Tuesday, October 5, 2010

"CRLF injection attack"

///////////////////////////////////////////

What is CRLF Injection Attack? - CRLF Injections Tutorial



Hi there. In this article we will talk about CRLF Injection. The CRLF
Injection Attack (sometimes also referred to as HTTP Response Splitting) is
a fairly simple, yet extremely powerful web attack. Hackers are actively
exploiting this web application vulnerability to perform a large variety of
attacks that include cross-site scripting (XSS), cross-user defacement,
poisoning of the client's web cache, hijacking of web pages, defacement and a
myriad of other related attacks. A number of years ago several CRLF
injection vulnerabilities were also discovered in Google's AdWords web
interface.



Today you will learn:

What is a CRLF Injection?
Vulnerability PoC - Comment System
Vulnerability PoC - Email Form
Vulnerability PoC - Header Injection
Patching
Conclusion

What is a CRLF Injection?



Carriage Return Line Feed (CRLF) injection works because of improper
sanitization of user input. The carriage return is essentially the same as
hitting 'Enter' or 'Return', creating a new line. The carriage return can be
represented in a few different ways: CR, ASCII 13 or \r. Both the carriage
return and the line feed do essentially the same thing, although the line
feed is represented as LF, ASCII 10 or \n. These were originally printer
commands: the line feed tells the printer to feed out one line and the
carriage return tells the printer carriage to go to the beginning of the
current line. In the event you know the operating system of the target
machine it will prove useful to know that Windows uses CR/LF but *nix
systems only use LF.





Vulnerability PoC - Comment System



To illustrate the first method of CRLF we will be using a hypothetical
comment application which is vulnerable to the attack. Let's say our
current comment system looks like so:

08/04/07 - Dave
Something is wrong with the login system?

09/04/07 - haZed
Yeah, you should fix it....



Keep in mind both of these posts are legitimate. To exploit the
vulnerability our attacker will craft a post that makes it seem like he is
posting as an administrator. He will enter the following into the comment
box:

Yep, doesn't work..\n10/04/07 - Admin I've relocated the login to
http://attackersite.com/login.php, you should be able to login there.



This extremely simple injection will change the comment output to the
following result.

08/04/07 - Dave
Something is wrong with the login system?

09/04/07 - haZed
Yeah, you should fix it....

09/04/07 - Ethernet
Yep, doesn't work..
10/04/07 - Admin I've relocated the login to
http://attackersite.com/login.php



As you can clearly see in the example, by posing as an administrator we are
able to phish passwords from the unsuspecting users. By inserting our new
line character into the post we can go down a line and pretend to be an
administrator. It's a pretty neat trick.





Vulnerability PoC - Email Form



The second and final example involves a script used to send emails to other
users. The catch is that you cannot see the real email address of the
person you are sending to. To exploit this we can simply insert the
following into the 'Subject' header:

Hey, it's Dave\nBcc: dave@email.com

This injection will send the email to dave@email.com AND to the person we
originally specified in the 'To' field. These mail forms can also be
exploited by spammers in order to hide their identity. Using a similar
method as above they can 'Cc' and 'Bcc' the message to hundreds of other
people, spamming their inboxes anonymously.





Vulnerability PoC - Header Injection



As an alternative to inserting the carriage return-line feed into an input
box we can also use a program like Achilles to intercept the POST request
and then modify it. Using a similar example to the Email Form example
above we could change our request like so:



Content-Type: application/x-www-form-urlencoded
Content-Length: 147

name=This+is+a+test+&email=dave@coldmail.com&subject=Test&header=Header:
noone@thingy.com
CC: fbi.gov@meow.com
Bcc:enigmagroup.test.@eg.com,
psychomarine@enigmagroup.org,
ausome1@enigmagroup.org
&msg=crlf!



As you can plainly see in the above example we are able to modify the
header in order to spam those email addresses.





Patching



The CRLF vulnerability is extremely easy to patch. The following PHP code
example assumes the input is set to $_POST['input']:

// Check the POST variable for a line terminator. Both CR (\r) and LF (\n)
// are rejected, since either one can start a new line or header.
// (eregi() is deprecated in PHP; preg_match() performs the same check.)
if (preg_match('/[\r\n]/', $_POST['input']))
{ //start if..
    die("CRLF Attack Detected"); //exit program if CRLF is found in the variable
} //end if..



I have commented the code so that you can gain an idea of how we are fixing
this vulnerability. As you can see it doesn't take much to thwart this
vulnerability. Sadly, not many people are implementing such a patch.
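As an added example (not the article's own code), the following Python puts the email-form and comment-system cases side by side: a naive header builder that lets a line break in the Subject field become a Bcc header, the hardened builder with the article's check widened to CR as well as LF, and a comment sanitizer. The toy header parser, the recipient alice@example.com and the sample inputs are constructed for this illustration.

```python
import re

# Constructed sample inputs modelled on the article's two scenarios:
# a Subject field carrying an injected Bcc header, and a comment body
# carrying an injected "Admin" entry.
INJECTED_SUBJECT = "Hey, it's Dave\nBcc: dave@email.com"
INJECTED_COMMENT = "Yep, doesn't work..\n10/04/07 - Admin I've relocated the login"

# A header line ends at CR or LF; the article's patch only looked for \n,
# but a bare \r also terminates a line in many header parsers.
LINE_BREAK = re.compile(r"[\r\n]")


def has_crlf(value: str) -> bool:
    """The article's check, widened to cover CR as well as LF."""
    return LINE_BREAK.search(value) is not None


def build_headers_naive(to: str, subject: str) -> str:
    """Vulnerable form: untrusted values are concatenated straight into headers."""
    return f"To: {to}\nSubject: {subject}\n"


def build_headers_safe(to: str, subject: str) -> str:
    """Hardened form: refuse any field that contains a line terminator."""
    for field, value in (("to", to), ("subject", subject)):
        if has_crlf(value):
            raise ValueError(f"CRLF Attack Detected in {field}")
    return build_headers_naive(to, subject)


def parse_headers(raw: str) -> list:
    """Split a header block into (name, value) pairs the way a simple mailer would."""
    pairs = []
    for line in raw.splitlines():
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def delivery_headers(raw: str) -> set:
    """Header names that control who receives the message."""
    return {n.lower() for n, _ in parse_headers(raw) if n.lower() in ("to", "cc", "bcc")}


def sanitize_comment(body: str) -> str:
    """Comment-system fix: fold line breaks into spaces so a post cannot fake a new entry."""
    return LINE_BREAK.sub(" ", body)
```

Run the naive builder on INJECTED_SUBJECT and the parsed headers gain a Bcc entry the sender never saw; the safe builder rejects the same input before anything is sent.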





Conclusion



Whether you're dealing with a high-risk vulnerability (remote file
inclusion) or a low-risk one, such as this, you always need to be aware of
what you're dealing with. In creating this article I hoped to enlighten
some of you as to how this vulnerability works. I hope you've enjoyed this
article. Feedback and constructive criticism are encouraged.
