WebApp Sec mailing list archives

Re: Is this exploitable?..


From: Stephen de Vries <stephen () twisteddelight org>
Date: Fri, 17 Dec 2004 10:28:40 +0000


Hi Ben

Yes, it is exploitable; one attack vector is called Cross Site Tracing, documented here: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

It should be noted that this is not a vulnerability in the J2EE implementation of TRACE; it is a problem with the TRACE method itself. See the HTTP 1.1 RFC for more info: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.8

Regards,
Stephen



On Dec 15, 2004, at 10:42 PM, Benjamin Livshits wrote:

I was looking at the following code in J2EE 1.4.1 HttpServlet.java and it
looks like it may be possible to exploit it:

    // Excerpt from J2EE 1.4.1 HttpServlet.java; imports added so the
    // dependencies of the method are visible.
    import java.io.IOException;
    import java.util.Enumeration;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException
    {
        int responseLength;

        String CRLF = "\r\n";
        // Start with the request line as the client sent it.
        String responseString = "TRACE " + req.getRequestURI() +
            " " + req.getProtocol();

        // Servlet 2.4 API: raw Enumeration of header names.
        Enumeration reqHeaderEnum = req.getHeaderNames();

        // Echo every request header, name and value, back into the body.
        while (reqHeaderEnum.hasMoreElements()) {
            String headerName = (String) reqHeaderEnum.nextElement();
            responseString += CRLF + headerName + ": " +
                req.getHeader(headerName);
        }

        responseString += CRLF;

        responseLength = responseString.length();

        resp.setContentType("message/http");
        resp.setContentLength(responseLength);
        ServletOutputStream out = resp.getOutputStream();
        out.print(responseString);
        out.close();
        return;
    }

It looks like responseString, obtained from req, is forgeable, and this may
conceivably lead to a vulnerability down the line, it seems, when
responseString is output with a call to out.print(responseString).

Please advise.

-Ben
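The usual remedy for the behaviour discussed in this thread is to stop the application from answering TRACE at all, so that request headers such as Cookie or Authorization are never copied into a response body. The following servlet base class is an added example written for this archive page; it is not code from either poster or from the J2EE sources, and the class name NoTraceServlet is an assumption. Application servlets would extend it instead of HttpServlet.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of J2EE): a servlet base
 * class that replaces the inherited doTrace() with a refusal, so the
 * request line and headers are never echoed back to the caller.
 */
public abstract class NoTraceServlet extends HttpServlet {

    // Methods this base class is willing to advertise. TRACE is left out.
    private static final String ALLOWED = "GET, HEAD, POST, OPTIONS";

    // Refuse TRACE with 405 Method Not Allowed, which RFC 2616 requires to
    // carry an Allow header listing the methods the resource does support.
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setHeader("Allow", ALLOWED);
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                       "TRACE is not supported");
    }

    // The inherited doOptions() always lists TRACE in its Allow header,
    // so override it as well to keep the advertised methods consistent.
    protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setHeader("Allow", ALLOWED);
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

Overriding the servlet only helps for requests that reach the servlet; a container may answer TRACE itself before dispatching, so the container's own configuration should be checked as well (Tomcat, for instance, governs this with the allowTrace attribute on the Connector). A quick confirmation after deploying is to send a TRACE request to a protected URL and verify that the response is a 405 rather than a message/http body that repeats the request headers.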



