[Owasp-brazil] Fw: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection

Zaninotti, Thiago thiago at zaninotti.net
Thu Apr 20 16:42:31 EDT 2006


(Un)fortunately it is not possible to do that directly. Unless it were an
asynchronous object for remote scripting (e.g. AJAX). Via XmlHttpRequest or
MSXMLx it is possible to call the SetHeaderRequest method -- even so, it
would not be possible to make a cross-domain request (the big advantage of
XSS).

See what I sent them (Mark's first reply comes after my e-mail):

Dear Mark,

First of all, I am sorry for the delay -- I was out of town and my mailbox
has been flooded :)

Well, the vulnerability is certainly very hard to exploit as you have
mentioned below -- I agree -- I don't think it can be exploited on normal
browsing environment. Actually, I believe it can be exploited in obscure
ways (by adware vendors, etc). Here are some scenarios where it may be
exploited:

1) Through the use of Malware/Adware/Freeware plugins, extensions or other
browser Entertainment Bars

A malware/adware/freeware plugin installed on the client side may append a
malformed "Expect" header that could be used to inject a malicious script
when the target's URL is rendered in the victim's browser. In this way
malicious activities may be obscured as there is no visible impact on the
user's navigation.

2) Through the use of Poisoned Proxy

An incorrect request may be cached under the URL http://mydomain/ (a malicious
user may request the same URL beforehand with the Expect header appended). Some
proxy software may be tricked into caching specific error pages (such as
status code 417) and the injected HTML could be rendered in the victim's browser.

3) Through exploitation of possible cross-domain violation vulnerabilities
in Web Browsers (theoretical)

How would you exploit a certain vulnerability that requires a malicious
header to be injected in the outgoing request? One of the answers would be
to use asynchronous objects for remote scripting such as those used for the
well-known Ajax concept (XmlHttpRequest and MSXMLx objects). If a browser is
vulnerable to cross-domain violation and would render the response of an
asynchronous object into a browser's window under a specific domain context,
you would be able to exploit that HTML injection "capability" on Apache
servers (one example of cross-domain violation is the ShowModalWindow
vulnerability in Internet Explorer).

Once again, these kinds of attacks are not trivial and require a very
specific environment to be successful. Anyway, it is certainly much safer
to provide filtering for every entry that will be rendered on the
client's side than to keep an open alternative for obscure exploitation.

Let me know what you think -- although I work on/build a commercial web
application security scanner, my objective is not commercial and I am
willing to change any details in the announcement or even suppress it if
necessary (in case Apache doesn't think it may be considered a security
problem).

Thanks for your attention!

Kindest Regards,
Thiago Zaninotti

----- Original Message ----- 
From: "Mark J Cox" <mark at awe.com>
To: "Zaninotti, Thiago" <thiago at nstalker.com>
Cc: <security at httpd.apache.org>
Sent: Tuesday, April 11, 2006 4:59 AM
Subject: Re: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection


> Dear Thiago Zaninotti:
>
> Thank you for reporting this issue to us responsibly.
>
>> A malicious user should append "Expect:" header field to the HTTP
>> request.
>
> In order for this issue to be exploited you need to get a victim to
> connect to a target site and send a carefully crafted Expect: header.  I
> can't think of a way that an attacker could do this.
>
> We've had a similar flaw in the past based on the mod_imap module
> displaying the referrer header unescaped.  In that case it was possible
> using a cunning series of redirects for the attacker to influence the
> referrer header, and hence lead to cross-site scripting attack on the
> target site so this was classed as a security issue.
>
> Do you know some way that the attacker can influence the victim's Expect:
> header?
>
> Cheers, Mark
> --
> Mark J Cox | www.awe.com/mark



Thiago Zaninotti,Security+,CISSP-ISSAP,CISM
Information Security Professional
----- Original Message ----- 
From: "Augusto Paes de Barros" <augusto at paesdebarros.com.br>
To: <owasp-brazil at lists.sourceforge.net>
Sent: Thursday, April 20, 2006 5:30 PM
Subject: Re: [Owasp-brazil] Fw: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection


Can't this header be set with Javascript?

Regards,

Augusto.

On 4/20/06, Zaninotti, Thiago <thiago at zaninotti.net> wrote:
> Folks,
>
> During my research with the new web application scanner tool developed by
> my company (N-Stalker), I came across a problem that affects all current
> Apache code (including 1.3/2.0/2.2). I contacted the Apache security list
> and we debated the issue quite "heatedly", and it was decided that the bug
> would not be classified as a security problem.
>
> The fact is that the problem can be exploited in specific situations and I
> would like to bring it first-hand to the OWASP-BR chapter so we can discuss
> it a bit.
>
> Apache's response ended as follows:
> http://svn.apache.org/viewcvs?rev=394965&view=rev
>
>
> Regards,
> Thiago Zaninotti
>
>
> ----- Original Message -----
> From: "Zaninotti, Thiago" <thiago at nstalker.com>
> To: <security at apache.org>
> Sent: Monday, April 10, 2006 5:27 PM
> Subject: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection
>
>
> > Dear Apache Security Staff,
> >
> > First of all, I would like to congratulate the efforts of Apache
> > Foundation to keep the product on such a stable and secure condition.
> >
> > We have found a low/medium vulnerability in the Apache HTTP Server, more
> > specifically in the default Error pages. The condition may be triggered
> > when a malformed Expect header field is appended to the user's request.
> > The Error Page is the 417 Expectation Failed (http_protocol.c line 1286).
> >
> > Before submitting it for public disclosure, it is reasonable to provide
> > advanced details to Apache Foundation in order to fix the problem.
> >
> > Please, let us know what would be the best date to release the advisory
> > and if you would like to make any statement/adjustments with the
> > information below.
> >
> > Once again, thanks for your attention and the excellent work given to the
> > community.
> >
> > Kindest Regards,
> > Thiago Zaninotti
> >
> > ================== ADVISORY FOLLOWS BELOW ==================================
> >
> >
> >     N-STALKER WEB SECURITY INTELLIGENCE ADVISORY #2006-01
> >      contact(at)nstalker com - http://www.nstalker.com
> >
> > -[ Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection ]-
> >
> > ============================================================================
> >
> > 1. SUMMARY
> >
> >  Apache Server suffers from HTML injection when processing a request with a
> >  malformed Expect header.
> >
> >  Vulnerability Level: Medium
> >  Affected Version(s): Apache HTTP Server 1.3.34/2.0.55/2.2.0
> >  (other versions and vendors may be affected)
> >
> > 2. DETAILS
> >
> >  According to RFC 2616, the Expect field is used to indicate that a particular
> >  server behavior is expected and required by the client. The idea is usually to
> >  submit the request HEADER data first for server analysis and receive a
> >  100-continue (Status Code 100) as an agreement to continue sending the BODY
> >  data. Extracted from section 8.2.6:
> >
> >  "The purpose of the 100 (Continue) status (see section 10.1.1) is to allow a
> >   client that is sending a request message with a request body to determine if
> >   the origin server is willing to accept the request (based on the request
> >   headers) before the client sends the request body."
> >
> >  Should the server fail to process it, a 417 Expectation Failed must be sent to
> >  the client.
> >
> >  Apache HTTP Server is shipped with default error messages to provide detailed
> >  information about incorrect requests. Due to an error while processing an
> >  Expectation Failed response, the content of the Expect header (provided by the
> >  client) is arbitrarily appended to the server's error message without further
> >  checks.
> >
> >  Extracted from line 1286 of http_protocol.c (v1.3.34):
> >
> >      if (((expect = ap_table_get(r->headers_in, "Expect")) != NULL) &&
> >          (expect[0] != '\0')) {
> >
> >    [...] (expect is rendered in the client's browser without further
> >    filtering)
> >
> >          ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
> >                        "client sent an unrecognized expectation value of "
> >                        "Expect: %s", expect);
> >          ap_send_error_response(r, 0);
> >
> > 3. IMPACT
> >
> >  The vulnerability may be exploited in distinct situations. A malicious user
> >  should append an "Expect:" header field to the HTTP request. Under regular
> >  conditions, exploitation should be considered harder than usual, especially
> >  because DOM asynchronous request elements (such as XmlHttpRequest) and ActiveX
> >  request objects are restricted to issuing requests against the window's own
> >  target.
> >
> >  When exploited, it may facilitate stealing of the user's credentials and
> >  provide the ability to impersonate forged requests under the victim's session
> >  credentials.
> >
> > 4. PROOF OF CONCEPT
> >
> >  Vulnerability is fairly easy to be reproduced:
> >
> >  [CLIENT REQUEST]
> >  GET / HTTP/1.0
> >  Host: nstalker.com
> >  Expect: <script>alert('nstalker');</script>
> >
> >  [/CLIENT REQUEST]
> >
> >  A 417 Expectation Failed should be displayed and the code will be rendered at
> >  the user side.
> >
> > 5. VENDOR STATUS
> >
> >  + April 10, 2006 - Vulnerability is disclosed to Apache Foundation
> >
> > 6. ABOUT N-STALKER
> >
> >  This advisory has been produced by Thiago Zaninotti and N-Stalker Web Security
> >  Intelligence Labs (aka Sekure SDI labs). Information provided here is for
> >  educational purposes only.
> >
> >  The security flaw was found during evaluation tests of our next generation Web
> >  Application Security Scanner. If you want to find out more about it, please
> >  contact us at beta(at)nstalker(dot)com.
> >
> >  Founded in 2000 and based in Sao Paulo, Brazil, N-Stalker is a leader in Web
> >  Security Tools and produces the well-known Free HTTP Security Scanner -
> >  N-Stealth. For more information about the company, contact us at
> >  http://www.nstalker.com.
> >
> > Kindest Regards,
> >
> > Thiago Zaninotti,Security+,CISSP-ISSAP,CISM
> > CTO - N-Stalker/ZMT
>
>
>
>


--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br/indexpb.html
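The header-echo flaw the advisory describes, as an added example in C that is not Apache's code and not from anyone in this thread: a minimal 417 page renderer with the verbatim copy (the behaviour reported above) beside the HTML-escaped form, plus the RFC 2616 check that "100-continue" is the only expectation the server understands. The page wording is paraphrased from Apache's default error page, and the buffer size is a constructed limit for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define PAGE_MAX 1024 /* constructed limit for this demo */

/* HTML-escape src into dst (capacity n); returns 0, or -1 on truncation. */
static int html_escape(const char *src, char *dst, size_t n)
{
    size_t used = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = *src == '<' ? "&lt;" : *src == '>' ? "&gt;" :
                          *src == '&' ? "&amp;" : *src == '"' ? "&quot;" :
                          *src == '\'' ? "&#39;" : one;
        size_t len = strlen(rep);
        if (used + len >= n)
            return -1;
        memcpy(dst + used, rep, len);
        used += len;
    }
    dst[used] = '\0';
    return 0;
}

/* RFC 2616 section 14.20: "100-continue" is the only expectation a server
 * must understand; anything else is answered with 417 Expectation Failed. */
int expect_is_supported(const char *expect)
{
    return expect != NULL && strcasecmp(expect, "100-continue") == 0;
}

/* Render the 417 page body (wording paraphrased from Apache's default page).
 * escape == 0 reproduces the behaviour the advisory describes (header value
 * copied verbatim); escape == 1 is the hardened form. Returns a pointer to a
 * static buffer, or NULL if the value does not fit. */
const char *render_417(const char *expect, int escape)
{
    static char page[PAGE_MAX];
    char safe[PAGE_MAX];
    const char *value = expect;
    if (escape) {
        if (html_escape(expect, safe, sizeof safe) != 0)
            return NULL;
        value = safe;
    }
    int n = snprintf(page, sizeof page,
        "<h1>Expectation Failed</h1><p>The client sent<pre>\n    Expect: %s\n"
        "</pre>but we only support the 100-continue expectation.</p>\n", value);
    return (n < 0 || (size_t)n >= sizeof page) ? NULL : page;
}
```

With the advisory's proof-of-concept value, the unescaped renderer emits the script tag intact while the escaped one emits only entity-encoded text.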

