Jetty HttpParser Error Remote Memory Disclosure

2015-02-27T00:00:00
ID JETTY_CVE-2015-2080.NASL
Type nessus
Reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-04-02T00:00:00

Description

The remote instance of Jetty is affected by a remote memory disclosure vulnerability in the HttpParser module due to incorrect handling of illegal characters in header values. When an illegal character is encountered in an HTTP request, Jetty writes a response in a shared buffer that was used in a previous request. Jetty

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81576);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2015-2080");
  script_bugtraq_id(72768);

  script_name(english:"Jetty HttpParser Error Remote Memory Disclosure");
  script_summary(english:"Checks for a remote memory disclosure flaw.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote memory disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote instance of Jetty is affected by a remote memory disclosure
vulnerability in the HttpParser module due to incorrect handling of
illegal characters in header values. When an illegal character is
encountered in an HTTP request, Jetty writes a response in a shared
buffer that was used in a previous request. Jetty's response to the
client includes this shared buffer which contains potentially
sensitive data from the previous request. An attacker, using specially
crafted requests containing variable length strings of illegal
characters, can steal sensitive header data (e.g. cookies,
authentication tokens) or sensitive POST data (e.g. credentials).");
  # https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8e07913");
  script_set_attribute(attribute:"see_also", value:"https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642");
  # https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f918c477");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact
the vendor for a solution.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2080");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mortbay:jetty");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default: 8080);

# Unless we're paranoid, make sure the banner looks like Jetty.
if (report_paranoia < 2)
{
  banner = get_http_banner(port:port);
  if (isnull(banner) || "Server: Jetty(" >!< banner)
    audit(AUDIT_WRONG_WEB_SERVER, port, "Jetty");
}

response = http_send_recv3(
  method: "GET",
  item:"/",
  port:port,
  add_headers: make_array("Nessus-Header", '\x00')
);

if (isnull(response))
  audit(AUDIT_RESP_NOT, port, "HTTP GET");

if ("Illegal character 0x0 in state" >!< response[0])
  audit(AUDIT_LISTEN_NOT_VULN, "web server", port);

request = http_last_sent_request();

request =  str_replace(string:request, find:'\x00', replace:"\x00", count:1);

security_report_v4(
  port        : port,
  severity    : SECURITY_WARNING,
  generic     : TRUE,
  line_limit  : 5,
  request     : make_list(request),
  output      : data_protection::sanitize_user_full_redaction(output:chomp(response[0]))
);