lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <y2s4a9eee2a1005061428gbc2e50feo3ab3be37c40b93bf@mail.gmail.com>
Date: Thu, 6 May 2010 23:28:43 +0200
From: Alexis Tremblay <tralexhan@...il.com>
To: bugtraq@...urityfocus.com
Subject: Vulnerability with Cisco ACE. A2 3.0 (probably all version)

Vulnerability with Cisco ACE. A2 3.0 (probably all version)

====================
Abstract :
Cisco Application Control Engine (ACE) are hardware loadbalancer
available as appliance
(Model 4710) or catalyst 6000 blade.


====================
Vulnerability :
When used as a Server Load Balancer and/or SSL offloader it's possible
to do requests
to the backend without leaving any ip address in the http server logs.
it's possible
then to do any L7 http attacks anonymousely.

A Bug request has been opened at cisco TAC, it has been classified
"work as designed"


====================
Configuration description :

[Client]------[ACE]----[Backend A]
                |
                +------[Backend B]

When Cisco ACE is used as SLB or SSL offloader, since the ACE in most
configuration
act as a L7 Proxy, the IP of the real client is added in the Http
client request.
The backend then could log the client real IP.

When Cisco ACE has any http parsing error it stop tagging client request with ip
address but the tcp session continue, all other request in this tcp session are
not ip tagged.

Since the ACE does not respect the ambigous RFC 2616 implied *LWS
rules (chap 2.1) it's
easy to do an "Parse Error" which is honoured by the backend honor.

RFC extracts:

 The version of an HTTP message is indicated by an HTTP-Version field
   in the first line of the message.

       HTTP-Version   = "HTTP" "/" 1*DIGIT "." 1*DIGIT

   HTTP/1.1 header field values can be folded onto multiple lines if the
   continuation line begins with a space or horizontal tab. All linear
   white space, including folding, has the same semantics as SP. A
   recipient MAY replace any linear white space with a single SP before
   interpreting the field value or forwarding the message downstream.

   implied *LWS
      The grammar described by this specification is word-based. Except
      where noted otherwise, linear white space (LWS) can be included
      between any two adjacent words (token or quoted-string), and
      between adjacent words and separators, without changing the
      interpretation of a field. At least one delimiter (LWS and/or


====================
Ace Configuration :

In a one arm deployement this action add the http header
x-forwarded-for with client ip
in all clients requests.

host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
host1/Admin(config-actlist-mod)# header insert request x-forwarded-for
header-value %is



====================
Attack demonstration:

This tricks is available on all Apache http servers.
In the Same TCP Session ..

GET / HTTP / 1 . 1
HOST: Myserver.com
CONNECTION: KEEP-ALIVE

GET / HTTP/1.1
HOST: Myserver.com
CONNECTION: KEEP-ALIVE

All two request will not be flagged with the http header "X-Forwarded-for"
The first one because ace did a parse error on "HTTP / 1 . 1", the second one
because since the first parse error, the ace a stop tagging ip header.

Http server log could not tell the ip of the client

Cisco Ace could be detected easily if the trace method is activated on
the backend



====================
Links:

http://www.cisco.com/en/US/products/ps6906/index.html
http://www.ietf.org/rfc/rfc2616.txt
http://en.wikipedia.org/wiki/X-Forwarded-For
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1131842

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