Yaws 1.85 writes data to a log file without sanitizing non-printable
characters, which might allow remote attackers to modify a window's title,
or possibly execute arbitrary commands or overwrite files, via an HTTP
request containing an escape sequence for a terminal emulator.

The injected bytes are inert while they sit in the file: the impact materialises only when the log reaches a terminal that honours the sequences, for example when an administrator runs `cat` or `tail` on it, or when the server runs in the foreground on a pty. The published proof of concept sets the xterm window title (OSC 2, `ESC ] 2 ; owned BEL`); whether a sequence can go further, such as dumping the screen to a file or feeding characters back as input, depends entirely on which terminal emulator is in use. No fix was released for Yaws (the vendor did not respond to the advisory), so the practical mitigations are to escape control characters when the log line is written and to avoid viewing raw logs on an interactive terminal.
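The two halves of the problem, as an added example that is not code from Yaws or from the ush.it advisory: a write-time sanitiser of the kind Apache adopted for its own log escape bugs (control bytes and backslash rendered as `\xHH`), and a scanner that finds OSC/CSI/DCS sequences and stray control bytes in access logs that were written without one. The Common Log Format lines are constructed; the request path in the second one is the advisory's PoC payload, and the OSC number names come from the xterm control-sequence documentation.

```python
"""Log escape-sequence injection: write-time fix plus a scanner for logs on disk.

Added example for this page, not code from Yaws or the advisory.  The access
log lines below are constructed; line 1 carries the advisory's PoC payload
(ESC ] 2 ; owned BEL, xterm "set window title").
"""
import re

SAMPLE_LOG_LINES = [  # constructed Common Log Format lines
    '203.0.113.7 - - [10/Jan/2010:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2010:12:00:01 +0000] "GET /\x1b]2;owned\x07 HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Jan/2010:12:00:02 +0000] "GET /\x1b[2J\x1b[H HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Jan/2010:12:00:03 +0000] "GET /\rforged HTTP/1.1" 404 0',
]

# --- The fix: escape at write time, in the spirit of Apache's CVE-2003-0020/0083 fix ---
# Every C0 control byte, DEL and backslash is written as \xHH.  Backslash is
# included so the escaped form is unambiguous and the original bytes can be
# recovered with unescape_log_field() during forensics.
_NEEDS_ESCAPE = re.compile(r"[\x00-\x1f\x7f\\]")


def sanitize_log_field(value: str) -> str:
    """Return `value` with control bytes and backslash rendered as \\xHH."""
    return _NEEDS_ESCAPE.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def unescape_log_field(value: str) -> str:
    """Inverse of sanitize_log_field(), for recovering the raw request bytes."""
    return re.sub(r"\\x([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


# --- The detector: find terminal control sequences in lines already on disk ---
# Simplified ECMA-48 / xterm grammar: OSC (ESC ] ... BEL|ST), DCS (ESC P ... ST),
# CSI (ESC [ params intermediates final) and any other ESC + final byte.
_ESC_SEQUENCE = re.compile(
    r"\x1b(?:"
    r"(?P<osc>\][^\x07\x1b]*(?:\x07|\x1b\\)?)"
    r"|(?P<dcs>P[^\x1b]*(?:\x1b\\)?)"
    r"|(?P<csi>\[[0-?]*[ -/]*[@-~])"
    r"|(?P<esc>[ -/]*[0-~])"
    r")"
)
# xterm OSC numbers that matter most for log injection (from xterm ctlseqs).
_OSC_COMMANDS = {"0": "set icon name and window title", "1": "set icon name",
                 "2": "set window title", "52": "set or query clipboard selection"}


def scan_log_line(line: str) -> list:
    """Return a finding for every escape sequence or bare control byte in `line`."""
    findings, covered = [], set()
    for m in _ESC_SEQUENCE.finditer(line):
        kind = m.lastgroup          # name of the alternative that matched
        note = kind
        if kind == "osc":
            num = re.match(r"\](\d*)", m.group("osc")).group(1)
            note = _OSC_COMMANDS.get(num, "OSC %s" % (num or "?"))
        findings.append({"offset": m.start(), "kind": kind, "raw": m.group(), "note": note})
        covered.update(range(m.start(), m.end()))
    for i, ch in enumerate(line):   # stray C0/DEL bytes outside any ESC sequence
        if i not in covered and (ord(ch) < 0x20 or ord(ch) == 0x7f):
            findings.append({"offset": i, "kind": "c0", "raw": ch, "note": "bare control byte"})
    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_log(lines) -> dict:
    """Map 0-based line index -> findings, for the lines that have any."""
    return {i: f for i, f in ((i, scan_log_line(l)) for i, l in enumerate(lines)) if f}


if __name__ == "__main__":
    for i, findings in scan_log(SAMPLE_LOG_LINES).items():
        for f in findings:
            print("line %d @%d %-4s %-35s %r" % (i, f["offset"], f["kind"], f["note"], f["raw"]))
    # What a fixed server would have written for the PoC request:
    print(sanitize_log_field(SAMPLE_LOG_LINES[1]))
```

The scanner is the check to run over existing logs from a server that never got a fix; the sanitiser is what the server should apply to every attacker-controlled field (request line, User-Agent, Referer) before the line is written. Escaping the backslash too is what keeps the on-disk form reversible: without it, a literal `\x1b` typed by an attacker would be indistinguishable from an escaped ESC.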
#### Notes
Author| Note
---|---
[jdstrand](<https://launchpad.net/~jdstrand>) | if there is a problem, it is the terminal that has the issue
{"cve": [{"lastseen": "2022-03-23T21:39:27", "description": "Yaws 1.85 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.", "cvss3": {}, "published": "2010-01-13T20:30:00", "type": "cve", "title": "CVE-2009-4495", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4495"], "modified": "2018-10-10T19:49:00", "cpe": ["cpe:/a:yaws:yaws:1.85"], "id": "CVE-2009-4495", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4495", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:yaws:yaws:1.85:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:33:16", "description": "Yaws is prone to a command-injection vulnerability because it fails to\n adequately sanitize user-supplied input in logfiles.", "cvss3": {}, "published": "2010-01-13T00:00:00", "type": "openvas", "title": "Yaws Terminal Escape Sequence in Logs Command Injection Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4495"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310100446", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100446", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Yaws Terminal Escape Sequence in Logs Command 
Injection Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100446\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-01-13 11:20:27 +0100 (Wed, 13 Jan 2010)\");\n script_bugtraq_id(37716);\n script_cve_id(\"CVE-2009-4495\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_name(\"Yaws Terminal Escape Sequence in Logs Command Injection Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/37716\");\n script_xref(name:\"URL\", value:\"http://yaws.hyber.org/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/508830\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web Servers\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"Yaws/banner\");\n 
script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"summary\", value:\"Yaws is prone to a command-injection vulnerability because it fails to\n adequately sanitize user-supplied input in logfiles.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to execute arbitrary commands in\n a terminal.\");\n\n script_tag(name:\"affected\", value:\"Yaws 1.85 is vulnerable, other versions may also be affected.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year\n since the disclosure of this vulnerability. Likely none will be provided anymore.\n General solution options are to upgrade to a newer release, disable respective features,\n remove the product or replace the product by another one.\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nport = http_get_port(default:80);\n\nbanner = http_get_remote_headers(port: port);\nif(!banner || \"Server: Yaws/\" >!< banner)\n exit(0);\n\nversion = eregmatch(pattern:\"Server: Yaws/([0-9.]+)\", string: banner);\nif(isnull(version[1]))exit(0);\n\nif(version_is_less_equal(version: version[1], test_version: \"1.85\")) {\n security_message(port:port);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-02T21:09:55", "description": "Yaws is prone to a command-injection vulnerability because it fails to\nadequately sanitize user-supplied input in logfiles.\n\nAttackers can exploit this issue to execute arbitrary commands in\na terminal.\n\nYaws 1.85 is vulnerable; other versions may also be affected.", "cvss3": {}, "published": "2010-01-13T00:00:00", "type": "openvas", "title": "Yaws Terminal Escape Sequence in Logs Command Injection Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2009-4495"], "modified": "2017-02-23T00:00:00", "id": "OPENVAS:100446", "href": 
"http://plugins.openvas.org/nasl.php?oid=100446", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: yaws_webserver_37716.nasl 5401 2017-02-23 09:46:07Z teissa $\n#\n# Yaws Terminal Escape Sequence in Logs Command Injection Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Yaws is prone to a command-injection vulnerability because it fails to\nadequately sanitize user-supplied input in logfiles.\n\nAttackers can exploit this issue to execute arbitrary commands in\na terminal.\n\nYaws 1.85 is vulnerable; other versions may also be affected.\";\n\n\nif (description)\n{\n script_id(100446);\n script_version(\"$Revision: 5401 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-23 10:46:07 +0100 (Thu, 23 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-01-13 11:20:27 +0100 (Wed, 13 Jan 2010)\");\n script_bugtraq_id(37716);\n script_cve_id(\"CVE-2009-4495\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_name(\"Yaws Terminal Escape Sequence in Logs 
Command Injection Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/37716\");\n script_xref(name : \"URL\" , value : \"http://yaws.hyber.org/\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/508830\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web Servers\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"Yaws/banner\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n \ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nport = get_http_port(default:80);\nif(!get_port_state(port))exit(0);\n\nbanner = get_http_banner(port: port);\nif(!banner)exit(0);\n\nif(\"Server: Yaws/\" >!< banner)exit(0);\nversion = eregmatch(pattern:\"Server: Yaws/([0-9.]+)\", string: banner);\nif(isnull(version[1]))exit(0);\n\nif(version_is_less_equal(version: version[1], test_version: \"1.85\")) {\n security_message(port:port);\n exit(0);\n}\n\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "debiancve": [{"lastseen": "2022-10-20T06:09:14", "description": "Yaws 1.85 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.", "cvss3": {}, "published": "2010-01-13T20:30:00", "type": "debiancve", "title": "CVE-2009-4495", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4495"], "modified": "2010-01-13T20:30:00", "id": "DEBIANCVE:CVE-2009-4495", "href": "https://security-tracker.debian.org/tracker/CVE-2009-4495", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2021-06-08T18:44:59", "description": "ESC-sequences filtering is not performed.", "edition": 2, "cvss3": {}, "published": "2010-01-12T00:00:00", "type": "securityvulns", "title": "Multiple applications log files terminal control characters injections", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4490", "CVE-2009-4495", "CVE-2009-4488", "CVE-2009-4494", "CVE-2009-4492", "CVE-2009-4491", "CVE-2009-4496", "CVE-2009-4489", "CVE-2009-4493", "CVE-2009-4487"], "modified": "2010-01-12T00:00:00", "id": "SECURITYVULNS:VULN:10511", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10511", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:33", "description": "Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,\r\nYaws and Boa log escape sequence injection\r\n\r\n Name Nginx, Varnish, Cherokee, thttpd, mini-httpd,\r\n WEBrick, Orion, AOLserver, Yaws and Boa 
log escape\r\n sequence injection\r\n Systems Affected nginx 0.7.64\r\n Varnish 2.0.6\r\n Cherokee 0.99.30\r\n mini_httpd 1.19\r\n thttpd 2.25b0\r\n WEBrick 1.3.1\r\n Orion 2.0.7\r\n AOLserver 4.5.1\r\n Yaws 1.85\r\n Boa 0.94.14rc21\r\n Severity Medium\r\n Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\r\n Vendor http://www.nginx.net/\r\n http://varnish.projects.linpro.no/\r\n http://www.cherokee-project.com/\r\n http://www.ruby-lang.org/\r\n http://www.acme.com/software/thttpd/\r\n http://www.acme.com/software/mini_httpd/\r\n http://www.orionserver.com/\r\n http://www.aolserver.com/\r\n http://yaws.hyber.org/\r\n http://www.boa.org/\r\n Advisory http://www.ush.it/team/ush/hack_httpd_escape/adv.txt\r\n Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)\r\n Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it)\r\n Francesco "ascii" Ongaro (ascii AT ush DOT it)\r\n Date 20100110\r\n\r\nI. BACKGROUND\r\n\r\nnginx is a HTTP and reverse proxy server written by Igor Sysoev.\r\nVarnish is a state-of-the-art, high-performance HTTP accelerator.\r\nCherokee is a very fast, flexible and easy to configure Web Server.\r\nthttpd is a simple, small, portable, fast, and secure HTTP server.\r\nmini_httpd is a small HTTP server.\r\nWEBrick is a Ruby library providing simple HTTP web server services.\r\nOrion Application Server is a pure java application-server.\r\nAOLserver is America Online's Open-Source web server.\r\nYaws is a HTTP high perfomance 1.1 webserver.\r\nBoa is a single-tasking HTTP server.\r\n\r\nII. 
DESCRIPTION\r\n\r\nNginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver,\r\nYaws and Boa are subject to logs escape sequence injection\r\nvulnerabilites.\r\n\r\nEscape sequences are special characters sequences that are used to\r\ninstruct the terminal to perform special operations like executing\r\ncommands [4, 5] or dumping the buffer to a file [6, 7].\r\n\r\nWhen the webserver is executed in foreground in a pty or when the\r\nlogfiles are viewed with tools like "cat" or "tail" such control chars\r\nreach the terminal and are executed.\r\n\r\nIII. ANALYSIS\r\n\r\nSummary:\r\n\r\n A) "nginx" log escape sequence injection\r\n (Affected versions: 0.7.64 and probably earlier versions)\r\n\r\n B) "Varnish" log escape sequence injection\r\n (Affected versions: 2.0.6 and probably earlier versions)\r\n\r\n C) "Cherokee" log escape sequence injection\r\n (Affected versions: 0.99.30 and probably earlier versions)\r\n\r\n D) "thttpd" log escape sequence injection\r\n (Affected versions: thttpd/2.25b and probably earlier versions)\r\n\r\n E) "mini_httpd" log escape sequence injection\r\n (Affected versions: 1.19 and probably earlier versions)\r\n\r\n F) "WEBrick" log escape sequence injection\r\n (Affected versions: 1.3.1 and probably earlier versions)\r\n\r\n G) "Orion" log escape sequence injection\r\n (Affected versions: 2.0.7 and probably earlier versions)\r\n\r\n H) "AOLserver" log escape sequence injection\r\n (Affected versions: 4.5.1 and probably earlier versions)\r\n\r\n I) "Yaws" log escape sequence injection\r\n (Affected versions: 1.85 and probably earlier versions)\r\n\r\n L) "Boa" log escape sequence injection\r\n (Affected versions: 0.94.14rc21 and probably earlier versions)\r\n\r\nA) "nginx" log escape sequence injection\r\n\r\nOne of the following two Proofs Of Concept can be used in order to\r\nverify the vulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\necho -en "GET 
/\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nB) "Varnish" log escape sequence injection\r\n\r\nOne of the following two Proofs Of Concept can be used in order to\r\nverify the vulnerability.\r\n\r\nxterm varnishlog\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nC) "Cherokee" log escape sequence injection\r\n\r\nThe following Proof Of Concept can be used in order to verify the\r\nvulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\nD) "thttpd" log escape sequence injection\r\n\r\nThe following Proof Of Concept can be used in order to verify the\r\nvulnerability.\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nE) "mini_httpd" log escape sequence injection\r\n\r\nOne of the following two Proofs Of Concept can be used in order to\r\nverify the vulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nF) "WEBrick" log escape sequence injection\r\n\r\nOne of the following two Proofs Of Concept can be used in order to\r\nverify the vulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nG) "Orion" log escape sequence injection\r\n\r\nOne of the following two Proofs Of Concept can be used in order to\r\nverify the vulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nH) "AOLserver" log escape sequence injection\r\n\r\nThe following Proof Of Concept can be used in order to verify the\r\nvulnerability.\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nI) 
"Yaws" log escape sequence injection\r\n\r\nOne of the following two Proofs Of Concept can be used in order to\r\nverify the vulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\necho -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload\r\nnc localhost 80 < payload\r\n\r\nL) "Boa" log escape sequence injection\r\n\r\nThe following Proof Of Concept can be used in order to verify the\r\nvulnerability.\r\n\r\ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a\r\n\r\nIV. DETECTION\r\n\r\nServices like Shodan (shodan.surtri.com) or Google can be used to get an\r\napproximate idea on the usage of the products.\r\n\r\nSome examples:\r\n - http://shodan.surtri.com/?q=nginx\r\n - http://www.google.com/search?q="powered+by+Cherokee"\r\n - curl -kis http://www.antani.gov | grep -E "Server: Orion/2.0.8"\r\n\r\nV. WORKAROUND\r\n\r\nCherokee and WEBrick (Ruby) released related security fixes and releases\r\nas detailed below.\r\n\r\nCherokee issued a public patch that resolved the issue but caused some\r\nissues (http://svn.cherokee-project.com/changeset/3944) and has been\r\nlater replaced (http://svn.cherokee-project.com/changeset/3977) by a\r\nbetter fix that both resolve the issue and doesn't affect the normal\r\nwebserver behavior. Use the second patch or a safe release like 0.99.34\r\nor above. If you are using Cherokee 0.99.32 please note that your build\r\nuses the first patch.\r\n\r\nWebrick (Ruby) sent us the following patch and issued a release\r\nthat fixes the issues. 
Detailed informations are available at the\r\nfollowing url:\r\n\r\nhttp://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection\r\n\r\nThe patch we reviewed is the following but please refer to the vendor's\r\narticle for exact informations.\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nIndex: lib/webrick/httpstatus.rb\r\n===================================================================\r\n--- lib/webrick/httpstatus.rb (revision 26065)\r\n+++ lib/webrick/httpstatus.rb (working copy)\r\n@@ -13,5 +13,15 @@ module WEBrick\r\n module HTTPStatus\r\n\r\n- class Status < StandardError; end\r\n+ class Status < StandardError\r\n+ def initialize(message, *rest)\r\n+ super(AccessLog.escape(message), *rest)\r\n+ end\r\n+ class << self\r\n+ attr_reader :code, :reason_phrase\r\n+ end\r\n+ def code() self::class::code end\r\n+ def reason_phrase() self::class::reason_phrase end\r\n+ alias to_i code\r\n+ end\r\n class Info < Status; end\r\n class Success < Status; end\r\n@@ -69,4 +79,5 @@ module WEBrick\r\n\r\n StatusMessage.each{|code, message|\r\n+ message.freeze\r\n var_name = message.gsub(/[ \-]/,'_').upcase\r\n err_name = message.gsub(/[ \-]/,'')\r\n@@ -80,16 +91,10 @@ module WEBrick\r\n end\r\n\r\n- eval %-\r\n- RC_#{var_name} = #{code}\r\n- class #{err_name} < #{parent}\r\n- def self.code() RC_#{var_name} end\r\n- def self.reason_phrase() StatusMessage[code] end\r\n- def code() self::class::code end\r\n- def reason_phrase() self::class::reason_phrase end\r\n- alias to_i code\r\n- end\r\n- -\r\n-\r\n- CodeToError[code] = const_get(err_name)\r\n+ const_set("RC_#{var_name}", code)\r\n+ err_class = Class.new(parent)\r\n+ err_class.instance_variable_set(:@code, code)\r\n+ err_class.instance_variable_set(:@reason_phrase, message)\r\n+ const_set(err_name, err_class)\r\n+ CodeToError[code] = err_class\r\n }\r\n\r\nIndex: lib/webrick/httprequest.rb\r\n===================================================================\r\n--- 
lib/webrick/httprequest.rb (revision 26065)\r\n+++ lib/webrick/httprequest.rb (working copy)\r\n@@ -267,9 +267,5 @@ module WEBrick\r\n end\r\n end\r\n- begin\r\n- @header = HTTPUtils::parse_header(@raw_header.join)\r\n- rescue => ex\r\n- raise HTTPStatus::BadRequest, ex.message\r\n- end\r\n+ @header = HTTPUtils::parse_header(@raw_header.join)\r\n end\r\n\r\nIndex: lib/webrick/httputils.rb\r\n===================================================================\r\n--- lib/webrick/httputils.rb (revision 26065)\r\n+++ lib/webrick/httputils.rb (working copy)\r\n@@ -130,9 +130,9 @@ module WEBrick\r\n value = $1\r\n unless field\r\n- raise "bad header '#{line.inspect}'."\r\n+ raise HTTPStatus::BadRequest, "bad header '#{line}'."\r\n end\r\n header[field][-1] << " " << value\r\n else\r\n- raise "bad header '#{line.inspect}'."\r\n+ raise HTTPStatus::BadRequest, "bad header '#{line}'."\r\n end\r\n }\r\n\r\nIndex: lib/webrick/accesslog.rb\r\n===================================================================\r\n--- lib/webrick/accesslog.rb (revision 26065)\r\n+++ lib/webrick/accesslog.rb (working copy)\r\n@@ -54,5 +54,5 @@ module WEBrick\r\n raise AccessLogError,\r\n "parameter is required for \"#{spec}\"" unless param\r\n- params[spec][param] || "-"\r\n+ param = params[spec][param] ? escape(param) : "-"\r\n when ?t\r\n params[spec].strftime(param || CLF_TIME_FORMAT)\r\n@@ -60,8 +60,16 @@ module WEBrick\r\n "%"\r\n else\r\n- params[spec]\r\n+ escape(params[spec].to_s)\r\n end\r\n }\r\n end\r\n+\r\n+ def escape(data)\r\n+ if data.tainted?\r\n+ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint\r\n+ else\r\n+ data\r\n+ end\r\n+ end\r\n end\r\n end\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nWe contacted the vendors of eleven affected webservers, counting the\r\nprevious advisory [1] for Jetty. 
Three fixed the issue (Cherokee,\r\nWEBrick/Ruby and Jetty), one will not fix the issue (Varnish) and one\r\nacknowledged the issue (AOLserver).\r\n\r\nNginx NO-RESPONSE\r\nCherokee FIXED\r\nthttpd NO-RESPONSE\r\nmini-httpd NO-RESPONSE\r\nWEBrick FIXED\r\nOrion NO-RESPONSE\r\nAOLserver ACK\r\nYaws NO-RESPONSE\r\nBoa NO-RESPONSE\r\nVarnish WONT-FIX\r\n\r\nThe response was overall good and it was nice to work with them, in\r\nparticular we want to thank Cherokee's staff, Ruby's staff, Raphael\r\nGeissert (Debian) and Steven M. Christey (Mitre) for the support.\r\n\r\nPoul-Henning Kamp (Varnish) replied to our contact email with the\r\nfollowing email that we quote as-is.\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nThe official Varnish response, which I ask that you include in its\r\nentirety in your advisory, if you list Varnish as "vulnerable" in it:\r\n\r\nThis is not a security problem in Varnish or any other piece of software\r\nwhich writes a logfile.\r\n\r\nThe real problem is the mistaken belief that you can cat(1) a random\r\nlogfile to your terminal safely.\r\n\r\nThis is not a new issue. I first remember the issue with xterm(1)'s\r\ninadvisably implemented escape-sequences in a root-context, brought up\r\nheatedly, in 1988, possibly late 1987, at Copenhagens University\r\nComputer Science dept. (Diku.dk). 
Since then, nothing much have changed.\r\n\r\nThe wisdom of terminal-response-escapes in general have been questioned\r\nat regular intervals, but still none of the major terminal emulation\r\nprograms have seen fit to discard these sequences, probably in a\r\nmisguided attempt at compatibility with no longer used 1970'es\r\ntechnology.\r\n\r\nI admit that listing "found a security hole in all HTTP-related programs\r\nthat write logfiles" will look more impressive on a resume, but I think\r\nit is misguided and a sign of trophy-hunting having overtaken common\r\nsense.\r\n\r\nInstead of blaming any and all programs which writes logfiles, it would\r\nbe much more productive, from a security point of view, to get the\r\nterminal emulation programs to stop doing stupid things, and thus fix\r\nthis and other security problems once and for all.\r\n\r\n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--\r\n\r\nWe would like to punctuate the following facts:\r\n\r\n1) We totally agree that the root of the problem is an unwise design in\r\nthe terminal emulators. If in 70' controls were sent out of band on a\r\nsecondary channel we would not have the equivalent of Blue Boxing in the\r\nterminal.\r\n\r\nThis is a known issue from years. We didn't invented this attack vector\r\nand never claimed so. We don't think that design changes will happen in\r\nthe short or mid term so it's better to have a proactive approach and\r\nsanitize outputs where functionalities are likely to not be affected at\r\nall like in this case.\r\n\r\nSecurity in complex systems requires some sinergy.\r\n\r\n2) Varnish is the only program that doesn't need a "cat" program as logs\r\nare stored in memory and displayed using the "varnishlog" utility.\r\n\r\n2) Apache fixed a similiar bug (CVE-2003-0020), "Low: Error log escape\r\nfiltering", in 2004 (six years ago). 
The bug was affecting Apache up\r\nto 1.3.29 [8] or 2.0.48 [9] depending on the branch.\r\n\r\nTake you conclusion, criticize if you want. In the meantime things are a\r\nlittle safer.\r\n\r\nVII. CVE INFORMATION\r\n\r\nCVE-2009-4487 nginx 0.7.64\r\nCVE-2009-4488 Varnish 2.0.6\r\nCVE-2009-4489 Cherokee 0.99.30\r\nCVE-2009-4490 mini_httpd 1.19\r\nCVE-2009-4491 thttpd 2.25b0\r\nCVE-2009-4492 WEBrick 1.3.1\r\nCVE-2009-4493 Orion 2.0.7\r\nCVE-2009-4494 AOLserver 4.5.1\r\nCVE-2009-4495 Yaws 1.85\r\nCVE-2009-4496 Boa 0.94.14rc21\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n20091117 Bug discovered\r\n20091208 First vendor contact\r\n20091209 Cherokee team confirms vulnerability (Alvaro Lopez Ortega)\r\n20091209 Alvaro Lopez Ortega commits Cherokee patch\r\n20091210 Ruby team confirms vulnerability (Shugo Maeda)\r\n20091211 Shugo Maeda sends us webrick patch for evaulation\r\n20091211 AOLserver confirms vulnerability (Jim Davidson)\r\n20091221 Contacted Raphael Geissert (Debian Security)\r\n20091223 Contacted Steven M. Christey (mitre.org)\r\n20091230 Raphael Geissert forwards to Redhat, Debian, Ubuntu and Mitre\r\n20091230 CVEs assigned by Steven M. Christey\r\n20100105 Poul-Henning (Varnish) Kamp said WONT-FIX\r\n20100105 Ruby team is ready for commit (Urabe Shyouhei)\r\n20100106 Second vendor contact\r\n20100110 Advisory release\r\n\r\nIX. 
REFERENCES\r\n\r\n[1] Jetty 6.x and 7.x Multiple Vulnerabilities\r\n http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt\r\n[2] Apache does not filter terminal escape sequences from error logs\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020\r\n[3] Apache does not filter terminal escape sequences from access logs\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083\r\n[4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability\r\n http://www.milw0rm.com/exploits/7681\r\n[5] Terminal Emulator Security Issues\r\n http://marc.info/?l=bugtraq&m=104612710031920&w=2\r\n[6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability\r\n http://www.securityfocus.com/bid/6936/discuss\r\n[7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability\r\n http://www.securityfocus.com/bid/6938/discuss\r\n[8] Apache httpd 1.3 vulnerabilities\r\n http://httpd.apache.org/security/vulnerabilities_13.html\r\n[9] Apache httpd 2.2 vulnerabilities\r\n http://httpd.apache.org/security/vulnerabilities_22.html\r\n\r\nX. CREDIT\r\n\r\nGiovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi and\r\nFrancesco "ascii" Ongaro are credited with the discovery of this\r\nvulnerability.\r\n\r\nGiovanni "evilaliv3" Pellerano\r\nweb site: http://www.ush.it/, http://www.evilaliv3.org/\r\nmail: evilaliv3 AT ush DOT it\r\n\r\nAlessandro "jekil" Tanasi\r\nweb site: http://www.tanasi.it/\r\nmail: alessandro AT tanasi DOT it\r\n\r\nFrancesco "ascii" Ongaro\r\nweb site: http://www.ush.it/\r\nmail: ascii AT ush DOT it\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2009 Francesco "ascii" Ongaro\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without mine express\r\nwritten consent. 
If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease email me for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.", "edition": 1, "cvss3": {}, "published": "2010-01-12T00:00:00", "type": "securityvulns", "title": "Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4490", "CVE-2003-0083", "CVE-2009-4495", "CVE-2009-4488", "CVE-2009-4494", "CVE-2009-4492", "CVE-2009-4491", "CVE-2003-0020", "CVE-2009-4496", "CVE-2009-4489", "CVE-2009-4493", "CVE-2009-4487"], "modified": "2010-01-12T00:00:00", "id": "SECURITYVULNS:DOC:23029", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23029", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:35", "description": "", "cvss3": {}, "published": "2010-01-11T00:00:00", "type": "packetstorm", "title": "Nginx, Varnish, 
Cherokee, etc Log Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2009-4490", "CVE-2003-0083", "CVE-2009-4495", "CVE-2009-4488", "CVE-2009-4494", "CVE-2009-4492", "CVE-2009-4491", "CVE-2003-0020", "CVE-2009-4496", "CVE-2009-4489", "CVE-2009-4493", "CVE-2009-4487"], "modified": "2010-01-11T00:00:00", "id": "PACKETSTORM:85018", "href": "https://packetstormsecurity.com/files/85018/Nginx-Varnish-Cherokee-etc-Log-Injection.html", "sourceData": "`Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, \nYaws and Boa log escape sequence injection \n \nName Nginx, Varnish, Cherokee, thttpd, mini-httpd, \nWEBrick, Orion, AOLserver, Yaws and Boa log escape \nsequence injection \nSystems Affected nginx 0.7.64 \nVarnish 2.0.6 \nCherokee 0.99.30 \nmini_httpd 1.19 \nthttpd 2.25b0 \nWEBrick 1.3.1 \nOrion 2.0.7 \nAOLserver 4.5.1 \nYaws 1.85 \nBoa 0.94.14rc21 \nSeverity Medium \nImpact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \nVendor http://www.nginx.net/ \nhttp://varnish.projects.linpro.no/ \nhttp://www.cherokee-project.com/ \nhttp://www.ruby-lang.org/ \nhttp://www.acme.com/software/thttpd/ \nhttp://www.acme.com/software/mini_httpd/ \nhttp://www.orionserver.com/ \nhttp://www.aolserver.com/ \nhttp://yaws.hyber.org/ \nhttp://www.boa.org/ \nAdvisory http://www.ush.it/team/ush/hack_httpd_escape/adv.txt \nAuthors Giovanni \"evilaliv3\" Pellerano (evilaliv3 AT ush DOT it) \nAlessandro \"jekil\" Tanasi (alessandro AT tanasi DOT it) \nFrancesco \"ascii\" Ongaro (ascii AT ush DOT it) \nDate 20100110 \n \nI. BACKGROUND \n \nnginx is a HTTP and reverse proxy server written by Igor Sysoev. \nVarnish is a state-of-the-art, high-performance HTTP accelerator. \nCherokee is a very fast, flexible and easy to configure Web Server. \nthttpd is a simple, small, portable, fast, and secure HTTP server. \nmini_httpd is a small HTTP server. \nWEBrick is a Ruby library providing simple HTTP web server services. 
\nOrion Application Server is a pure java application-server. \nAOLserver is America Online's Open-Source web server. \nYaws is a high performance HTTP 1.1 webserver. \nBoa is a single-tasking HTTP server. \n \nII. DESCRIPTION \n \nNginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, \nYaws and Boa are subject to log escape sequence injection \nvulnerabilities. \n \nEscape sequences are special character sequences that instruct the \nterminal to perform special operations such as executing commands [4, 5] \nor dumping the screen buffer to a file [6, 7]. \n \nWhen the webserver runs in the foreground in a pty, or when the \nlogfiles are viewed with tools like \"cat\" or \"tail\", such control \ncharacters reach the terminal and are interpreted. \n \nIII. ANALYSIS \n \nSummary: \n \nA) \"nginx\" log escape sequence injection \n(Affected versions: 0.7.64 and probably earlier versions) \n \nB) \"Varnish\" log escape sequence injection \n(Affected versions: 2.0.6 and probably earlier versions) \n \nC) \"Cherokee\" log escape sequence injection \n(Affected versions: 0.99.30 and probably earlier versions) \n \nD) \"thttpd\" log escape sequence injection \n(Affected versions: thttpd/2.25b and probably earlier versions) \n \nE) \"mini_httpd\" log escape sequence injection \n(Affected versions: 1.19 and probably earlier versions) \n \nF) \"WEBrick\" log escape sequence injection \n(Affected versions: 1.3.1 and probably earlier versions) \n \nG) \"Orion\" log escape sequence injection \n(Affected versions: 2.0.7 and probably earlier versions) \n \nH) \"AOLserver\" log escape sequence injection \n(Affected versions: 4.5.1 and probably earlier versions) \n \nI) \"Yaws\" log escape sequence injection \n(Affected versions: 1.85 and probably earlier versions) \n \nL) \"Boa\" log escape sequence injection \n(Affected versions: 0.94.14rc21 and probably earlier versions) \n \nA) \"nginx\" log escape sequence injection \n \nOne of the following two Proofs Of Concept can 
be used in order to \nverify the vulnerability. \n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nB) \"Varnish\" log escape sequence injection \n \nOne of the following two Proofs Of Concept can be used in order to \nverify the vulnerability. \n \nxterm varnishlog \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nC) \"Cherokee\" log escape sequence injection \n \nThe following Proof Of Concept can be used in order to verify the \nvulnerability. \n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \nD) \"thttpd\" log escape sequence injection \n \nThe following Proof Of Concept can be used in order to verify the \nvulnerability. \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nE) \"mini_httpd\" log escape sequence injection \n \nOne of the following two Proofs Of Concept can be used in order to \nverify the vulnerability. \n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nF) \"WEBrick\" log escape sequence injection \n \nOne of the following two Proofs Of Concept can be used in order to \nverify the vulnerability. \n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nG) \"Orion\" log escape sequence injection \n \nOne of the following two Proofs Of Concept can be used in order to \nverify the vulnerability. 
\n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nH) \"AOLserver\" log escape sequence injection \n \nThe following Proof Of Concept can be used in order to verify the \nvulnerability. \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nI) \"Yaws\" log escape sequence injection \n \nOne of the following two Proofs Of Concept can be used in order to \nverify the vulnerability. \n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \necho -en \"GET /\\x1b]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d\" > payload \nnc localhost 80 < payload \n \nL) \"Boa\" log escape sequence injection \n \nThe following Proof Of Concept can be used in order to verify the \nvulnerability. \n \ncurl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a \n \nIV. DETECTION \n \nServices like Shodan (shodan.surtri.com) or Google can be used to get an \napproximate idea of how widely each product is deployed. \n \nSome examples: \n- http://shodan.surtri.com/?q=nginx \n- http://www.google.com/search?q=\"powered+by+Cherokee\" \n- curl -kis http://www.antani.gov | grep -E \"Server: Orion/2.0.8\" \n \nV. WORKAROUND \n \nCherokee and WEBrick (Ruby) released security fixes and new releases, \nas detailed below. \n \nCherokee issued a public patch that resolved the issue but caused \nregressions (http://svn.cherokee-project.com/changeset/3944); it was \nlater replaced (http://svn.cherokee-project.com/changeset/3977) by a \nbetter fix that resolves the issue without affecting the normal \nwebserver behavior. Use the second patch or a safe release like 0.99.34 \nor above. If you are using Cherokee 0.99.32 please note that your build \nuses the first patch. \n \nWebrick (Ruby) sent us the following patch and issued a release \nthat fixes the issues. 
Detailed informations are available at the \nfollowing url: \n \nhttp://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection \n \nThe patch we reviewed is the following but please refer to the vendor's \narticle for exact informations. \n \n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- \n \nIndex: lib/webrick/httpstatus.rb \n=================================================================== \n--- lib/webrick/httpstatus.rb (revision 26065) \n+++ lib/webrick/httpstatus.rb (working copy) \n@@ -13,5 +13,15 @@ module WEBrick \nmodule HTTPStatus \n \n- class Status < StandardError; end \n+ class Status < StandardError \n+ def initialize(message, *rest) \n+ super(AccessLog.escape(message), *rest) \n+ end \n+ class << self \n+ attr_reader :code, :reason_phrase \n+ end \n+ def code() self::class::code end \n+ def reason_phrase() self::class::reason_phrase end \n+ alias to_i code \n+ end \nclass Info < Status; end \nclass Success < Status; end \n@@ -69,4 +79,5 @@ module WEBrick \n \nStatusMessage.each{|code, message| \n+ message.freeze \nvar_name = message.gsub(/[ \\-]/,'_').upcase \nerr_name = message.gsub(/[ \\-]/,'') \n@@ -80,16 +91,10 @@ module WEBrick \nend \n \n- eval %- \n- RC_#{var_name} = #{code} \n- class #{err_name} < #{parent} \n- def self.code() RC_#{var_name} end \n- def self.reason_phrase() StatusMessage[code] end \n- def code() self::class::code end \n- def reason_phrase() self::class::reason_phrase end \n- alias to_i code \n- end \n- - \n- \n- CodeToError[code] = const_get(err_name) \n+ const_set(\"RC_#{var_name}\", code) \n+ err_class = Class.new(parent) \n+ err_class.instance_variable_set(:@code, code) \n+ err_class.instance_variable_set(:@reason_phrase, message) \n+ const_set(err_name, err_class) \n+ CodeToError[code] = err_class \n} \n \nIndex: lib/webrick/httprequest.rb \n=================================================================== \n--- lib/webrick/httprequest.rb (revision 26065) \n+++ 
lib/webrick/httprequest.rb (working copy) \n@@ -267,9 +267,5 @@ module WEBrick \nend \nend \n- begin \n- @header = HTTPUtils::parse_header(@raw_header.join) \n- rescue => ex \n- raise HTTPStatus::BadRequest, ex.message \n- end \n+ @header = HTTPUtils::parse_header(@raw_header.join) \nend \n \nIndex: lib/webrick/httputils.rb \n=================================================================== \n--- lib/webrick/httputils.rb (revision 26065) \n+++ lib/webrick/httputils.rb (working copy) \n@@ -130,9 +130,9 @@ module WEBrick \nvalue = $1 \nunless field \n- raise \"bad header '#{line.inspect}'.\" \n+ raise HTTPStatus::BadRequest, \"bad header '#{line}'.\" \nend \nheader[field][-1] << \" \" << value \nelse \n- raise \"bad header '#{line.inspect}'.\" \n+ raise HTTPStatus::BadRequest, \"bad header '#{line}'.\" \nend \n} \n \nIndex: lib/webrick/accesslog.rb \n=================================================================== \n--- lib/webrick/accesslog.rb (revision 26065) \n+++ lib/webrick/accesslog.rb (working copy) \n@@ -54,5 +54,5 @@ module WEBrick \nraise AccessLogError, \n\"parameter is required for \\\"#{spec}\\\"\" unless param \n- params[spec][param] || \"-\" \n+ param = params[spec][param] ? escape(param) : \"-\" \nwhen ?t \nparams[spec].strftime(param || CLF_TIME_FORMAT) \n@@ -60,8 +60,16 @@ module WEBrick \n\"%\" \nelse \n- params[spec] \n+ escape(params[spec].to_s) \nend \n} \nend \n+ \n+ def escape(data) \n+ if data.tainted? \n+ data.gsub(/[[:cntrl:]\\\\]+/) {$&.dump[1...-1]}.untaint \n+ else \n+ data \n+ end \n+ end \nend \nend \n \n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- \n \nVI. VENDOR RESPONSE \n \nWe contacted the vendors of eleven affected webservers, counting the \nprevious advisory [1] for Jetty. Three fixed the issue (Cherokee, \nWEBrick/Ruby and Jetty), one will not fix the issue (Varnish) and one \nacknowledged the issue (AOLserver). 
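Review bot: in the lib/webrick/httprequest.rb hunk, dropping the `begin ... rescue => ex / raise HTTPStatus::BadRequest, ex.message` wrapper around `HTTPUtils::parse_header` narrows what becomes a 400: only the `HTTPStatus::BadRequest` that `parse_header` now raises itself (lib/webrick/httputils.rb hunk) reaches the client as Bad Request, while any other StandardError thrown during header parsing used to be converted and will now surface as an unhandled server error. If that is intended it deserves a line in the commit message; otherwise keep a rescue that re-raises other exceptions as `HTTPStatus::BadRequest`, whose initializer now escapes the message anyway.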
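Review bot: in the lib/webrick/httputils.rb hunk, `raise HTTPStatus::BadRequest, "bad header '#{line}'."` drops the `line.inspect` that previously rendered control characters as printable escapes and passes the raw header line instead, so the message is now safe only because `Status#initialize` runs `AccessLog.escape` on it, and that escape is a no-op for untainted strings. Prefer keeping `line.inspect` here (or making `escape` unconditional) so this message cannot carry a raw ESC if the line ever arrives untainted; it is also worth confirming that `HTTPStatus` is loaded before `parse_header` can run, since httputils.rb now references it directly.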
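Review bot: in the first lib/webrick/accesslog.rb hunk, `param = params[spec][param] ? escape(param) : "-"` has a precedence bug: Ruby parses it as `param = (params[spec][param] ? escape(param) : "-")`, so when the header, env or note exists the directive yields the escaped name (`param`, e.g. `User-Agent`) rather than the looked-up value, and the attacker-controlled value itself is never escaped. Parenthesise the assignment so the value is what gets tested and escaped: `(param = params[spec][param]) ? escape(param) : "-"`.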
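Review bot: in the second lib/webrick/accesslog.rb hunk, `escape` rewrites `data` only when `data.tainted?`, so an untainted string containing ESC passes through unchanged; the protection rests on taint propagation rather than on what is actually being written. On the log path the cost of escaping is negligible, so drop the `if data.tainted?` branch and always run `data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}`. Also check that `[[:cntrl:]]` covers 0x80..0x9F on the target Ruby (8-bit CSI 0x9B and OSC 0x9D) and add that range explicitly if it does not.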
\n \nNginx NO-RESPONSE \nCherokee FIXED \nthttpd NO-RESPONSE \nmini-httpd NO-RESPONSE \nWEBrick FIXED \nOrion NO-RESPONSE \nAOLserver ACK \nYaws NO-RESPONSE \nBoa NO-RESPONSE \nVarnish WONT-FIX \n \nThe response was overall good and it was nice to work with them, in \nparticular we want to thank Cherokee's staff, Ruby's staff, Raphael \nGeissert (Debian) and Steven M. Christey (Mitre) for the support. \n \nPoul-Henning Kamp (Varnish) replied to our contact email with the \nfollowing email that we quote as-is. \n \n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- \n \nThe official Varnish response, which I ask that you include in its \nentirety in your advisory, if you list Varnish as \"vulnerable\" in it: \n \nThis is not a security problem in Varnish or any other piece of software \nwhich writes a logfile. \n \nThe real problem is the mistaken belief that you can cat(1) a random \nlogfile to your terminal safely. \n \nThis is not a new issue. I first remember the issue with xterm(1)'s \ninadvisably implemented escape-sequences in a root-context, brought up \nheatedly, in 1988, possibly late 1987, at Copenhagens University \nComputer Science dept. (Diku.dk). Since then, nothing much have changed. \n \nThe wisdom of terminal-response-escapes in general have been questioned \nat regular intervals, but still none of the major terminal emulation \nprograms have seen fit to discard these sequences, probably in a \nmisguided attempt at compatibility with no longer used 1970'es \ntechnology. \n \nI admit that listing \"found a security hole in all HTTP-related programs \nthat write logfiles\" will look more impressive on a resume, but I think \nit is misguided and a sign of trophy-hunting having overtaken common \nsense. 
\n \nInstead of blaming any and all programs which writes logfiles, it would \nbe much more productive, from a security point of view, to get the \nterminal emulation programs to stop doing stupid things, and thus fix \nthis and other security problems once and for all. \n \n--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- \n \nWe would like to point out the following facts: \n \n1) We fully agree that the root of the problem is an unwise design in \nthe terminal emulators. If in the 1970s controls had been sent out of \nband on a secondary channel we would not have the equivalent of Blue \nBoxing in the terminal. \n \nThis has been a known issue for years. We did not invent this attack \nvector and never claimed to. We do not think that design changes will \nhappen in the short or mid term, so it is better to take a proactive \napproach and sanitize outputs where functionality is unlikely to be \naffected at all, as in this case. \n \nSecurity in complex systems requires some synergy. \n \n2) Varnish is the only one of these programs for which no \"cat\" is \nneeded: its logs are stored in memory and displayed with its own \n\"varnishlog\" utility, so the vendor's own tool is what delivers the \nsequences to the terminal. \n \n3) Apache fixed a similar bug (CVE-2003-0020), \"Low: Error log escape \nfiltering\", in 2004 (six years ago). The bug affected Apache up to \n1.3.29 [8] or 2.0.48 [9] depending on the branch. \n \nDraw your own conclusions and criticize if you want. In the meantime \nthings are a little safer. \n \nVII. CVE INFORMATION \n \nCVE-2009-4487 nginx 0.7.64 \nCVE-2009-4488 Varnish 2.0.6 \nCVE-2009-4489 Cherokee 0.99.30 \nCVE-2009-4490 mini_httpd 1.19 \nCVE-2009-4491 thttpd 2.25b0 \nCVE-2009-4492 WEBrick 1.3.1 \nCVE-2009-4493 Orion 2.0.7 \nCVE-2009-4494 AOLserver 4.5.1 \nCVE-2009-4495 Yaws 1.85 \nCVE-2009-4496 Boa 0.94.14rc21 \n \nVIII. DISCLOSURE TIMELINE \n \n20091117 Bug discovered \n20091208 First vendor contact \n20091209 Cherokee team confirms vulnerability (Alvaro Lopez Ortega) \n20091209 Alvaro Lopez Ortega commits Cherokee patch \n20091210 Ruby team confirms vulnerability (Shugo Maeda) \n20091211 Shugo Maeda sends us webrick patch for evaluation \n20091211 AOLserver confirms vulnerability (Jim Davidson) \n20091221 Contacted Raphael Geissert (Debian Security) \n20091223 Contacted Steven M. Christey (mitre.org) \n20091230 Raphael Geissert forwards to Redhat, Debian, Ubuntu and Mitre \n20091230 CVEs assigned by Steven M. Christey \n20100105 Poul-Henning Kamp (Varnish) replied WONT-FIX \n20100105 Ruby team is ready for commit (Urabe Shyouhei) \n20100106 Second vendor contact \n20100110 Advisory release \n \nIX. REFERENCES \n \n[1] Jetty 6.x and 7.x Multiple Vulnerabilities \nhttp://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt \n[2] Apache does not filter terminal escape sequences from error logs \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020 \n[3] Apache does not filter terminal escape sequences from access logs \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083 \n[4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability \nhttp://www.milw0rm.com/exploits/7681 \n[5] Terminal Emulator Security Issues \nhttp://marc.info/?l=bugtraq&m=104612710031920&w=2 \n[6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability \nhttp://www.securityfocus.com/bid/6936/discuss \n[7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability \nhttp://www.securityfocus.com/bid/6938/discuss \n[8] Apache httpd 1.3 vulnerabilities \nhttp://httpd.apache.org/security/vulnerabilities_13.html \n[9] Apache httpd 2.2 vulnerabilities \nhttp://httpd.apache.org/security/vulnerabilities_22.html \n \nX. CREDIT \n \nGiovanni \"evilaliv3\" Pellerano, Alessandro \"jekil\" Tanasi and \nFrancesco \"ascii\" Ongaro are credited with the discovery of this \nvulnerability. 
\n \nGiovanni \"evilaliv3\" Pellerano \nweb site: http://www.ush.it/, http://www.evilaliv3.org/ \nmail: evilaliv3 AT ush DOT it \n \nAlessandro \"jekil\" Tanasi \nweb site: http://www.tanasi.it/ \nmail: alessandro AT tanasi DOT it \n \nFrancesco \"ascii\" Ongaro \nweb site: http://www.ush.it/ \nmail: ascii AT ush DOT it \n \nX. LEGAL NOTICES \n \nCopyright (c) 2009 Francesco \"ascii\" Ongaro \n \nPermission is granted for the redistribution of this alert \nelectronically. It may not be edited in any way without mine express \nwritten consent. If you wish to reprint the whole or any \npart of this alert in any other medium other than electronically, \nplease email me for permission. \n \nDisclaimer: The information in the advisory is believed to be accurate \nat the time of publishing based on currently available information. Use \nof the information constitutes acceptance for use in an AS IS condition. \nThere are no warranties with regard to this information. Neither the \nauthor nor the publisher accepts any liability for any direct, indirect, \nor consequential loss or damage arising from use of, or reliance on, \nthis information. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/85018/log-inject.txt", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}
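The proofs of concept in section III and the WEBrick `escape` in section V turn on the same two operations: rewriting control bytes in a request-derived log field so that a terminal renders them as printable text, and recognising sequences that were already written to a log before any fix. The following Ruby is an added example, not code from the advisory or from any of the listed servers (function names `escape_log_field`, `find_terminal_escapes` and `audit_log`, the `TERMINAL_ESCAPE` pattern and the sample log lines are all this example's own, and it assumes Ruby 2.7 or later, where taint tracking is gone and escaping is therefore unconditional). It runs both operations over the OSC set-window-title payload used by the PoCs (ESC ] 2 ; owned? BEL) and over a CSI clear-screen sequence planted in a User-Agent:

```ruby
# Added example, not code from the advisory or from any of the servers it
# lists: escaping and detecting terminal escape sequences in HTTP log lines.
# Assumes Ruby >= 2.7 (no taint tracking; escaping is always applied).

# Rewrite every control character and backslash in a log field as the
# printable escape String#dump would use: ESC -> \e, BEL -> \a, LF -> \n,
# U+009B -> \u009B, backslash -> \\. Backslashes are escaped too so the
# output is unambiguous and an attacker cannot forge an escaped field.
def escape_log_field(data)
  s = data.to_s.dup.force_encoding(Encoding::UTF_8)
  if s.valid_encoding?
    # Unicode [[:cntrl:]] is General_Category Cc: C0 controls, DEL and the
    # C1 range U+0080..U+009F (8-bit CSI/OSC when the log is UTF-8).
    s.gsub(/[[:cntrl:]\\]+/) { |run| run.dump[1...-1] }
  else
    # Not valid UTF-8: work on raw bytes and escape every control/high byte.
    s.b.gsub(/[\x00-\x1f\x7f-\xff\\]+/n) { |run| run.dump[1...-1] }
  end
end

# 7-bit escape sequences as a terminal parses them. Order matters: CSI and
# OSC first, then any other ESC + Fe byte, then a bare ESC + one character.
# An OSC string ends at BEL or ST (ESC \); any other ESC ends it too.
TERMINAL_ESCAPE = /
    \e\[ [\x30-\x3f]* [\x20-\x2f]* [\x40-\x7e]   # CSI: ESC [ params intermediates final
  | \e\] [^\a\e]* (?: \a | \e\\ )?              # OSC: ESC ] text, BEL or ST
  | \e [\x40-\x5f]                              # other ESC Fe (DCS, PM, APC, ...)
  | \e .                                        # anything else after ESC
/x

# Scan one log line and report each escape sequence with its character
# offset, kind and a printable rendering. An empty array means it is clean.
def find_terminal_escapes(line)
  hits = []
  line.to_s.dup.force_encoding(Encoding::UTF_8).scrub.scan(TERMINAL_ESCAPE) do
    m = Regexp.last_match
    kind = case m[0][1]
           when '[' then :csi
           when ']' then :osc
           else :other
           end
    hits << { offset: m.begin(0), kind: kind, text: escape_log_field(m[0]) }
  end
  hits
end

# Constructed Common Log Format lines (not from any real server): one clean,
# one carrying the PoC's OSC title change in the request line, one with CSI
# clear-screen and cursor-home in the User-Agent.
SAMPLE_LOG = [
  "127.0.0.1 - - [10/Jan/2010:12:00:00 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"curl/7.19\"",
  "127.0.0.1 - - [10/Jan/2010:12:00:01 +0100] \"GET /\e]2;owned?\a HTTP/1.1\" 404 0 \"-\" \"curl/7.19\"",
  "127.0.0.1 - - [10/Jan/2010:12:00:02 +0100] \"GET / HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 \e[2J\e[H\"",
].freeze

# Audit a whole log: [line_number, hits] for every line carrying at least
# one escape sequence.
def audit_log(lines)
  lines.each_with_index.filter_map do |line, i|
    hits = find_terminal_escapes(line)
    [i + 1, hits] unless hits.empty?
  end
end

if __FILE__ == $0
  audit_log(SAMPLE_LOG).each do |lineno, hits|
    puts "line #{lineno}: #{hits.map { |h| "#{h[:kind]}@#{h[:offset]} #{h[:text]}" }.join(', ')}"
  end
  SAMPLE_LOG.each { |l| puts escape_log_field(l) }   # safe to cat to a terminal
end
```

`escape_log_field` is the shape of fix a server should apply to every request-derived field before writing it (the request line, the User-Agent and Referer, and the error message of a rejected request), and `find_terminal_escapes` is what an operator can run over existing access logs before opening them in a terminal. When inspecting a suspect log by hand, `cat -v` or `less` (which displays control characters as ^[ by default) keeps the terminal from interpreting the sequences.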