Jetty HttpParser Error Remote Memory Disclosure

2015-02-2700:00:00

www.tenable.com

358

The remote instance of Jetty is affected by a remote memory disclosure vulnerability in the HttpParser module due to incorrect handling of illegal characters in header values. When an illegal character is encountered in an HTTP request, Jetty writes a response in a shared buffer that was used in a previous request. Jetty’s response to the client includes this shared buffer which contains potentially sensitive data from the previous request. An attacker, using specially crafted requests containing variable length strings of illegal characters, can steal sensitive header data (e.g. cookies, authentication tokens) or sensitive POST data (e.g. credentials).

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81576);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2015-2080");
  script_bugtraq_id(72768);

  script_name(english:"Jetty HttpParser Error Remote Memory Disclosure");
  script_summary(english:"Checks for a remote memory disclosure flaw.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote memory disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote instance of Jetty is affected by a remote memory disclosure
vulnerability in the HttpParser module due to incorrect handling of
illegal characters in header values. When an illegal character is
encountered in an HTTP request, Jetty writes a response in a shared
buffer that was used in a previous request. Jetty's response to the
client includes this shared buffer which contains potentially
sensitive data from the previous request. An attacker, using specially
crafted requests containing variable length strings of illegal
characters, can steal sensitive header data (e.g. cookies,
authentication tokens) or sensitive POST data (e.g. credentials).");
  # https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8e07913");
  script_set_attribute(attribute:"see_also", value:"https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642");
  # https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f918c477");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact
the vendor for a solution.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2080");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mortbay:jetty");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default: 8080);

# Unless we're paranoid, make sure the banner looks like Jetty.
if (report_paranoia < 2)
{
  banner = get_http_banner(port:port);
  if (isnull(banner) || "Server: Jetty(" >!< banner)
    audit(AUDIT_WRONG_WEB_SERVER, port, "Jetty");
}

response = http_send_recv3(
  method: "GET",
  item:"/",
  port:port,
  add_headers: make_array("Nessus-Header", '\x00')
);

if (isnull(response))
  audit(AUDIT_RESP_NOT, port, "HTTP GET");

if ("Illegal character 0x0 in state" >!< response[0])
  audit(AUDIT_LISTEN_NOT_VULN, "web server", port);

request = http_last_sent_request();

request =  str_replace(string:request, find:'\x00', replace:"\x00", count:1);

security_report_v4(
  port        : port,
  severity    : SECURITY_WARNING,
  generic     : TRUE,
  line_limit  : 5,
  request     : make_list(request),
  output      : data_protection::sanitize_user_full_redaction(output:chomp(response[0]))
);

VendorProductVersionCPE
mortbayjettycpe:/a:mortbay:jetty

Vendor	Product	Version	CPE
mortbay	jetty		cpe:/a:mortbay:jetty

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080

www.nessus.org/u?b8e07913

www.nessus.org/u?f918c477

bugs.eclipse.org/bugs/show_bug.cgi?id=460642

JSON

Related for JETTY_CVE-2015-2080.NASL