lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43AABECB.4080006@cybsec.com>
Date: Thu, 22 Dec 2005 14:57:15 +0000
From: Mariano Nuñez Di Croce <mnunez@...sec.com>
To: bugtraq@...urityfocus.com
Subject: CYBSEC - Security Advisory: httprint Multiple Vulnerabilities


(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_httprint_Multiple_Vulnerabilities.pdf)


CYBSEC S.A.
www.cybsec.com

Advisory Name: httprint Multiple Vulnerabilities
==========

Vulnerability Class: Denial of Service, Arbitrary Script Injection.
=============

Release Date: 12/22/2005
=========

Affected Applications: 
==============
* httprint v202

Affected Platforms:
============
* Platform-Independent: Tested on Windows 2000 and Debian Linux

Local / Remote: Remote
==========

Severity: Medium
=====

Author:  Mariano Nuñez Di Croce
=====

Vendor Status: Confirmed, new version released.
=========

Reference to Vulnerability Disclosure Policy:
=============================
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
============

httprint is a web server fingerprinting tool. It relies on web server
characteristics to accurately identify web servers, despite the fact
that they may have been obfuscated by changing the server banner
strings, or by plug-ins such as mod_security or servermask.

Vulnerabilities Description:
==================

1. Arbitrary Script Injection

A vulnerability exists in the way httprint processes responses received
from the host being scanned.
If the target host has modified the "Server" field of the HTTP Response
headers, including DHTML code in it, it will be executed when the HTML
output file is displayed by the browser.
It's important to emphasize that this code will be executed under "My
Computer" Security Zone when viewed with IE.

Proof of Concept (using mod_security):

SecServerSignature "Microsoft-IIS/5.0<script>alert('test')</script>"

2. Denial of Service

If the server being fingerprinted is configured to reply with a "Server"
field consisting of a string between 1030 and 1800 characters, httprint
fails to process the response properly, leading to an Access Violation
condition, and ends abruptly.

This condition can be effectively used to develop a Denial of Service
attack against the tool, preventing it from displaying the
fingerprinting results.

Proof of Concept (using mod_security):

SecServerSignature "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."x1500

Solutions:
======

Vendor has released httprint v301, which fixes both vulnerabilities.

Vendor Response:
============

    07/26/2005 - Vendor Notified about Script Injection vulnerability.
    07/27/2005 - Vendor Confirmed Vulnerability.
    09/01/2005 - Vendor Notified about DoS vulnerability.
    09/27/2005 - Vendor Confirmed Vulnerability.
    12/22/2005 - Vendor Releases New Version.
    12/22/2005 - Vulnerability Public Disclosure.

Contact Information:
==============

For more information regarding the vulnerability feel free to contact
the author at mnunez {at} cybsec.com.

For more information regarding CYBSEC: www.cybsec.com

(c) 2005 - CYBSEC S.A. Security Systems


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