[NEWS] httprint DoS and Arbitrary Script Injection Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



httprint DoS and Arbitrary Script Injection Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://net-square.com/httprint/> httprint is "a web server
fingerprinting tool. It relies on web server characteristics to accurately
identify web servers, despite the fact that they may have been obfuscated
by changing the server banner strings, or by plug-ins such as mod_security
or servermask".

httprint does not properly handle maliciously crafted HTTP server banner
returned by servers it scans, this allows an attacker to cause the program
to crash and/or inject arbitrary scripts into its report.

DETAILS

Vulnerable Systems:
* httprint version 0.202 and prior

Immune Systems:
* httprint version 0.301

Arbitrary Script Injection:
A vulnerability exists in the way httprint processes responses received
from the host being scanned.

If the target host has modified the "Server" field of the HTTP Response
headers, including DHTML code in it, it will be executed when the HTML
output file is displayed by the browser.

It's important to emphasize that this code will be executed under "My
Computer" Security Zone when viewed with IE.

Proof of Concept (using mod_security):
SecServerSignature "Microsoft-IIS/5.0<script>alert('test')</script>"

Denial of Service:
If the server being fingerprinted is configured to reply with a "Server"
field consisting of a string between 1030 and 1800 characters, httprint
fails to process the response properly, leading to an Access Violation
condition, and ends abruptly. This condition can be effectively used to
develop a Denial of Service attack against the tool, preventing it from
displaying the fingerprinting results.

Proof of Concept (using mod_security):
SecServerSignature "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."x1500

For the exploitation to succeed, httprint must be used to analyze a web
server specially configured to exploit the vulnerability.

Vendor Response:
Vendor has released httprint version 0.301, which fixes both
vulnerabilities.

Disclosure Timeline:
* 26.07.05 - Vendor Notified about Script Injection vulnerability
* 27.07.05 - Vendor Confirmed Vulnerability
* 01.09.05 - Vendor Notified about DoS vulnerability
* 27.09.05 - Vendor Confirmed Vulnerability
* 22.12.05 - Vendor Releases New Version
* 22.12.05 - Vulnerability Public Disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:mnunez@xxxxxxxxxx> Mariano
Nunez Di Croce.
The original article can be found at:
<http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_httprint_Multiple_Vulnerabilities.pdf> http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_httprint_Multiple_Vulnerabilities.pdf



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages