
The HTTPoxy vulnerability can redirect web applications' outgoing HTTP requests





On July 18, details were published of a set of vulnerabilities collectively called HTTPoxy. By exploiting it, an attacker can set the HTTP_PROXY environment variable of a web application, which lets them redirect the application's outgoing HTTP requests to a server they control.



The vulnerability was disclosed with the participation of Dominic Scheirlinck, a developer at Vend, who described on his Medium blog how his colleagues discovered it while investigating a ticket that had come in to the support team.


How it works



Scheirlinck explains in detail how HTTPoxy works. A typical attack using this set of vulnerabilities looks like this:



  1. The attacker crafts an HTTP request that contains a Proxy header;
  2. The CGI gateway receives the request and, following the usual rule of turning every request header into an HTTP_-prefixed meta-variable, stores the header's value in the HTTP_PROXY environment variable;
  3. The CGI application makes an outgoing request with its own HTTP client, which reads HTTP_PROXY as its proxy setting;
  4. That request is sent through the attacker's server instead of directly to its destination.


For example, vulnerable code in several popular languages might look like this:



PHP:



<?php
require 'vendor/autoload.php';
$client = new GuzzleHttp\Client();   // default proxy setting is taken from HTTP_PROXY
$client->get('http://api.internal/?secret=foo');


Python:



import requests
from wsgiref.handlers import CGIHandler

def application(environ, start_response):
    # requests picks up its proxy from HTTP_PROXY; under CGI that value came from the Proxy header
    requests.get("http://api.internal/?secret=foo")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

CGIHandler().run(application)


Go:



package main

import (
	"net/http"
	"net/http/cgi"
)

func main() {
	cgi.Serve(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// http.Get uses the default transport, whose proxy is read from the
		// environment (HTTP_PROXY); under CGI that value came from the Proxy header.
		res, _ := http.Get("http://api.internal/?secret=foo")
		// [...]
		_ = res
	}))
}


More detailed PoCs can be found in the HTTPoxy repository on GitHub.



An interesting point is that the underlying bug exploited by the HTTPoxy attack was first discovered fifteen years earlier. The HTTPoxy site gives a detailed history of the vulnerability.



According to it, in March 2001 the incorrect handling of the Proxy request header (which ends up in HTTP_PROXY) was found and fixed in libwww-perl. In April of the same year the problem was found in curl and fixed there too (although not on Windows). In 2012 the Ruby project team implemented HTTP_PROXY support for Net::HTTP and avoided the bug, so their library was not vulnerable.



In November 2013 it was mentioned on the NGINX mailing list: user Jonathan Matthews described the bug, although he was not entirely sure he was right. In February 2015 the vulnerability was mentioned again on the Apache httpd-dev mailing list. And in July 2016 Vend employee Scott Geary found the bug in a production system.



What systems are vulnerable



As the Vend security team found, the vulnerability is present in many modern languages and libraries.





How to detect a vulnerability in your software



Red Hat engineers have published a small script that determines whether a given system is vulnerable to HTTPoxy.



To use it, the server administrator installs the following CGI script and makes it executable:



test.cgi:

#!/bin/sh
echo "Content-Type:text/plain"
echo ""
echo "HTTP_PROXY='$HTTP_PROXY'"


After that, call the CGI script with a Proxy header:



 curl -H 'Proxy: AFFECTED' http://my-server-name/cgi-bin/test.cgi 


If the output looks like this (the variable is empty), the server is not vulnerable:



HTTP_PROXY=''


If instead the header value shows up in the output, as below, the system is vulnerable:



 HTTP_PROXY='AFFECTED' 


How to protect



End users of web applications can do nothing to protect themselves here, but the developers and operators of the software have everything they need to fix it.



To do so, they need to block the Proxy request header, which can be done very quickly. It should not break any application functionality, since this header is non-standard and is not normally used.



For example, this is how the Proxy header can be stripped in Apache using an .htaccess file (requires mod_headers):



<IfModule mod_headers.c>
    RequestHeader unset Proxy
</IfModule>
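The four steps of the attack, the logic of the test.cgi check, and both fixes (stripping the header at the gateway, and the client ignoring HTTP_PROXY when it runs under CGI) worked through as one added example. This is not code from the article, from Vend, Red Hat or the HTTPoxy project: the gateway, the client's proxy selection and the probe are simplified models written for this page, and the hostnames attacker.example, app.example and the request headers are constructed. The client-side guard is modelled on the check that patched versions of CPython's urllib apply, namely ignoring upper-case HTTP_PROXY when REQUEST_METHOD is set.

```python
from urllib.parse import urlsplit

# --- 1. What a CGI gateway does (RFC 3875 meta-variables) -------------------
# Every request header "Foo-Bar: v" becomes the environment variable
# HTTP_FOO_BAR=v. An attacker-supplied "Proxy: ..." header therefore lands in
# HTTP_PROXY, the variable HTTP clients read for their proxy setting.
def cgi_meta_variables(method, headers):
    """Build the environment a naive gateway hands to the CGI script.
    `headers` is a list of (name, value) tuples parsed from the request."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# --- 2. What an unguarded HTTP client does with that environment ------------
def naive_proxy_for(env, url):
    """Proxy selection as in clients affected by httpoxy: the variable named
    <SCHEME>_PROXY (upper or lower case) is trusted unconditionally."""
    scheme = urlsplit(url).scheme.lower()
    for key in (scheme.upper() + "_PROXY", scheme + "_proxy"):
        if env.get(key):
            return env[key]
    return None


# --- 3. The two fixes --------------------------------------------------------
def strip_proxy_header(headers):
    """Gateway-side fix (what `RequestHeader unset Proxy` does in Apache):
    drop the non-standard Proxy header before meta-variables are built."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def guarded_proxy_for(env, url):
    """Client-side fix: under CGI (REQUEST_METHOD is set) an upper-case
    HTTP_PROXY can only have come from a request header, so ignore it.
    Lower-case http_proxy cannot be produced by a header (the gateway always
    upper-cases) and is still honoured."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http" and "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return naive_proxy_for(env, url)


# --- 4. Detection: the same thing Red Hat's test.cgi prints ------------------
def probe(env):
    """Return the value test.cgi would print for HTTP_PROXY ('' if unset)."""
    return env.get("HTTP_PROXY", "")


# Constructed sample request (hostnames and headers made up for this example).
ATTACKER_PROXY = "http://attacker.example:8080"
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", ATTACKER_PROXY),
    ("Https-Proxy", ATTACKER_PROXY),  # attempt to hijack HTTPS_PROXY as well
]
TARGET = "http://api.internal/?secret=foo"


def demo():
    vuln_env = cgi_meta_variables("GET", SAMPLE_HEADERS)
    safe_env = cgi_meta_variables("GET", strip_proxy_header(SAMPLE_HEADERS))
    return {
        # the collision: Proxy -> HTTP_PROXY, and the naive client follows it
        "naive_proxied_via": naive_proxy_for(vuln_env, TARGET),
        # HTTPS_PROXY cannot be injected: Https-Proxy becomes HTTP_HTTPS_PROXY
        "https_proxied_via": naive_proxy_for(vuln_env, "https://api.internal/"),
        # detection: what test.cgi would print in each case
        "probe_vulnerable": probe(vuln_env),
        "probe_fixed": probe(safe_env),
        # either fix on its own defeats the attack
        "gateway_fix": naive_proxy_for(safe_env, TARGET),
        "client_fix": guarded_proxy_for(vuln_env, TARGET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things the model makes visible that the prose does not: only plain-http requests are hijackable, because the "Https-Proxy" header becomes HTTP_HTTPS_PROXY rather than HTTPS_PROXY; and the gateway-side and client-side fixes are independent, so stripping the header at the web server protects clients that have not been patched, while a patched client survives a gateway that still forwards the header.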


Many IT companies and software vendors, including Akamai and CloudFlare, have already announced measures to protect their users from the HTTPoxy vulnerability, and Red Hat has released fixes.



Positive Technologies experts have developed a signature for the Suricata IDS that detects the use of the "Proxy" header in HTTP requests, making it possible to block the attack before it has any effect. The signature and an example of it in action can be found at twitter.com/AttackDetection/status/756142402268639232.

Source: https://habr.com/ru/post/306176/


