Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1999/01/07 18:39:21 UTC

HTTP REQUEST_METHOD flaw (fwd)

We should really disallow requests with bogus characters in the request
method.

Dean

---------- Forwarded message ----------
Approved-By: aleph1@UNDERGROUND.ORG
Date: Wed, 6 Jan 1999 13:16:07 -0000
From: mnemonix <mn...@GLOBALNET.CO.UK>
Subject: HTTP REQUEST_METHOD flaw
X-cc:         ntsecurity@iss.net, ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG

There is a "feature" inherent in some web servers, such as Apache 1.3.x or
MS IIS, that carries mild security implications that could allow web server
attacks to go unnoticed.

The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
such as a CGI script, is requested. Essentially _any_ (except for HEAD,
TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
the HTTP protocol. Consider the following requests, which all return the
requested resource.

 GET /cgi-bin/environ.cgi HTTP/0.9

 Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0

Even control characters are allowed. Consider the following:

 ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1

An attacker could issue this request in an attempt to hide their movements.
When this request is logged in the access log and viewed using cat or more
the above will appear with the IP address removed.

 # cat /var/log/httpd/access_log

 or

 # more /var/log/httpd/access_log

reveals

10.20.20.1 - - [05/Jan/1999:18:00:00 GMT] "GET / HTTP/1.0" 200 1098
/cgi-bin/environ.cgi HTTP/1.1" 200 2034
10.20.20.2 -- [05/Jan/1999:18:01:00 GMT] "GET /index.html HTTP/0.9" 200 1098

Using a method similar to this it is possible for an attacker to make it
appear as if the attack came from another IP address or completely remove
the whole entry by placing certain control characters in the QUERY_STRING,
too. This "hiding" works because the control characters are interpreted when
piped to STDOUT and the ^H being the backspace removes, from the screen at
least, the IP address and date and time stamp. You could use the vi editor
to view the "real" contents of the access log.

This was tested on Apache 1.3.3 on RedHat 5.2 and Apache 1.2.7 on RedHat
5.0. Also affected is Microsoft's Internet Information Server 2, 3 and 4, but
in the NT environment this is less of a problem because the log files are
generally viewed in Notepad and not using the "type" command, which
incidentally will interpret the control characters.

As I said, it's only a mild problem most likely, really, to affect those that
don't use a text editor to browse log files.

Cheers,
David Litchfield


Re: HTTP REQUEST_METHOD flaw (fwd)

Posted by Dean Gaudet <dg...@arctic.org>.
Of course then this "attack" can be performed in the URL itself... so
what's the point.

Dean

On Thu, 7 Jan 1999, Dean Gaudet wrote:

> We should really disallow requests with bogus characters in the request
> method.


Re: HTTP REQUEST_METHOD flaw (fwd)

Posted by Marc Slemko <ma...@worldgate.com>.
On Thu, 7 Jan 1999, Dean Gaudet wrote:

> We should really disallow requests with bogus characters in the request
> method.

I don't know that it is really worthwhile.

As I pointed out in a reply to bugtraq yesterday (that wasn't
approved yet...) you can do the same thing with the URL a lot of
the time, the protocol, etc.  Trying to define what a "bogus" character
is in any of that could be a bit harder.  My reply also said that the
ability to use methods wasn't a "feature" but a feature, and pointed
out the more common thing that people do improperly to break it, i.e.
"Limit GET ...".

I guess you can simply encode certain characters, convention be 
damned.  But I go for "don't do that" even more.  It does put a 
hamper in tail -fing logs, but that is always the case.  If you try
to fix this, then someone will say "oh, but if someone tail -f's the
error log then someone else can write a CGI that spits bad things to 
your terminal", etc.
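
The two sides of the thread, as an added example that is not part of the original messages: Litchfield's observation that backspaces in a logged request line overwrite the IP and timestamp on a terminal, and Marc's suggestion to encode certain characters instead of rejecting them. The log lines below are constructed for the demonstration; `terminal_view` is a simplified model of how a terminal handles backspace, and `escape_control` is a hypothetical writer-side or viewer-side escape, not Apache's own code.

```python
import re

# Constructed sample access_log (not from the original post). The second entry
# carries one backspace (0x08) per character of its own prefix inside the
# request method, which is the trick Litchfield describes.
PREFIX = '10.20.20.1 - - [05/Jan/1999:18:00:30 GMT] "'
SAMPLE_LOG = (
    '10.20.20.1 - - [05/Jan/1999:18:00:00 GMT] "GET / HTTP/1.0" 200 1098\n'
    + PREFIX + '\x08' * len(PREFIX) + '/cgi-bin/environ.cgi HTTP/1.1" 200 2034\n'
    + '10.20.20.2 - - [05/Jan/1999:18:01:00 GMT] "GET /index.html HTTP/0.9" 200 1098\n'
)

# C0 control characters plus DEL: none of these belong in a logged request line.
CONTROL = re.compile(r'[\x00-\x1f\x7f]')


def escape_control(line):
    """Rewrite each control character as \\xHH so a terminal prints it literally.
    A log writer can apply this before the line is stored (Marc's "encode certain
    characters"); a viewer can apply it after the fact."""
    return CONTROL.sub(lambda m: '\\x%02x' % ord(m.group()), line)


def terminal_view(line):
    """Approximate what `cat` shows: backspace moves the cursor one column left
    without erasing, and the next printable character overwrites that cell.
    Other control characters are simply dropped in this model."""
    cells, cursor = [], 0
    for ch in line:
        if ch == '\x08':
            cursor = max(0, cursor - 1)
        elif CONTROL.match(ch):
            continue
        else:
            if cursor < len(cells):
                cells[cursor] = ch
            else:
                cells.append(ch)
            cursor += 1
    return ''.join(cells)


def flag_entries(log_text):
    """Return (line_number, escaped_line) for every entry with a control character."""
    return [(n, escape_control(line))
            for n, line in enumerate(log_text.splitlines(), 1)
            if CONTROL.search(line)]


if __name__ == '__main__':
    for line in SAMPLE_LOG.splitlines():
        print('cat shows :', terminal_view(line))
        print('really is :', escape_control(line))
    print('flagged   :', flag_entries(SAMPLE_LOG))
```

Run against a real access_log, `flag_entries` reports exactly the entries that `cat` or `more` would misrender, with the IP and timestamp intact in the escaped copy.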