SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)

Automatically imported from Debian bug report #322607 http://bugs.debian.org/322607

Message-Id: <email address hidden>
Date: Wed, 29 Jun 2005 00:49:31 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding
 and Content-Length headers

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions. This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);

| Proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length to eliminate
| an HTTP Request Smuggling vulnerability and don't reuse the
| connection, stopping some HTTP Request Spoofing attacks.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 00:11:56 +0100
From: Steve Kemp <email address hidden>
To: Moritz Muehlenhoff <email address hidden>, <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

On Wed, Jun 29, 2005 at 12:49:31AM +0200, Moritz Muehlenhoff wrote:
> Package: apache2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
>
> | The 2.1.6-alpha release addresses a security vulnerability present
> | in all previous 2.x versions. This fault did not affect Apache 1.3.x
> | (which did not proxy keepalives or chunked transfer encoding);
>
> | Proxy HTTP: If a response contains both Transfer-Encoding
> | and a Content-Length, remove the Content-Length to eliminate
> | an HTTP Request Smuggling vulnerability and don't reuse the
> | connection, stopping some HTTP Request Spoofing attacks.
>

  Can I be the first to say that I don't understand the nature of this
 issue?

  Is this also present in 2.0.54 which is the latest stable release?
 There's no mention of it in the changelog there..

Steve
--

Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 10:50:54 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: "Steve Kemp" <email address hidden>
Cc: "Moritz Muehlenhoff" <email address hidden>,
 <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

Steve Kemp wrote:
>
> Can I be the first to say that I don't understand the nature of this
> issue?

The description sounds reasonably straightforward, though I'd classify
this as a vulnerability of pretty low importance, from a "will people be
exploited by this" viewpoint.

> Is this also present in 2.0.54 which is the latest stable release?
> There's no mention of it in the changelog there..

It looks like it's in 2.0.54, and there's a backport in SVN for the 2.0.55
release, but the backport looks more like a massive feature backport, not
just a small security patch, so I may look at if there's a way to fix this
a bit less intrusively.

Actually, it's worth nothing that we muck with Content-Length at another
point, thanks to a Debian-specific patch, so we may accidentally not be
vulnerable to this anyway. I'll follow the code around a little later
today and see if that's the case.

... Adam

Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 15:10:56 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Steve Kemp <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

Steve Kemp wrote:
> > | Proxy HTTP: If a response contains both Transfer-Encoding
> > | and a Content-Length, remove the Content-Length to eliminate
> > | an HTTP Request Smuggling vulnerability and don't reuse the
> > | connection, stopping some HTTP Request Spoofing attacks.
>
> Can I be the first to say that I don't understand the nature of this
> issue?

This seems to be an Apache specific variation of the HTTP Request Smuggling
attacks described in the original Watchfire paper:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

Apache rejects packets with multiple Content-Length headers, but it
seems as if it uses size information constructed from the Transfer-
Encoding headers instead, which make this attack possible?

Cheers,
        Moritz

Message-Id: <200507081725.32343.b@9bit.biz>
Date: Fri, 8 Jul 2005 17:25:31 +0200
From: Borut Mrak <b@9bit.biz>
To: <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

I hope this will be of some help.
If it's OK, someone tag this bug with PATCH or whatever is appropriate:

sorry about the long URL:

http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/STATUS?rev=208744&view=diff&r1=208744&r2=208743&p1=httpd/httpd/branches/2.0.x/STATUS&p2=/httpd/httpd/branches/2.0.x/STATUS

and from there:

http://people.apache.org/~jorton/ap_tevscl.diff

Pasting in case that URL goes 404:

Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 208743)
+++ server/protocol.c (working copy)
@@ -885,6 +885,15 @@
             apr_brigade_destroy(tmp_bb);
             return r;
         }
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
     }
     else {
         if (r->header_only) {

It seems this is the vulnerability-specific part of the patch.

Message-ID: <email address hidden>
Date: Tue, 26 Jul 2005 20:02:44 +0200
From: Sven Mueller <email address hidden>
To: Borut Mrak <b@9bit.biz>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses
 with both Transfer-Encoding and Content-Length headers

--------------050509020101040302010905
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Package apache2
Tags 316173 +patch
thanks

Borut Mrak wrote on 08/07/2005 17:25:
> I hope this will be of some help.

