newsticker, option to let users propose news entries.
External References:
Mitre CVE: CVE-2007-4872
NVD NIST: CVE-2007-4872
OSVDB: ID requested but no answer received
- ----------------------
Over the last several years, VSR analysts have observed unusual behavior
in multiple WebLogic deployments when certain special characters were
URL encoded and appended to URLs. In late April 2010, VSR began
researching this more in depth and found that the issue could allow for
HTTP header injection and HTTP request smuggling attacks.
Product Background
- ------------------
WebLogic application server is commonly deployed in a three-tier
response and '300 Multiple Choices' message body.
This could lead to XSS if the name of the file is controlled by an
attacker (i.e. by previously uploading it).
Moreover, as the list of the filenames is also sent, without being
sanitized, in the response header, it could result in an HTTP Response
Splitting [1] issue if the name of the file contains '\n' (Line Feed).
[ Analysis ]
Besides many other applications the CFNetwork framework is used by
Safari and Mail.
Description:
A remotely exploitable vulnerability has been found in the HTTP header
parsing code. Each HTTP header received from a web server is first
capitalized. I.e. the first character of the header name is upper-cased
while all remaining characters are lower-cased. Inside the CFNetwork
framework the _CFCapitalizeHeader() function is used for this purpose.
ffffe40c g DF .text 00000008 LINUX_2.5 __kernel_rt_sigreturn
ffffe400 g DF .text 00000009 LINUX_2.5 __kernel_sigreturn
pi3-darkstar new # readelf -h ./test_dump.bin
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
netVigilance Security Advisory #64
SimpGB version 1.46.02 Multiple Path Disclosure Vulnerabilities
Description:
SimpGB is a guestbook with data stored in MySQL, administration interface and support for multiple languages. Features: Data stored in MySQL, Administration interface, Support for multiple languages, Support for multiple instances in one database, Support for multiple layouts, Own header/footer can be defined, Support of BBCode and smilies, Admin can decide which BBCode tags to enable, Avatars (with option to let users upload their own), Admin can decide which input fields to display and which of them are required, Admins can write comments on posts, Admins can mark entry as "always on top", Admins can attach file to entry, flood protection, IP banlist, bad word list, send email notification upon new posts, optionally validate new posts before they get visible by public, own leadtext for entry form and own "Thank you" message can be defined, Option to mark posts as private (only admins can see them), search entries, Option to let users send emails out of guestbook.
External References:
Mitre CVE: ID requested but no answer received
NVD NIST: ID requested but no answer received
OSVDB: ID requested but no answer received
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: MyBB <= 1.4.11
Severity: An email injection vulnerability in MyBB allows injecting
e.g. BCC mail headers into password reset emails. This
allows an attacker to take over accounts via the password
reset functionality.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released which fixes this vulnerability
Reference:
- -----/
According to the .MBM format [3], the structure of an MBM is the
following (beginning with a Header Section):
/-----
Offset Size Data Description
0000 ID 37 00 00 10 UID1: Header Section layout
It is possible to obtain the username and password from the "Proxy-Authorization" header, which is not correctly removed when WMP sends the authorization header.
Requirements:
- IWSVA/IWSS basic authorization on
- Client is using WMP (8-11) as video player
- Standalone proxy (if upstream proxy is used, "Proxy-Authorization" header is removed by this upstream proxy)
Bug:
strongly needed.
>>> By the way, I don't think it is a good idea to disallow any Extension
>>> Headers in ND-Messages,
>>
>> Consensus at the relevant IETF working-group (6man) seems to be to only
>> ban the Fragment Header (when SEND is not employed).
>
> not allowing ANY extension headers for NDP and RA is the way to go. But
@dan: nice paper.
ScreenOS has several DOS issues in their IPv6 implementation btw
>> By the way, I don't think it is a good idea to disallow any Extension
>> Headers in ND-Messages,
>
> Consensus at the relevant IETF working-group (6man) seems to be to only
> ban the Fragment Header (when SEND is not employed).
not allowing ANY extension headers for NDP and RA is the way to go. But
remote code execution. However further investigation into the
vulnerability revealed that it can only be triggered if the admin
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition to that, remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.
Furthermore most modern unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which will detect the possible buffer
overflow and abort execution before something bad can happen.
}
return( $ip );
}
So, an attacker can spoof his IP: he just has to create
an HTTP packet, add a special header, and send it. The
HTTP packet will look like this:
GET /index.php HTTP/1.1\r\n
Host: localhost\r\n
X-Forwarded-For: 127.0.0.1\r\n
+++ lib/webrick/httprequest.rb (working copy)
@@ -267,9 +267,5 @@ module WEBrick
end
end
- begin
- @header = HTTPUtils::parse_header(@raw_header.join)
- rescue => ex
- raise HTTPStatus::BadRequest, ex.message
- end
+ @header = HTTPUtils::parse_header(@raw_header.join)
end
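Review bot: dropping the begin/rescue around HTTPUtils::parse_header means any exception it raises other than HTTPStatus::BadRequest now propagates unconverted; confirm that parse_header itself raises HTTPStatus::BadRequest on malformed header lines, otherwise a malformed request would surface as a server error instead of a 400 response, and note that the old rescue also hid the original exception class behind ex.message.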
Permalink:
http://www.mindedsecurity.com/MSA01240108.html
[ Summary ]
Internet Explorer 7 allows setting the header "Transfer-Encoding:
chunked" in setRequestHeader, exposing the browser to HTTP Request
Splitting/Smuggling attacks.
[ Analysis ]
=======================
Affects most web application platforms, including Java, .NET, PHP, Cold
Fusion.
This attack involves the use of header injection, particularly the
Content-Disposition header, to subvert HTTP responses from trusted
domains. Attackers can use this technique to inject a malicious file
download with an arbitrary filename (.html, .exe, .swf, .mov, .msi,
.vbs, etc...) and arbitrary file content. Since the attack subverts an
existing HTTP request, both the URL and the downloaded file use a