What is CRLF Injection Attack? - CRLF Injections Tutorial

Hi there. In this article we will talk about CRLF Injection. The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user defacement, positioning of client’s web-cache, hijacking of web pages, defacement and a myriad of other related attacks. A number of years ago a number of CRLF injection vulnerabilities were also discovered in Google’s Adwords web interface.

Today you will learn:
  • What is a CRLF Injection?
  • Vulnerability PoC - Comment System
  • Vulnerability PoC - Email Form
  • Vulnerability PoC - Header Injection
  • Patching
  • Conclusion
What is a CRLF Injection?

Carraige Return Line Feed (CRLF) work due to improper sanatization in user input. The carriage return is essentially the same as hitting 'Enter' or 'Return', creating a new line. The carriage return can be represented in a few different ways: CR, ASCII 13 or r. Both the carriage return and the line feed do essentially the same thing. Although, the line feed is represented as LF, ASCII 10 or n. These commands are printer commands, the line feed tells the printer to feed out one line and a carriage return said the printer carriage should go to the beginning of the current line. In the event you know the operating system of the target machine it will prove useful to know that Windows uses CR/LF but *nix systems only use LF.


Vulnerability PoC - Comment System

To illustrate the first method of CRLF we will be using a hypothetical comment application which is vulnerable to the attack. Let's say our current comment system looks like so:

8/04/07 - DaveSomething is wrong with the login system?
09/04/07 - haZedYeah, you should fix it....


Keep in mind both of these posts are legitimate. To exploit the vulnerability our attack will craft a post that will make it seem like he's posting as an administrator. He will enter the following into the comment box:

Yep, doesn't work..n10/04/07/ - Admin I've relocated the login to http://attackersite.com/login.php, you should be able to login there.

This extremely simple injection will change the comment output the following result.

8/04/07 - DaveSomething is wrong with the login system?
09/04/07 - haZedYeah, you should fix it....
09/04/07 - EthernetYep, doesn't work..
10/04/07 - Admin I've relocated the login to http://attackersite.com/login.php



As you can clearly see in the example, by posing as an administrator we are able to phish passwords from the unsuspecting users. By inserting our new line character in to the post we can go down a line and pretend to be an administrator. It's a pretty neat trick.


Vulnerability PoC - Email Form

The second and final example involves a script used to send emails to other users. The catch is that you cannot see the real email address of the person you are sending to. To exploit this we can simple insert the following in to the 'Subject' header:

Hey, it's DavenBcc: dave@email.comdave@email.com


This injection will send the email over to dave@email.comdave@email.com AND the person we originally specified in the 'To' column. These mail forms can also be exploited by spammers in order to hide their identity. By using a similar method as above they can'Cc' and 'Bcc' the message to 100's of other people spamming their
inboxes anonymously.


Vulnerability PoC - Header Injection

As an alternative to inserting the carriage return-line feed in to an input box we can also use a program like Achilles to intercept the POST headers and then modify them. Using a similar example as to the Email Form example above we could change our headers like so:

Content-Type: application/x-www-form-urlencoded
Content-Length: 147

name=This+is+a+test+&emai l= dave@coldmail.comdave@coldmail.com&subje ct=Test&header=Header:
noone@thingy.comnoone@thingy.com
CC: fbi.gov@meow.comfbi.gov@meow.com
Bcc:enigmagroup.test.@eg. com,
psychomarine@enigmagroup. org,
ausome1@enigmagroup.orgausome1@enigmagroup.org
&msg=crlf!



As you can plainly see in the above example we are able to modify the header in order to spam those email addresses.


Patching

The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to $_POST['input']

if (eregi('n', $_POST['input'])) //This checks for the new line character in the POST variable
{ //start if..
die("CRLF Attack Detected"); //exit program if CRLF is found in the variable
} //end if..



I have commented the code so that you can gain an idea of how we are fixing this vulnerability. As you can see it doesn't take much to thwart this vulnerability. Sadly, not many people are implementing such a patch.


Conclusion

Whether you're dealing with a high risk vulnerability (remote file inclusion) or a low risk one, such as this, you always need to be aware of what you're dealing with. In creating this article I hoped to enlighten some of you as to how this vulnerability works. I hope you've enjoyed this article. Feedback and constructive criticism is encourage.

Do you have questions, comments, or suggestions? Feel free to post a comment!

Source

0 comments:

Post a Comment