Me too ;-)

> If it's OK, someone tag this bug with PATCH or whatever is appropriate:
>
> sorry about the long URL:
>
> http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/STATUS?rev=208744&view=diff&r1=208744&r2=208743&p1=httpd/httpd/branches/2.0.x/STATUS&p2=/httpd/httpd/branches/2.0.x/STATUS
>
> and from there:
>
> http://people.apache.org/~jorton/ap_tevscl.diff
>
> Pasting in case that URL goes 404:
>
> Index: server/protocol.c
> ===================================================================
> --- server/protocol.c (revision 208743)
> +++ server/protocol.c (working copy)
[...]
> It seems this is the vulnerability-specific part of the patch.

To me, this seems to be a similar patch, but unrelated to the proxy
issue this bug is about. In my opinion,
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=219059&view=diff&r1=219059&r2=219058&p1=httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c&p2=/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c
or http://people.apache.org/~trawick/20.te-cl.txt
looks more like it. That changeset (attached below) also contains an
entry in CHANGES which reads:
  *) proxy HTTP: If a response contains both Transfer-Encoding and a
     Content-Length, remove the Content-Length and don't reuse the
     connection, mitigating some HTTP Response Splitting attacks.
     [Jeff Trawick]
So in my opinion, this would be the real fix to this bug. But given that
the issue is so similar, I would suggest to also incorporate the fix to
server/protocol.c mentioned above.

cu,
sven

--------------050509020101040302010905
Content-Type: text/plain;
 name="apache219059-debian316173.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="apache219059-debian316173.patch"

--- /httpd/httpd/branches/2.0.x/CHANGES 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/CHANGES 2005/07/14 16:47:30 219059
@@ -1,5 +1,10 @@
 Changes with Apache 2.0.55

+ *) proxy HTTP: If a response contains both Transfer-Encoding and a
+ Content-Length, remove the Content-Length and don't reuse the
+ connection, mitigating some HTTP Response Splitting attacks.
+ [Jeff Trawick]
+
   *) Prevent hangs of child processes when writing to piped loggers at
      the time of graceful restart. PR 26467. [Jeff Trawick]
--- /httpd/httpd/branches/2.0.x/STATUS 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/STATUS 2005/07/14 16:47:30 219059
@@ -111,10 +111,6 @@

     * Various fixes to T-E and C-L processing from trunk

- + proxy HTTP - ignore C-L and disable keepalive to origin server
- ...

Message-ID: <email address hidden>
Date: Wed, 10 Aug 2005 17:03:55 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: retitling

retitle 320048 SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
retitle 316173 SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
severity 316173 critical
thanks

Added CAN-Numbers as seen in Ubuntu's USN-160-1 advisory for easier
reference.

bye,

-christian-

Message-ID: <email address hidden>
Date: Thu, 11 Aug 2005 20:01:16 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: Apache 1.3 also vulnerable?

clone 316173 -1
clone 320048 -2
reassign -1 apache
reassign -2 apache
thanks

In the RedHat/Fedora security announcement, I saw today, their 1.3.27
also received an update so maybe that branch is also vulnerable.
More information may be found here:
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701

bye,

-christian-

Apache 2 was fixed a while ago already. However, apache is still vulnerable
(although it is universe).

(In reply to comment #9)
> Apache 2 was fixed a while ago already. However, apache is still vulnerable
> (although it is universe).

apache has now been fixed, too.

