CVE-2 0 1 5-2 0 8 0 analysis-vulnerability warning-the black bar safety net

2015-03-01T00:00:00
ID MYHACK58:62201559517
Type myhack58
Reporter 佚名
Modified 2015-03-01T00:00:00

Description

jetty is a very widely used java container, in the development of javaweb application when using jetty as an embedded container, debugging is very convenient. Many big Internet companies are using it to replace the tomcat, as far as I know, Ali inside the use of the jetty is also better than the tomcat.

2 0 1 5 year 2 Month 2 5 Number of times gdssecurity published a jetty of a buffer of data leakage vulnerabilities, and exploits way

http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

This vulnerability could lead an attacker to gain simultaneous access to the jetty the other user in the http request sensitive data.

The clouds above already had a translation of the article(http://drops.wooyun.org/papers/4972), I learn a bit, and summarized the principles as follows:

1, the jetty in processing the http request when the http request contents are stored in a particular buffer inside. Every time a new request will overwrite this buffer. jetty uses nio, so the main stored in the bytebuffer.

2, After receiving the http request, jetty-by-character parsing and analyzing the http header, http content information. Wherein if it is determined to the http header contains non-ascii characters, it will throw a IllegalCharacter exception

3, the exception will be in the http return inside to print some user-friendly debug information, this will require the jetty to continue to parse the buffer inside the value. In the buffer contents into the debug information, since there is no well-thought-out, the buffer which contains the last the normal user requested content. If this request than the previous request, you will jointly on a request of the contents to print out.

I drew a figure, the Read should be very easy to understand this vulnerability.

! the blue part is we construct the illegal data, the exception is thrown, the original should only return the blue portion of the data. But the jetty continued to read, will read to the green portion of 1 6 bytes, and then back to the“...”is omitted, and then read the last 1 to 6 bytes.

Thus, as long as the structure of a specific length of the blue portion, it can be the yellow part of all the data read is returned.

Fix:

The official has released a fix code. https://github.com/eclipse/jetty.project/commit/4df5647f6dfdc5fa7abb812afe9290d60b17c098

We can see that the Fix is also very simple.

for (int i = buffer. position(); i < buffer. limit(); i++) { appendContentChar(buf,buffer. get(i)); if (i == buffer. position() + 1 6 && buffer. limit() > buffer. position() + 3 2) { buf. append("..."); i = buffer. limit() - 1 6; } } buf. append(">>>\""); // ignore content beyond limit() return buf. toString();

ignore content beyond limit()

So there is no echo back of the data, everything to restore calm.