<<< Date Index >>>     <<< Thread Index >>>

Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1



Folks,

During some specific tests with our upcoming Web App Security Scanner tool, we have found that Apache would kindly accept HTML injection through "Expect" header. Originally meant to be a protocol flow control that would give web client the capacity of sending the HTTP headers for server's pre-analysis before submitting the rest of the payload (body), Expect header is not usually used by common user's client-side software (for more details see section 8.2.6 from RFC 2616 - http://www.ietf.org/rfc/rfc2616.txt).

During a brief discussion with the gentle guys at security apache org, we had concluded that vulnerability cannot be trivially exploited and its exploitation focus would be client-side software. It was common sense that this flaw should be corrected in lastest Apache versions (1.3.35/2.0.58/2.2.2) -- which was done, however, it should not be categorized as a security vulnerability.

The software flaw, not being exploitable on common web browser scenario, can be used by malicious software distributors by appending malformed expect headers in outgoing HTTP requests (via common toolbars and web components). The idea would be to render arbitrary HTML code in an obscure way -- without leaving traces, after all, victims would still see connection going to a legitimate web server's IP address.

Some exploitation can be also considered if an attacker is able to control variables that affect HTTP Header of outgoing requests (i.e: an URI variable that would be used by an asynchronous object to connect back -- attacker could use \t tab encoding vulnerability to insert arbitrary headers in the XmlHttpRequest/MSXML request -- see Amit Klein's document at http://seclists.org/lists/webappsec/2005/Jul-Sep/0614.html), however, it is also a rare situation.

The affected source code was (extracted from line 1286 of http_protocol.c of v1.3.34):

     if (((expect = ap_table_get(r->headers_in, "Expect")) != NULL) &&
       (expect[0] != '\0')) {

[...] (expect is rendered in the client's browser without further filtering)

       ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
"client sent an unrecognized expectation value of "
                         "Expect: %s", expect);
           ap_send_error_response(r, 0);

We have prepared a small proof-of-concept test software that is using Microsoft's ActiveX control WebBrowser to inject malicious Expect Headers. When vulnerable, Apache will display a html message to be rendered back in user's browser. The idea is to simulate the malicious component that would still display correct URL address (right-click under site's properties), however, rendering a different web page:
Download at http://www.nstalker.com/defense/ApacheExpectPOC.zip

Again, this is a simple and harmless example. For those who are still using old versions of Apache, I recommend upgrading to the latest versions -- it does not have a direct impact against your web server, however, you will be protecting client-side against obscure exploitation. See http://httpd.apache.org for more details.

I would like to thank Mark Cox and William Rowe for their immediate response and support over this matter. Thanks also goes to OWASP Brazil Chapter's list for their comments, Markswell Coelho (obscure tests), Carlos Gomes and Sekure SDI labs.

ps: for those whishing to beta test our latest websec tool, please, send an e-mail to beta nstalker com to get more details.

Kindest Regards,

Thiago Zaninotti,Security+,CISSP-ISSAP,CISM
CTO - N-Stalker/ZMT