Monday, 26 January 2015

Long character sequence in first string of HTTP GET request "tears" the web service's HTTP response. Buffer overflow?



In my current security audit test I've stumbled on something I can't possibly comprehend. The behavior exhibits signs of a buffer overflow in the target or in some intermediate service (http proxy/IDS/IPS/firewall), but I haven't been able to prove it yet, or somehow show it can be exploited. The service exhibits these 2 peculiarities, both related to the first string of the HTTP request (exactly as such, not just the URL length, but the whole 1st string's length, including the HTTP verb (GET, POST, etc.) and the HTTP protocol version):


1) The HTTP protocol version, specified at the end of the 1st string of the HTTP request, can't be changed (it leads to a "Protocol version isn't supported" type of error response), BUT it can be omitted - the page will still be served, but without response headers from the server, just plain HTML text.


2) After removing the HTTP proto version as described above, upon inserting a very long character sequence in this 1st string, while preserving the URL's format intact (like adding it to some parameter, ?par1=very_long_string), the server responds with the same page as before, but now "torn apart" - the HTML abruptly ends in the middle of some tag. This behavior happens all the time, and at an exactly defined length of the 1st string in the HTTP request (like, one character less - and it's ok, one character more - and it's distorted; note, not the length of the URL, but the length of the whole 1st string in the request!). Though, the service doesn't crash after that. And at the same time you can insert much longer strings into other strings of the HTTP request, and it won't trigger anything unusual.


I failed to grasp how the length of an HTTP request can affect the integrity of the HTML in the answer, so some good insight could be very helpful. How should I proceed with this further? I've been thinking about exposing this target to a fuzzer of some sort, trying to force some more unusual behavior out of it, but that seems to be my limit.
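An added example (not from the original post) of how an auditor can document the behaviour described above reproducibly rather than by hand: it builds version-less (HTTP/0.9-style) request lines padded to an exact total length, flags a reply whose HTML stops inside a tag, and bisects to the exact request-line length at which the cut begins. The `fake_server` function, its threshold of 4096 bytes and the sample page are constructed stand-ins for the audited host; `send_raw` is the transport you would substitute for it against a real target you are authorised to test.

```python
import socket

SAMPLE_PAGE = b"<html><head><title>t</title></head><body><p>hello</p></body></html>"

def padded_request_line(total_len, base="/?par1=", version=None):
    """Build 'GET <base><padding>[ <version>]' so that the whole first line is
    exactly total_len bytes. version=None gives a simple (HTTP/0.9-style)
    request, which is why the reply comes back without a status line or headers."""
    prefix = f"GET {base}"
    suffix = f" {version}" if version else ""
    pad = total_len - len(prefix) - len(suffix)
    if pad < 0:
        raise ValueError("total_len is shorter than the fixed part of the line")
    return (prefix + "a" * pad + suffix).encode("ascii")

def looks_truncated(body):
    """Heuristic from the post: the page ends abruptly inside a tag, or the
    closing </html> never arrives."""
    text = body.decode("utf-8", "replace").rstrip()
    return text.rfind("<") > text.rfind(">") or "</html>" not in text.lower()

def find_threshold(truncated_at, lo, hi):
    """Binary-search the smallest first-line length in [lo, hi] for which
    truncated_at(length) is True; assumes the one-byte boundary the post
    reports (below it fine, at and above it torn). Returns None if hi is fine."""
    if not truncated_at(hi):
        return None
    while lo < hi:
        mid = (lo + hi) // 2
        if truncated_at(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo

def send_raw(host, port, request_line, timeout=5.0):
    """Real transport: send one bare request line and return the whole reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request_line + b"\r\n\r\n")
        chunks = []
        while data := s.recv(65536):
            chunks.append(data)
    return b"".join(chunks)

def fake_server(request_line, threshold=4096):
    """Constructed stand-in for the audited host: no headers, and the page is
    cut mid-tag once the request line reaches the threshold length."""
    if len(request_line) >= threshold:
        return SAMPLE_PAGE[: SAMPLE_PAGE.index(b"</body>") + 3]  # ends inside "</b"
    return SAMPLE_PAGE

if __name__ == "__main__":
    probe = lambda n: looks_truncated(fake_server(padded_request_line(n)))
    print("first torn length:", find_threshold(probe, 16, 8192))  # 4096 for the stand-in
```

Against a real host, replace `fake_server(...)` in `probe` with `send_raw(host, port, ...)` and record the threshold plus the exact torn response in the audit notes.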




