CYBSEC - Security Advisory: httprint Multiple Vulnerabilities

[Mariano Nuñez Di Croce <mnunez () cybsec com>]

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_httprint_Multiple_Vulnerabilities.pdf)


CYBSEC S.A.
www.cybsec.com

Advisory Name: httprint Multiple Vulnerabilities
==========

Vulnerability Class: Denial of Service, Arbitrary Script Injection.
=============

Release Date: 12/22/2005
=========

Affected Applications: 
==============
* httprint v202

Affected Platforms:
============
* Platform-Independent: Tested on Windows 2000 and Debian Linux

Local / Remote: Remote
==========

Severity: Medium
=====

Author:  Mariano Nuñez Di Croce
=====

Vendor Status: Confirmed, new version released.
=========

Reference to Vulnerability Disclosure Policy:
=============================
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
============

httprint is a web server fingerprinting tool. It relies on web server
characteristics to accurately identify web servers, despite the fact
that they may have been obfuscated by changing the server banner
strings, or by plug-ins such as mod_security or servermask.

Vulnerabilities Description:
==================

1. Arbitrary Script Injection

A vulnerability exists in the way httprint processes responses received
from the host being scanned.
If the target host has modified the "Server" field of the HTTP Response
headers, including DHTML code in it, it will be executed when the HTML
output file is displayed by the browser.
It's important to emphasize that this code will be executed under "My
Computer" Security Zone when viewed with IE.

Proof of Concept (using mod_security):

SecServerSignature "Microsoft-IIS/5.0<script>alert('test')</script>"

2. Denial of Service

If the server being fingerprinted is configured to reply with a "Server"
field consisting of a string between 1030 and 1800 characters, httprint
fails to process the response properly, leading to an Access Violation
condition, and ends abruptly.

This condition can be effectively used to develop a Denial of Service
attack against the tool, preventing it from displaying the
fingerprinting results.

Proof of Concept (using mod_security):

SecServerSignature "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."x1500

Solutions:
======

Vendor has released httprint v301, which fixes both vulnerabilities.

Vendor Response:
============

    07/26/2005 - Vendor Notified about Script Injection vulnerability.
    07/27/2005 - Vendor Confirmed Vulnerability.
    09/01/2005 - Vendor Notified about DoS vulnerability.
    09/27/2005 - Vendor Confirmed Vulnerability.
    12/22/2005 - Vendor Releases New Version.
    12/22/2005 - Vulnerability Public Disclosure.

Contact Information:
==============

For more information regarding the vulnerability feel free to contact
the author at mnunez {at} cybsec.com.

For more information regarding CYBSEC: www.cybsec.com

(c) 2005 - CYBSEC S.A. Security Systems
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/