httpoxy 漏洞预警及修复方案

时间:2022-06-03 09:33:31

影响范围

PHP、Go、Python等开启CGI(Client)模式的脚本语言

Language 环境依赖 HTTP Client
PHP php-fpmmod_php Guzzle 4+Artax
Python wsgiref.handlers.CGIHandlertwisted.web.twcgi.CGIScript requests
Go net/http/cgi net/http

漏洞原理

在CGI(RFC 3875)的模式的时候,server 会把请求中的 Header, 加上 HTTP_ 前缀, 注册为环境变量,且重名变量会被覆盖污染,若该变量被脚本调用,即可利用,该漏洞在15年前在LWP中已被发现并修复http://www.nntp.perl.org/group/perl.libwww/2001/03/msg2249.html。

如控制 HTTPHOST 进行 URL 跳转,或者直接控制 HTTP_PROXY 让流量到代理服务器中转,将 HTTP 控制进入环境变量进行shellshock攻击等,所以,所有 HTTP_ 开头的环境变量在CGI模式下都是不可信不安全的。

利用过程如图所示:

httpoxy 漏洞预警及修复方案

可通过

ngrep -q -i -d any -W byline 'proxy' 'dst port 80'

捕获扫描

<?php
$http_proxy = getenv("HTTP_PROXY");
if ($http_proxy) {
$context = array(
'http' => array(
'proxy' => $http_proxy,
'request_fulluri' => true,
), );
$s_context = stream_context_create($context);
} else {
$s_context = NULL;
}
$ret = file_get_contents("http://www.chaitin.cn/", false, $s_context);

PoC

curl "http://target" -H "Proxy: test env"

httpoxy 漏洞预警及修复方案

利用条件

  • 后端信任接收的 Header
  • 污染控制的变量被脚本调用
  • 开启CGI(Client)模式
  • 服务器能对外通信

修复方案

最为有效的方式就是在脚本调用变量之前及时阻断或者限制内部调用时的可信变量

Nginx

在配置中加入

fastcgi_param HTTP_PROXY "";

Apache

根据官方建议patchhttps://www.apache.org/security/asf-httpoxy-response.txt

IIS

运行 appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='proxy',sizelimit='0'] 来阻止恶意代理被调用

如果要清理header,可以使用如下规则

<system.webServer>
<rewrite>
<rules>
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
<match url="*.*" />
<serverVariables>
<set name="HTTP_PROXY" value="" />
</serverVariables>
<action type="None" />
</rule>
</rules>
</rewrite>
</system.webServer>

参考来源

https://httpoxy.org/

https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm

附其他语言测试用例

bash

#!/bin/bash

export http_proxy=$HTTP_PROXY
`curl http://www.chaitin.cn`

python

#!/usr/bin/python

import requests
import os
import sys
from wsgiref.handlers import CGIHandler if sys.version_info < (3,):
def b(x):
return x
else:
import codecs def b(x):
return codecs.latin_1_encode(x)[0] def application(environ, start_response):
status = '200 OK' r = requests.get("http://www.chaitin.cn/") output = """
Made internal subrequest to http://www.chaitin.cn/ and got:
os.environ[HTTP_PROXY]: %(proxy)s
os.getenv('HTTP_PROXY'): %(getenv-proxy)s
wsgi Proxy header: %(wsgi-env-proxy)s
status code: %(status)d
text: %(text)s
""" % {
'proxy': os.environ['HTTP_PROXY'] if 'HTTP_PROXY' in os.environ else 'none',
'getenv-proxy': os.getenv('HTTP_PROXY', 'none'),
'wsgi-env-proxy': environ['HTTP_PROXY'] if 'HTTP_PROXY' in environ else 'none',
'status': r.status_code,
'text': r.text
} response_headers = [('Content-type', 'text/plain'),
('Content-Length', str(len(b(output))))] start_response(status, response_headers) return [b(output)] if __name__ == '__main__':
CGIHandler().run(application)

Go

package main

import (
"fmt"
"io"
"log"
"net/http"
"net/http/cgi"
) func main() {
if err := cgi.Serve(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
header := w.Header()
header.Set("Content-Type", "text/plain; charset=utf-8") response, err := http.Get("http://www.chaitin.cn/") if err != nil {
log.Fatal(err)
} else {
defer response.Body.Close() fmt.Fprint(w, "Response body from internal subrequest:")
_, err := io.Copy(w, response.Body)
fmt.Fprintln(w, "") if err != nil {
log.Fatal(err)
}
} fmt.Fprintln(w, "Method:", r.Method)
fmt.Fprintln(w, "URL:", r.URL.String()) query := r.URL.Query()
for k := range query {
fmt.Fprintln(w, "Query", k+":", query.Get(k))
} r.ParseForm()
form := r.Form
for k := range form {
fmt.Fprintln(w, "Form", k+":", form.Get(k))
}
post := r.PostForm
for k := range post {
fmt.Fprintln(w, "PostForm", k+":", post.Get(k))
} fmt.Fprintln(w, "RemoteAddr:", r.RemoteAddr) if referer := r.Referer(); len(referer) > 0 {
fmt.Fprintln(w, "Referer:", referer)
} if ua := r.UserAgent(); len(ua) > 0 {
fmt.Fprintln(w, "UserAgent:", ua)
} for _, cookie := range r.Cookies() {
fmt.Fprintln(w, "Cookie", cookie.Name+":", cookie.Value, cookie.Path, cookie.Domain, cookie.RawExpires)
}
})); err != nil {
fmt.Println(err)
}
} http://www.tuicool.com/articles/Brmm6zm