TUCoPS :: Web :: Apache :: b06-2086.htm

Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1


Folks,

During some specific tests with our upcoming Web App Security Scanner tool, 
we have found that Apache would kindly accept HTML injection through 
"Expect" header. Originally meant to be a protocol flow control that would 
give web client the capacity of sending the HTTP headers for server's 
pre-analysis before submitting the rest of the payload (body), Expect header 
is not usually used by common user's client-side software (for more details 
see section 8.2.6 from RFC 2616 - http://www.ietf.org/rfc/rfc2616.txt). 

During a brief discussion with the gentle guys at security apache org, we 
had concluded that vulnerability cannot be trivially exploited and its 
exploitation focus would be client-side software. It was common sense that 
this flaw should be corrected in lastest Apache versions 
(1.3.35/2.0.58/2.2.2) -- which was done, however, it should not be 
categorized as a security vulnerability.

The software flaw, not being exploitable on common web browser scenario, can 
be used by malicious software distributors by appending malformed expect 
headers in outgoing HTTP requests (via common toolbars and web components). 
The idea would be to render arbitrary HTML code in an obscure way -- without 
leaving traces, after all, victims would still see connection going to a 
legitimate web server's IP address.

Some exploitation can be also considered if an attacker is able to control 
variables that affect HTTP Header of outgoing requests (i.e: an URI variable 
that would be used by an asynchronous object to connect back -- attacker 
could use \t tab encoding vulnerability to insert arbitrary headers in the 
XmlHttpRequest/MSXML request -- see Amit Klein's document at 
http://seclists.org/lists/webappsec/2005/Jul-Sep/0614.html), however, it is 
also a rare situation.

The affected source code was (extracted from line 1286 of http_protocol.c of 
v1.3.34):

      if (((expect = ap_table_get(r->headers_in, "Expect")) != NULL) &&
        (expect[0] != '\0')) {

    [...] (expect is rendered in the client's browser without further 
filtering)

        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
                          "client sent an unrecognized expectation value of 
"
                          "Expect: %s", expect);
            ap_send_error_response(r, 0);

We have prepared a small proof-of-concept test software that is using 
Microsoft's ActiveX control WebBrowser to inject malicious Expect Headers. 
When vulnerable, Apache will display a html message to be rendered back in 
user's browser. The idea is to simulate the malicious component that would 
still display correct URL address (right-click under site's properties), 
however, rendering a different web page:
Download at http://www.nstalker.com/defense/ApacheExpectPOC.zip 

Again, this is a simple and harmless example. For those who are still using 
old versions of Apache, I recommend upgrading to the latest versions -- it 
does not have a direct impact against your web server, however, you will be 
protecting client-side against obscure exploitation. See 
http://httpd.apache.org for more details. 

I would like to thank Mark Cox and William Rowe for their immediate response 
and support over this matter. Thanks also goes to OWASP Brazil Chapter's 
list for their comments, Markswell Coelho (obscure tests), Carlos Gomes and 
Sekure SDI labs.

ps: for those whishing to beta test our latest websec tool, please, send an 
e-mail to beta nstalker com to get more details.

Kindest Regards,

Thiago Zaninotti,Security+,CISSP-ISSAP,CISM
CTO - N-Stalker/ZMT

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH