(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_httprint_Multiple_Vulnerabilities.pdf)
CYBSEC S.A.
www.cybsec.com
http://www.cybsec.com/vulnerability_policy.pdf
httprint is a web server fingerprinting tool. It relies on web server
characteristics to accurately identify web servers, despite the fact
that they may have been obfuscated by changing the server banner
strings, or by plug-ins such as mod_security or servermask.
A vulnerability exists in the way httprint processes responses received
from the host being scanned.
If the target host has modified the "Server" field of the HTTP Response
headers, including DHTML code in it, it will be executed when the HTML
output file is displayed by the browser.
It's important to emphasize that this code will be executed under "My
Computer" Security Zone when viewed with IE.
Proof of Concept (using mod_security):
SecServerSignature "Microsoft-IIS/5.0<script>alert('test')</script>"
If the server being fingerprinted is configured to reply with a "Server"
field consisting of a string between 1030 and 1800 characters, httprint
fails to process the response properly, leading to an Access Violation
condition, and ends abruptly.
This condition can be effectively used to develop a Denial of Service
attack against the tool, preventing it from displaying the
fingerprinting results.
Proof of Concept (using mod_security):
SecServerSignature "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…"x1500
Vendor has released httprint v301, which fixes both vulnerabilities.
07/26/2005 - Vendor Notified about Script Injection vulnerability.
07/27/2005 - Vendor Confirmed Vulnerability.
09/01/2005 - Vendor Notified about DoS vulnerability.
09/27/2005 - Vendor Confirmed Vulnerability.
12/22/2005 - Vendor Releases New Version.
12/22/2005 - Vulnerability Public Disclosure.
For more information regarding the vulnerability feel free to contact
the author at mnunez {at} cybsec.com.
For more information regarding CYBSEC: www.cybsec.com
(c) 2005 - CYBSEC S.A. Security Systems
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/