Message-Id: <email address hidden>
Date: Tue, 06 Sep 2005 07:47:04 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#322607: fixed in apache 1.3.33-8

Source: apache
Source-Version: 1.3.33-8

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-common_1.3.33-8_powerpc.deb
apache-dbg_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-dbg_1.3.33-8_powerpc.deb
apache-dev_1.3.33-8_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-8_all.deb
apache-doc_1.3.33-8_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-8_all.deb
apache-perl_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-perl_1.3.33-8_powerpc.deb
apache-ssl_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache-ssl_1.3.33-8_powerpc.deb
apache-utils_1.3.33-8_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-8_all.deb
apache_1.3.33-8.diff.gz
  to pool/main/a/apache/apache_1.3.33-8.diff.gz
apache_1.3.33-8.dsc
  to pool/main/a/apache/apache_1.3.33-8.dsc
apache_1.3.33-8_powerpc.deb
  to pool/main/a/apache/apache_1.3.33-8_powerpc.deb
libapache-mod-perl_1.29.0.3-8_powerpc.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-8_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 06 Sep 2005 23:25:55 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source powerpc all
Version: 1.3.33-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
 apache - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers (transitional package)
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
 apache (1.3.33-8) unstable; urgency=medium
 .
   * Clean up debian/control, replacing hardcoded debconf dependencies with
     ${misc:Depends} and removing versioned dpkg dependencies, now that the
     version we want is in all of oldstable, stable, testing and unstable.
   * Ad...

Message-Id: <email address hidden>
Date: Wed, 07 Sep 2005 23:02:12 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1

Source: apache
Source-Version: 1.3.33-6sarge1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-common_1.3.33-6sarge1_i386.deb
apache-dbg_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.33-6sarge1_i386.deb
apache-dev_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-6sarge1_all.deb
apache-doc_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-6sarge1_all.deb
apache-perl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.33-6sarge1_i386.deb
apache-ssl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.33-6sarge1_i386.deb
apache-utils_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-6sarge1_all.deb
apache_1.3.33-6sarge1.diff.gz
  to pool/main/a/apache/apache_1.3.33-6sarge1.diff.gz
apache_1.3.33-6sarge1.dsc
  to pool/main/a/apache/apache_1.3.33-6sarge1.dsc
apache_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache_1.3.33-6sarge1_i386.deb
libapache-mod-perl_1.29.0.3-6sarge1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
 apache - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers (transitional package)
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
 apache (1.3.33-6sarge1) stable-security; urgency=high
 .
   * Add 906_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response cont...

Message-Id: <email address hidden>
Date: Fri, 16 Dec 2005 21:19:02 -0800
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#322607: fixed in apache 1.3.33-6sarge1

Source: apache
Source-Version: 1.3.33-6sarge1

We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:

apache-common_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-common_1.3.33-6sarge1_i386.deb
apache-dbg_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-dbg_1.3.33-6sarge1_i386.deb
apache-dev_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-dev_1.3.33-6sarge1_all.deb
apache-doc_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-doc_1.3.33-6sarge1_all.deb
apache-perl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-perl_1.3.33-6sarge1_i386.deb
apache-ssl_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache-ssl_1.3.33-6sarge1_i386.deb
apache-utils_1.3.33-6sarge1_all.deb
  to pool/main/a/apache/apache-utils_1.3.33-6sarge1_all.deb
apache_1.3.33-6sarge1.diff.gz
  to pool/main/a/apache/apache_1.3.33-6sarge1.diff.gz
apache_1.3.33-6sarge1.dsc
  to pool/main/a/apache/apache_1.3.33-6sarge1.dsc
apache_1.3.33-6sarge1_i386.deb
  to pool/main/a/apache/apache_1.3.33-6sarge1_i386.deb
libapache-mod-perl_1.29.0.3-6sarge1_i386.deb
  to pool/main/a/apache/libapache-mod-perl_1.29.0.3-6sarge1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 6 Sep 2005 23:02:02 +1000
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.33-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
 apache - versatile, high-performance HTTP server
 apache-common - support files for all Apache webservers
 apache-dbg - debug versions of the Apache webservers
 apache-dev - development kit for the Apache webserver
 apache-doc - documentation for the Apache webserver
 apache-perl - versatile, high-performance HTTP server with Perl support
 apache-ssl - versatile, high-performance HTTP server with SSL support
 apache-utils - utility programs for webservers (transitional package)
 libapache-mod-perl - integration of perl with the Apache web server
Closes: 322607
Changes:
 apache (1.3.33-6sarge1) stable-security; urgency=high
 .
   * Add 906_content_length_CAN-2005-2088, resolving an issue in mod_proxy
     where, when a response cont...