Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
After looking at the URI RFCs (twilight zone), here is a basic algorithm which should be applied to the request:

1: Unreserved chars should always be unescaped (if they are escaped), producing a normalized request uri (assuming no #3 illegal chars, this is what will go into the log file):

    unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"

2: Reserved chars should be left as-is:

    reserved   = gen-delims / sub-delims
    gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
    sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

3: Any other char should be considered an exploit or client error. If the url is logged, it might end with the %-encoded representation of the first illegal char, plus a response code to identify the client error.

Since this decoding/normalization step should take place when processing the start-line/request-line, this might be a good time to update AOLserver to handle absolute uri, which will also require changes to the logic used for (virtual) host identification.

The RFC support for this is from 3986:

    2.1. Percent-Encoding

    A percent-encoding mechanism is used to represent a data octet in a
    component when that octet's corresponding character is outside the
    allowed set or is being used as a delimiter of, or within, the
    component. A percent-encoded octet is encoded as a character triplet,
    consisting of the percent character "%" followed by the two hexadecimal
    digits representing that octet's numeric value. For example, "%20" is
    the percent-encoding for the binary octet "0010 0000" (ABNF: %x20),
    which in US-ASCII corresponds to the space character (SP). Section 2.4
    describes when percent-encoding and decoding is applied.

        pct-encoded = "%" HEXDIG HEXDIG

    The uppercase hexadecimal digits 'A' through 'F' are equivalent to the
    lowercase digits 'a' through 'f', respectively. If two URIs differ only
    in the case of hexadecimal digits used in percent-encoded octets, they
    are equivalent. For consistency, URI producers and normalizers should
    use uppercase hexadecimal digits for all percent-encodings.

Anyway, it is critical to examine and normalize the request uri asap and act quickly when presented with invalid chars.

tom jackson

On Sat, Sep 11, 2010 at 4:00 PM, Tom Jackson <t...@rmadilo.com> wrote:
> This is not an AOLserver issue to write a log file that is safe for broken programs. If there are illegal chars in the URL, maybe reject the request outright. If the chars are legal, then there isn't much else to be done. Chances are the chars in question should be escaped in the URL, so the request should be rejected. Although it might be nice to inform the client, it might be okay and more safe to just drop the request with no response.
>
> tom jackson
>
> On Fri, Sep 10, 2010 at 9:34 AM, Dossy Shiobara <do...@panoptic.com> wrote:
>> Fair enough. ;-)
>>
>> On 9/10/10 2:07 AM, Gustaf Neumann wrote:
>>> The information loss (changing ESC to the bell character 7) is very little; under normal operation, you should never have a bell character in the log file, and now, if you see one, it should ring a bell

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <lists...@listserv.aol.com> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
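The three rules in the message above, applied by a request parser, as an added worked example in C. This is not code from the thread or from AOLserver; the function normalize_request_uri, its return codes, the norm_case/norm_bad_pos helpers and the fixed output buffer are this example's own choices.

```c
/* Added example, not AOLserver code: request-URI normalization following the
 * three rules above with RFC 3986's character classes. Names, return codes
 * and the fixed output buffer are this example's own choices. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { URI_OK = 0, URI_BAD_CHAR = -1, URI_BAD_PCT = -2, URI_TOO_LONG = -3 };

/* unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" */
static int is_unreserved(unsigned char c)
{
    return (c < 0x80 && isalnum(c)) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* reserved = gen-delims / sub-delims (RFC 3986 section 2.2) */
static int is_reserved(unsigned char c)
{
    return c != '\0' && strchr(":/?#[]@!$&'()*+,;=", c) != NULL;
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Rule 1: percent-encoded unreserved octets are decoded. Rule 2: reserved
 * characters pass through, and other percent-encoded octets stay encoded with
 * uppercase hex digits. Rule 3: any other raw octet (controls, space, '"',
 * '<', non-ASCII, a '%' not followed by two hex digits) rejects the request;
 * *bad_pos then holds the offset of the offending byte, which a caller could
 * log in %XX form together with the client-error response code. */
int normalize_request_uri(const char *in, char *out, size_t outlen, size_t *bad_pos)
{
    size_t o = 0;
    if (outlen == 0) return URI_TOO_LONG;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) { *bad_pos = i; return URI_BAD_PCT; }
            unsigned char octet = (unsigned char)((hi << 4) | lo);
            if (is_unreserved(octet)) {                  /* rule 1: decode */
                if (o + 1 >= outlen) return URI_TOO_LONG;
                out[o++] = (char)octet;
            } else {                                     /* keep encoded, uppercased */
                if (o + 3 >= outlen) return URI_TOO_LONG;
                out[o++] = '%';
                out[o++] = "0123456789ABCDEF"[hi];
                out[o++] = "0123456789ABCDEF"[lo];
            }
            i += 2;
        } else if (is_unreserved(c) || is_reserved(c)) { /* rules 1 and 2 */
            if (o + 1 >= outlen) return URI_TOO_LONG;
            out[o++] = (char)c;
        } else {                                         /* rule 3: reject */
            *bad_pos = i;
            return URI_BAD_CHAR;
        }
    }
    out[o] = '\0';
    return URI_OK;
}

/* Returns 1 when in normalizes with return code rc and, for URI_OK, to expected. */
int norm_case(const char *in, int rc, const char *expected)
{
    char out[256];
    size_t pos = 0;
    int r = normalize_request_uri(in, out, sizeof out, &pos);
    return r == rc && (r != URI_OK || strcmp(out, expected) == 0);
}

/* Offset of the byte that caused rejection, or -1 when in is accepted. */
long norm_bad_pos(const char *in)
{
    char out[256];
    size_t pos = 0;
    return normalize_request_uri(in, out, sizeof out, &pos) == URI_OK ? -1 : (long)pos;
}

int main(void)
{
    char out[256];
    size_t pos = 0;
    const char *uri = "/a%7Eb/%41%3f?x=%1b";      /* constructed sample */
    if (normalize_request_uri(uri, out, sizeof out, &pos) == URI_OK)
        printf("%s -> %s\n", uri, out);
    const char *bad = "/index\x1b" "zz";         /* raw ESC byte at offset 6 */
    if (normalize_request_uri(bad, out, sizeof out, &pos) != URI_OK)
        printf("rejected at offset %zu\n", pos);
    return 0;
}
```

Rule 3 rejects raw non-ASCII octets as well, which is what RFC 3986 requires (a UTF-8 path has to arrive percent-encoded), so only ASCII printables ever reach the log. The bad_pos offset is what a caller would turn into the %XX suffix and client-error code the third rule describes.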
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
Actually, someone made the point -- what if you log request *headers* and someone puts a malicious byte sequence in that header? What's the rule around escaping the header values? What about every other code path where a remote user can write unfiltered bytes to a file on the server (logfile, etc.).

Essentially, the vulnerability here isn't in applications that write these bytes to files, but specific terminal applications that are weak and should be fixed. Otherwise, cat is potentially vulnerable and that's a ridiculous position to hold.

On 9/13/10 4:46 PM, Tom Jackson wrote:
> Anyway, it is critical to examine and normalize the request uri asap and act quickly when presented with invalid chars.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
IOW, fix the consumer (where the real bug is), not every producer.

On 13/09/2010 2:16 PM, Dossy Shiobara wrote:
> Actually, someone made the point -- what if you log request *headers* and someone puts a malicious byte sequence in that header? What's the rule around escaping the header values? What about every other code path where a remote user can write unfiltered bytes to a file on the server (logfile, etc.).
>
> Essentially, the vulnerability here isn't in applications that write these bytes to files, but specific terminal applications that are weak and should be fixed. Otherwise, cat is potentially vulnerable and that's a ridiculous position to hold.
>
> On 9/13/10 4:46 PM, Tom Jackson wrote:
>> Anyway, it is critical to examine and normalize the request uri asap and act quickly when presented with invalid chars.
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
Dossy,

I agree that the problem is not with AOLserver, wrt reading the log file, but AOLserver should probably not accept url bytes outside of the accepted range. Headers are slightly more difficult to handle. I have a test http client (htclient) which only accepts context appropriate bytes. For headers the range of acceptable bytes is larger, but you first have to identify the context.

From what I can figure out right now, URLs can't contain unescaped control characters, so valid urls written to a log file will never cause problems with shell programs.

On Mon, Sep 13, 2010 at 2:16 PM, Dossy Shiobara <do...@panoptic.com> wrote:
> Actually, someone made the point -- what if you log request *headers* and someone puts a malicious byte sequence in that header? What's the rule around escaping the header values? What about every other code path where a remote user can write unfiltered bytes to a file on the server (logfile, etc.).
>
> Essentially, the vulnerability here isn't in applications that write these bytes to files, but specific terminal applications that are weak and should be fixed. Otherwise, cat is potentially vulnerable and that's a ridiculous position to hold.

This is absolutely correct. External applications should protect themselves against malicious input. Many do. Occasionally I make a mistake and read a binary file. The result is lots of beeps and strange graphical characters appearing on the terminal. The only solution is to exit the terminal.

Headers are much more dangerous than the request-line, but the problem is with the reader, not the http application. The request line cannot contain malicious characters, I'll have to review the headers definition (either don't log headers or read them with a safe reader).

tom jackson

> On 9/13/10 4:46 PM, Tom Jackson wrote:
>> Anyway, it is critical to examine and normalize the request uri asap and act quickly when presented with invalid chars.
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
This is not an AOLserver issue to write a log file that is safe for broken programs. If there are illegal chars in the URL, maybe reject the request outright. If the chars are legal, then there isn't much else to be done. Chances are the chars in question should be escaped in the URL, so the request should be rejected. Although it might be nice to inform the client, it might be okay and more safe to just drop the request with no response.

tom jackson

On Fri, Sep 10, 2010 at 9:34 AM, Dossy Shiobara <do...@panoptic.com> wrote:
> Fair enough. ;-)
>
> On 9/10/10 2:07 AM, Gustaf Neumann wrote:
>> The information loss (changing ESC to the bell character 7) is very little; under normal operation, you should never have a bell character in the log file, and now, if you see one, it should ring a bell
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
as i said, a quick fix to close the logging exploit.

The information loss (changing ESC to the bell character 7) is very little; under normal operation, you should never have a bell character in the log file, and now, if you see one, it should ring a bell.

the incoming url might be url-encoded or not. if one url-encodes the logged url, then there is as well an information loss. One could certainly just url-encode the escape character, but there is as well an information loss on these. One could grep safely for the bell character, but this is probably not very intuitive.

Note that it is not sufficient to escape only the url; the attack could as well come from other http reply header fields. One should implement a DStringAppendSanitized() function in nslog.c to allow multi-character substitutions.

-gustaf

On 09.09.10 14:41, Dossy Shiobara wrote:
> As a short-term solution, this is probably adequate, but there's information loss -- it'd be nice to indicate the original byte sequence somehow in the log entry by escaping characters so that log analysis tools could detect such attacks, etc. Perhaps the right answer is to log the URI with proper URL-encoding, so that it would be logged as %1B instead of the literal byte.
>
> On 9/9/10 8:18 AM, Gustaf Neumann wrote:
>> i have just now committed a quick fix for the problem into the aolserver/nslog/nslog.c into the sourceforge module. please check, if this is in all cases sufficient.
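A sketch of the sanitized-append idea from the message above, combined with the %XX form Dossy proposes, as an added example. It is not the nslog.c change nor any AOLserver code: it works on a plain NUL-terminated buffer rather than a Tcl_DString so it compiles stand-alone, and the names append_sanitized, needs_escape, sanitize_case and the escape_percent switch are this example's own.

```c
/* Added example, not the nslog.c change or any AOLserver code: an append
 * routine in the spirit of the DStringAppendSanitized() suggested above,
 * writing %XX (as Dossy proposed) instead of a one-character substitution.
 * It works on a plain NUL-terminated buffer rather than a Tcl_DString so it
 * compiles stand-alone; the names and the escape_percent switch are this
 * example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes a terminal may act on: C0 controls (ESC 0x1B, BEL 0x07, CR, LF, ...),
 * DEL, and everything >= 0x80, where the 8-bit C1 controls live. Escaping the
 * high half also keeps a stray byte from breaking a UTF-8 log. */
static int needs_escape(unsigned char c, int escape_percent)
{
    return c < 0x20 || c >= 0x7F || (escape_percent && c == '%');
}

/* Appends len bytes of src to the NUL-terminated string in dst (capacity
 * dstlen). Returns the number of bytes escaped, or -1 if the result would not
 * fit, in which case dst is left untouched. With escape_percent set a literal
 * '%' is written as %25, so the logged field decodes unambiguously; without
 * it a raw ESC and a client-sent "%1B" both appear as %1B. */
long append_sanitized(char *dst, size_t dstlen, const char *src, size_t len, int escape_percent)
{
    size_t used = strlen(dst), need = used;
    long escaped = 0;

    for (size_t i = 0; i < len; i++)
        need += needs_escape((unsigned char)src[i], escape_percent) ? 3 : 1;
    if (need + 1 > dstlen)
        return -1;

    char *p = dst + used;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (needs_escape(c, escape_percent)) {
            *p++ = '%';
            *p++ = "0123456789ABCDEF"[c >> 4];
            *p++ = "0123456789ABCDEF"[c & 0x0F];
            escaped++;
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return escaped;
}

/* Builds prefix + sanitized(src) in a buffer of dstlen bytes (at most 256) and
 * returns the escape count when the result equals expected, -1 when it did not
 * fit, and -99 on a mismatch. */
long sanitize_case(size_t dstlen, const char *prefix, const char *src, int escape_percent, const char *expected)
{
    char buf[256];
    if (dstlen > sizeof buf || strlen(prefix) >= dstlen)
        return -1;
    strcpy(buf, prefix);
    long r = append_sanitized(buf, dstlen, src, strlen(src), escape_percent);
    if (r < 0)
        return r;
    return strcmp(buf, expected) == 0 ? r : -99;
}

int main(void)
{
    /* Constructed request line carrying a raw ESC and a raw BEL byte. */
    const char request[] = "/index.html\x1b" "zz\x07 HTTP/1.0";
    char line[128] = "GET ";
    long n = append_sanitized(line, sizeof line, request, sizeof request - 1, 0);
    printf("%ld bytes escaped: %s\n", n, line);
    return 0;
}
```

The escape_percent switch is the trade-off described above: either the raw byte is lost, or the certainty of what the client actually sent, and whoever reads the log has to know which convention is in force. Truncation is reported rather than silently cutting the field, so a log line is never left with a half-written %XX triplet.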
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
The problem is a very old one, known at least since the 1980s. There are discussions, whether this qualifies as a security problem of some software writing to a logfile or as a problem of the terminal emulators (which it actually is). IMHO, this discussion is worthless. Some vendors of webservers even seem to refuse to fix this. Actually, every software writing unfiltered to some terminals is dangerous, even a grep. The real security problem is some terminal emulations, but there are many of these.

The evil thing is that writing to the log file at the first place does nothing bad, but looking at the logfile with some standard tools can raise the problem - it is a sleeper attack. If the log file is e.g. accessible via NFS, the machines of developers watching the log file are under attack.

As mentioned above this is not only a problem of aolserver, but potentially of more or less all logging programs or programs writing unfiltered to a terminal, such as e.g. database management systems, etc.

> If you're super-paranoid, don't tail -f access log files or other files that an attacker can write to through accessing a service on your system. Get into the habit of cat -v $FILENAME to make sure non-printable characters are escaped, instead of being fed unfiltered to your terminal program.

or

    tail -f ... | cat -v

-gustaf neumann
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
Fair enough. ;-)

On 9/10/10 2:07 AM, Gustaf Neumann wrote:
> The information loss (changing ESC to the bell character 7) is very little; under normal operation, you should never have a bell character in the log file, and now, if you see one, it should ring a bell

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
As a short-term solution, this is probably adequate, but there's information loss -- it'd be nice to indicate the original byte sequence somehow in the log entry by escaping characters so that log analysis tools could detect such attacks, etc. Perhaps the right answer is to log the URI with proper URL-encoding, so that it would be logged as %1B instead of the literal byte.

On 9/9/10 8:18 AM, Gustaf Neumann wrote:
> i have just now committed a quick fix for the problem into the aolserver/nslog/nslog.c into the sourceforge module. please check, if this is in all cases sufficient.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
Did I read this correctly: this is remotely exploitable?

Jade

Jade Rubick | Director of Development | TRUiST
2201 Wisconsin Ave NW, Suite 250 | Washington, DC 20007 | www.truist.com | +1 202 903 2564

Please consider the environment before printing

The information contained in this email/document is confidential and may be legally privileged. Access to this email/document by anyone other than the intended recipient(s) is unauthorized. If you are not an intended recipient, any disclosure, copying, distribution, or any action taken or omitted to be taken in reliance to it, is prohibited.

On Sep 9, 2010, at 5:41 AM, Dossy Shiobara wrote:
> As a short-term solution, this is probably adequate, but there's information loss -- it'd be nice to indicate the original byte sequence somehow in the log entry by escaping characters so that log analysis tools could detect such attacks, etc. Perhaps the right answer is to log the URI with proper URL-encoding, so that it would be logged as %1B instead of the literal byte.
>
> On 9/9/10 8:18 AM, Gustaf Neumann wrote:
>> i have just now committed a quick fix for the problem into the aolserver/nslog/nslog.c into the sourceforge module. please check, if this is in all cases sufficient.
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
The exploit works like this:

1) Attacker sends HTTP request with ANSI escape sequence embedded in URL
2) Escape sequence is logged to access log.
3) Administrator on web server views log via cat, tail, etc.
4) Escape sequences are interpreted by terminal emulator.

In the case of extremely braindead terminal emulators, this can result in arbitrary command execution. The example in the SecurityFocus link sends an escape sequence which changes the window title in most common terminal emulators. A more comprehensive overview of terminal emulator security issues is available here:

http://marc.info/?l=bugtraq&m=104612710031920

Some subtle (?) points:

1) The remote exploit actually occurs on the host running the terminal emulator, not the web server.
2) Most terminal emulators do not support arbitrary command execution via escape sequences.

-Andrew

On Thu, Sep 9, 2010 at 9:47 AM, Jade Rubick <jrub...@truist.com> wrote:
> Did I read this correctly: this is remotely exploitable?
>
> Jade
>
> On Sep 9, 2010, at 5:41 AM, Dossy Shiobara wrote:
>> As a short-term solution, this is probably adequate, but there's information loss -- it'd be nice to indicate the original byte sequence somehow in the log entry by escaping characters so that log analysis tools could detect such attacks, etc. Perhaps the right answer is to log the URI with proper URL-encoding, so that it would be logged as %1B instead of the literal byte.
>>
>> On 9/9/10 8:18 AM, Gustaf Neumann wrote:
>>> i have just now committed a quick fix for the problem into the aolserver/nslog/nslog.c into the sourceforge module. please check, if this is in all cases sufficient.
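Since the chain laid out above only fires when someone reads the log, a log-analysis tool can look for the offending bytes before a terminal ever sees them (the kind of detection Dossy asked for). The following scanner over constructed access-log lines is an added example, not code from the thread or from AOLserver; the SCAN_* flag names, the helper functions and the sample lines are this example's own. It counts BEL bytes separately because the quick fix discussed earlier writes BEL in place of ESC.

```c
/* Added example, not from the thread or AOLserver: a scanner a log-analysis
 * tool could run over an access log to find lines carrying the bytes this
 * thread is about, so they are caught before a terminal interprets them.
 * Flag names and the sample log lines are this example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    SCAN_ESC  = 1,   /* raw ESC (0x1B): start of the terminal sequences discussed */
    SCAN_BEL  = 2,   /* BEL (0x07): what the quick fix writes in place of ESC */
    SCAN_CTRL = 4    /* any other C0 control or DEL, except TAB, CR and LF */
};

/* Returns the bitmask of what was found in line[0..len) and stores the offset
 * of the first hit in *first_off when it is non-NULL and something was found. */
int scan_log_line(const char *line, size_t len, size_t *first_off)
{
    int flags = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        int hit;
        if (c == 0x1B)
            hit = SCAN_ESC;
        else if (c == 0x07)
            hit = SCAN_BEL;
        else if ((c < 0x20 && c != '\t' && c != '\r' && c != '\n') || c == 0x7F)
            hit = SCAN_CTRL;
        else
            continue;
        if (flags == 0 && first_off != NULL)
            *first_off = i;
        flags |= hit;
    }
    return flags;
}

/* Offset of the first flagged byte, or -1 if the line is clean. */
long first_control_offset(const char *line, size_t len)
{
    size_t off = 0;
    return scan_log_line(line, len, &off) ? (long)off : -1;
}

/* Number of LF-terminated lines in buf whose flags intersect mask. */
size_t count_flagged_lines(const char *buf, size_t buflen, int mask)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= buflen; i++) {
        if (i == buflen || buf[i] == '\n') {
            if (i > start && (scan_log_line(buf + start, i - start, NULL) & mask))
                count++;
            start = i + 1;
        }
    }
    return count;
}

/* Constructed common-log-format lines: one clean, one with a raw ESC in the
 * request path, one with the BEL the quick fix would have written instead. */
const char SAMPLE_ACCESS_LOG[] =
    "10.0.0.1 - - [09/Sep/2010:08:18:00 +0200] \"GET /index.html HTTP/1.0\" 200 512\n"
    "10.0.0.2 - - [09/Sep/2010:08:18:01 +0200] \"GET /\x1b" "zz HTTP/1.0\" 404 0\n"
    "10.0.0.3 - - [09/Sep/2010:08:18:02 +0200] \"GET /\x07" "zz HTTP/1.0\" 404 0\n";

int main(void)
{
    size_t start = 0, n = sizeof SAMPLE_ACCESS_LOG - 1;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || SAMPLE_ACCESS_LOG[i] == '\n') {
            size_t off = 0;
            int flags = scan_log_line(SAMPLE_ACCESS_LOG + start, i - start, &off);
            if (flags)
                printf("line at byte %zu: flags=%d, first hit at offset %zu\n", start, flags, off);
            start = i + 1;
        }
    }
    return 0;
}
```

Bytes 0x80 and above are deliberately not flagged here, because in a UTF-8 log they appear as ordinary continuation bytes; a tool that knows its log is pure ASCII could fold them into SCAN_CTRL, since the 8-bit C1 controls live in that range.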
Re: [AOLSERVER] AOLServer Terminal Escape Sequence in Logs Command Injection Vulnerability
tl;dr: Yes, this is remotely exploitable.

Longer explanation: It is if and only if you use a terminal emulator that implements various exploitable escape sequences *and* cat/tail files that an attacker can write to, even indirectly, such as webserver access logs. For various attack vectors, read this:

http://marc.info/?l=bugtraq&m=104612710031920

If you're super-paranoid, don't tail -f access log files or other files that an attacker can write to through accessing a service on your system. Get into the habit of cat -v $FILENAME to make sure non-printable characters are escaped, instead of being fed unfiltered to your terminal program.

On 9/9/10 10:47 AM, Jade Rubick wrote:
> Did I read this correctly: this is remotely exploitable?

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/