Vulnerability analysis: how “HTTPoxy” lets attackers redirect a web application’s outbound HTTP requests

This is a guest post written by Alex Bod, Information Security Researcher and the founder of the Gods Hackers Team.

Details of a set of vulnerabilities collectively called HTTPoxy were published on July 18, 2016. By exploiting them, an attacker can set the HTTP_PROXY environment variable of a CGI application, which lets them redirect the application's outgoing HTTP requests through a server they control.

The vulnerability was identified in partnership with the developer Dominic Scheirlinck, who described on his blog how his colleagues discovered it while analysing a support ticket.

How it works

Scheirlinck explains the HTTPoxy mechanism in detail. A typical attack using this set of vulnerabilities proceeds as follows:

  • The attacker sends a specially crafted HTTP request that contains a Proxy header;
  • The web server, following the CGI specification (RFC 3875), copies every request header into an HTTP_-prefixed environment variable, so the Proxy header becomes HTTP_PROXY;
  • The CGI application makes an outbound request with an HTTP client that reads HTTP_PROXY for its proxy settings;
  • The client sends that request through the attacker's server instead of directly to its destination, so the attacker can read its contents (including any secrets in the URL, headers or body) and tamper with the response.
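The two steps that make this work, the header-to-environment mapping and the client's proxy lookup, can be reproduced offline. The following is an added example written for this article, not code from Scheirlinck's write-up or the HTTPoxy project; the request headers and the attacker host are constructed, and naive_proxy_for and hardened_proxy_for are my own models of how a vulnerable and a patched client library choose a proxy. stdlib_proxy_for runs Python's real urllib lookup on the same environment for comparison.

```python
import os
import urllib.request
from unittest import mock

# Request headers an attacker would send. Constructed sample values;
# the attacker host is hypothetical.
MALICIOUS_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.49.1",
    "Proxy": "http://attacker.example:8080",  # the HTTPoxy payload
}


def cgi_environ_from_headers(headers, request_method="GET"):
    """Build the CGI meta-variables a web server derives from request headers
    (RFC 3875, section 4.1.18): upper-case the name, turn '-' into '_' and add
    the HTTP_ prefix. This is the step that turns a 'Proxy' header into HTTP_PROXY."""
    environ = {"REQUEST_METHOD": request_method}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def naive_proxy_for(environ, scheme="http"):
    """Proxy selection as a vulnerable client library does it: any variable named
    <scheme>_proxy, in any letter case, is trusted regardless of how it got there."""
    for name, value in environ.items():
        if name.lower() == scheme + "_proxy" and value:
            return value
    return None


def hardened_proxy_for(environ, scheme="http"):
    """The fix the affected libraries adopted: when the process is answering a CGI
    request (REQUEST_METHOD is present) ignore the upper-case HTTP_PROXY, the only
    spelling a CGI gateway can produce. A lower-case http_proxy set by the
    operator is still honoured."""
    if "REQUEST_METHOD" in environ:
        environ = {k: v for k, v in environ.items() if k != "HTTP_PROXY"}
    return naive_proxy_for(environ, scheme)


def stdlib_proxy_for(environ, scheme="http"):
    """What Python's own urllib does with the same environment:
    getproxies_environment() carries the CVE-2016-1000110 fix since 2.7.13 / 3.5.3."""
    with mock.patch.dict(os.environ, environ, clear=True):
        return urllib.request.getproxies_environment().get(scheme)


def demo():
    """Run the attacker's headers through the gateway and the three proxy lookups."""
    env = cgi_environ_from_headers(MALICIOUS_HEADERS)
    return {
        "HTTP_PROXY": env.get("HTTP_PROXY"),
        "naive": naive_proxy_for(env),
        "hardened": hardened_proxy_for(env),
        "stdlib": stdlib_proxy_for(env),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running it shows the naive lookup sending traffic to the attacker while both the hardened model and current urllib return no proxy. The distinction between HTTP_PROXY and http_proxy is the important detail: a CGI gateway can never produce a lower-case name, so ignoring only the upper-case form under CGI closes the hole without breaking operators who configure a real proxy.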

For instance, vulnerable application code in several popular languages could look like this. Each snippet runs under CGI and makes an outbound request with a client that takes its proxy settings from HTTP_PROXY:

PHP:

<?php
require 'vendor/autoload.php';  // Guzzle installed via Composer

// Guzzle reads HTTP_PROXY from the environment, which under CGI
// holds the value of the incoming "Proxy:" header.
$client = new GuzzleHttp\Client();
$client->get('http://api.internal/?secret=foo');

Python:

import requests
from wsgiref.handlers import CGIHandler

def application(environ, start_response):
    # requests honours HTTP_PROXY from os.environ; under CGI that is
    # the client-supplied "Proxy:" header.
    requests.get("http://api.internal/?secret=foo")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"done"]

CGIHandler().run(application)

Go:

package main

import (
	"net/http"
	"net/http/cgi"
)

func main() {
	cgi.Serve(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The default transport uses ProxyFromEnvironment, which reads
		// HTTP_PROXY; under CGI that is the client-supplied "Proxy:" header.
		res, _ := http.Get("http://api.internal/?secret=foo")
		// […]
		_ = res
	}))
}

A proof of concept is available in the HTTPoxy repository on GitHub.

An interesting point is that the underlying bug exploited by HTTPoxy was first found fifteen years earlier. The site dedicated to HTTPoxy carries a detailed history of the vulnerability.

According to that history, in March 2001 the incorrect handling of the HTTP_PROXY variable was found and fixed in libwww-perl. In April of the same year the problem was found in curl (also fixed, though not for Windows). In 2012 the Ruby project added HTTP_PROXY support to Net::HTTP and, aware of the conflict, sidestepped the vulnerability by ignoring the variable when running under CGI.

In November 2013 the issue came up on the NGINX mailing list, where Jonathan Matthews described the mistake, although he was not entirely sure he was right. In February 2015 it was mentioned again on the Apache httpd-dev mailing list. In July 2016 Scott Geary encountered the bug in a real-world system, which led to this disclosure.

Which systems are vulnerable

Any application that runs under CGI, or a CGI-like gateway such as FastCGI that exposes request headers as HTTP_* environment variables, and makes outbound HTTP requests with a client library that honours HTTP_PROXY is exposed, so the vulnerability turns up across many modern languages and libraries. At the time of disclosure the affected combinations included PHP (CVE-2016-5385; clients such as Guzzle read HTTP_PROXY via getenv), Go's net/http used under net/http/cgi (CVE-2016-5386) and Python's requests and urllib under CGI (CVE-2016-1000110); Apache httpd (CVE-2016-5387) also received an identifier for passing the header through to CGI scripts unchanged.

How to detect the vulnerability in your software

Red Hat has published a small script that determines whether a particular system is vulnerable to HTTPoxy.

The server administrator installs the following CGI script and makes it executable:

test.cgi:

#!/bin/sh
# Echo back the HTTP_PROXY CGI variable. A non-empty value means the web
# server passed the client's "Proxy:" header into the CGI environment.
echo "Content-Type: text/plain"
echo ""
echo "HTTP_PROXY='$HTTP_PROXY'"

Then call the script with a Proxy header:

curl -H 'Proxy: AFFECTED' http://my-server-name/cgi-bin/test.cgi

If the output is the following, the server is not affected by the vulnerability:

HTTP_PROXY=''

If it looks like this instead, the system is vulnerable:

HTTP_PROXY='AFFECTED'

Note that the script only tests whether the web server forwards the header into the CGI environment. A patched client library may additionally ignore HTTP_PROXY when it runs under CGI, but removing the header at the server is the fix that covers every application behind it, so a positive result here should be treated as a finding regardless of which libraries the applications use.

How to protect yourself

Some IT companies and software vendors have already taken measures to protect their users from HTTPoxy, among them Akamai, CloudFlare and Red Hat.

Not all have, however; we will not list them here.

Visitors to web applications can do nothing about this on their side, but the developers and operators of the software have everything they need to protect it.

Developers need to block the Proxy header on incoming requests, which can be done very quickly and should not break application functionality: the header is non-standard and is not sent by any legitimate client. Server-side HTTP clients should additionally be patched or configured to ignore HTTP_PROXY while the process is handling a CGI request (that is, while REQUEST_METHOD is set); the lower-case http_proxy spelling is safe to keep, because a CGI gateway never produces lower-case variable names.

For instance, anyone running Apache with mod_headers can drop the Proxy header from an .htaccess file:

<IfModule mod_headers.c>
RequestHeader unset Proxy
</IfModule>

In the main server configuration, the form recommended in the Apache advisory is RequestHeader unset Proxy early, which removes the header at the earliest stage of request processing, before modules such as mod_cgi see it. For nginx in front of FastCGI, the equivalent is to set the HTTP_PROXY FastCGI parameter to an empty string (fastcgi_param HTTP_PROXY "";) so that no client-supplied value reaches the application.
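Where the application is deployed behind a gateway whose configuration you do not control, the same protection can be applied inside the application itself. The following is an added example for this article, not code from the HTTPoxy project or from any of the vendors named above: a WSGI middleware, strip_httpoxy, that removes the CGI-derived HTTP_PROXY variable before the wrapped application runs. reporting_app, run_wsgi and simulate_attack are constructed test scaffolding, and the attacker host is hypothetical.

```python
import os


def strip_httpoxy(app):
    """WSGI middleware: remove the HTTP_PROXY meta-variable that a CGI gateway
    derives from a client-supplied 'Proxy' header, before the wrapped app runs.
    Cleaning the WSGI environ alone is not enough: under CGI the process
    environment is what client libraries (requests, urllib, ...) consult, so
    os.environ is cleaned as well. Lower-case http_proxy is left alone; a CGI
    gateway never produces lower-case names, so that spelling can only come
    from the operator's own configuration."""
    def wrapped(environ, start_response):
        environ.pop("HTTP_PROXY", None)
        os.environ.pop("HTTP_PROXY", None)
        return app(environ, start_response)
    return wrapped


def reporting_app(environ, start_response):
    """Stand-in for a real application: reports the proxy setting visible in
    both places, which is what an outbound HTTP client inside it would use."""
    body = "wsgi:{} os:{}".format(environ.get("HTTP_PROXY", ""),
                                  os.environ.get("HTTP_PROXY", ""))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def run_wsgi(app, environ):
    """Minimal synchronous WSGI caller returning (status, body) for an environ."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def simulate_attack(app):
    """Replay the HTTPoxy condition: a CGI gateway has already turned
    'Proxy: http://attacker.example:8080' into HTTP_PROXY in both the process
    environment and the WSGI environ. Constructed values; the host is hypothetical."""
    payload = "http://attacker.example:8080"
    os.environ["HTTP_PROXY"] = payload
    environ = {"REQUEST_METHOD": "GET", "HTTP_HOST": "www.example.com",
               "HTTP_PROXY": payload}
    try:
        return run_wsgi(app, environ)
    finally:
        os.environ.pop("HTTP_PROXY", None)


if __name__ == "__main__":
    print("unprotected:", simulate_attack(reporting_app))
    print("protected:  ", simulate_attack(strip_httpoxy(reporting_app)))
```

In a real deployment the wrapping happens where the application is handed to the gateway, for example CGIHandler().run(strip_httpoxy(application)) for the Python snippet shown earlier. This is a defence for the application's own outbound requests only; the Apache or nginx configuration above is still the right fix for everything else served by the same host.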


© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

