exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Jetty 9.2.8 Shared Buffer Leakage

Jetty 9.2.8 Shared Buffer Leakage
Posted Feb 27, 2015
Authored by Stephen Komal, Gotham Digital Science

Gotham Digital Science discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests and responses submitted to the server by other users. Jetty versions 9.2.3 through 9.2.8 are affected. Proof of concept code included.

tags | exploit, remote, web, arbitrary, proof of concept, info disclosure
advisories | CVE-2015-2080
SHA-256 | 17f918c6ed7be55415f6475ca5befcbf2d795848bb2960612e998e54f15479d5

Jetty 9.2.8 Shared Buffer Leakage

Change Mirror Download
GDS LABS ALERT: CVE-2015-2080
JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server

SYNOPSIS
========
Gotham Digital Science discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests and responses submitted to the server by other users.

The vulnerability was made public by the Jetty development team on the 24th of February 2015 and included proof-of-concept exploit code. As a result, GDS Labs recommends upgrading Jetty web server to a version patched against this vulnerability as soon as possible.


IMPACT
======
Using a vulnerable version of the Jetty web server can lead to the compromise of sensitive data including data passed within headers (e.g. cookies, authentication tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.) of requests and responses handled by the web server.

The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks from a previous exchange depending on the attacker’s payload offset.


ARE YOU VULNERABLE?
===================
This vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases (including the beta releases of 9.3.x) are vulnerable.

GDS have created a simple python script that can be used to determine if a Jetty HTTP server is vulnerable. The script code can be downloaded from the GDS Github repository below:

- https://github.com/GDSSecurity/Jetleak-Testing-Script

If running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately. Organizations should also be aware that Jetty might be bundled within third party products. GDS recommends referring to the Jetty Powered website (http://eclipse.org/jetty/powered/) for a non-exhaustive list of products that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available.

We have encountered cases where development teams use Jetty as a light-weight replacement for app servers such as Tomcat for internal testing. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.

The latest release of the Jetty HTTP server is available for download at the following locations:

- Maven - http://central.maven.org/
- Jetty Downloads - http://download.eclipse.org/jetty


REFERENCES
==========
A thorough technical analysis of the vulnerability is available on the GDS blog at:

http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

Jetty Vulnerability Announcement:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

Jetty Vulnerability Advisory:

https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md


DISCLOSURE TIMELINE
===================
Feb 19, 2015 - Vulnerability report sent to security@eclipse.org using SendSafely

Feb 23, 2015 - Jetty team downloads the vulnerability report

Feb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code

Feb 25, 2015 - GDS publicly discloses vulnerability


GDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. GDS’ blog post and vulnerability disclosure was published after it was discovered that Jetty had publicly disclosed the vulnerability.


CREDITS
=======
Stephen Komal from Gotham Digital Science for discovering the bug.


About GDS Labs
==============

Security Research & Development is a core focus and competitive advantage for GDS. The GDS Labs team has the following primary directives:

- Assessing cutting-edge technology stacks

- Improving delivery efficiency through custom tool development

- Finding & responsibly disclosing vulnerabilities in high value targets

- Assessing the impact to our clients of high risk, publicly disclosed vulnerabilities

The GDS Labs R&D team performs security research, with areas of current focus including mobile application security, embedded systems, and cryptography. GDS also participates in many security related organizations and groups. GDS Labs is a value added service that our clients benefit from on virtually every engagement that we perform.


About Gotham Digital Science
=======================

Gotham Digital Science (GDS) is a specialist security consulting company focused on helping our clients find, fix, and prevent security bugs in mission critical network infrastructure, web-based software applications, mobile apps and embedded systems. GDS is also committed to contributing to the security and developer communities through sharing knowledge and resources such as blog posts, security tool releases, vulnerability disclosures, sponsoring and presenting at various industry conferences.

For more information on GDS, please contact info@gdssecurity.com or visit http://www.gdssecurity.com.


-----------------------------------
jetleak_tester.py proof of concept:

import httplib, urllib, ssl, string, sys, getopt
from urlparse import urlparse

'''

Author: Gotham Digital Science

Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether
their Jetty web server versions are vulnerable to JetLeak. Currently, this script does
not handle sites with invalid SSL certs. This will be fixed in a future iteration.

'''

if len(sys.argv) < 3:
print("Usage: jetleak.py [url] [port]")
sys.exit(1)

url = urlparse(sys.argv[1])
if url.scheme == '' and url.netloc == '':
print("Error: Invalid URL Entered.")
sys.exit(1)

port = sys.argv[2]

conn = None

if url.scheme == "https":
conn = httplib.HTTPSConnection(url.netloc + ":" + port)
elif url.scheme == "http":
conn = httplib.HTTPConnection(url.netloc + ":" + port)
else:
print("Error: Only 'http' or 'https' URL Schemes Supported")
sys.exit(1)

x = "\x00"
headers = {"Referer": x}
conn.request("POST", "/", "", headers)
r1 = conn.getresponse()

if (r1.status == 400 and ("Illegal character 0x0 in state" in r1.reason)):
print("\r\nThis version of Jetty is VULNERABLE to JetLeak!")
else:
print("\r\nThis version of Jetty is NOT vulnerable to JetLeak.")
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close