
Jetty HttpParser Error Remote Memory Disclosure


CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.953

Percentile

99.4%

The remote instance of Jetty is affected by a remote memory disclosure vulnerability in the HttpParser module due to incorrect handling of illegal characters in header values. When it encounters an illegal character in an HTTP request, Jetty builds its error response from a shared buffer that was used for a previous request, and the response sent to the client includes the contents of that buffer — potentially sensitive data from a previous (possibly another client's) request. An unauthenticated attacker who sends specially crafted requests containing illegal-character strings of varying lengths can read back that data, including sensitive header values (e.g. cookies, authentication tokens) and sensitive POST data (e.g. credentials).

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration: when Nessus loads the script with 'description' set it
# only records metadata and exits; the live check further down does not run.
if (description)
{
  script_id(81576);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/26");

  # CVE-2015-2080 / BID 72768: the "JetLeak" shared-buffer disclosure.
  script_cve_id("CVE-2015-2080");
  script_bugtraq_id(72768);

  script_name(english:"Jetty HttpParser Error Remote Memory Disclosure");
  script_summary(english:"Checks for a remote memory disclosure flaw.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote memory disclosure
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote instance of Jetty is affected by a remote memory disclosure
vulnerability in the HttpParser module due to incorrect handling of
illegal characters in header values. When an illegal character is
encountered in an HTTP request, Jetty writes a response in a shared
buffer that was used in a previous request. Jetty's response to the
client includes this shared buffer which contains potentially
sensitive data from the previous request. An attacker, using specially
crafted requests containing variable length strings of illegal
characters, can steal sensitive header data (e.g. cookies,
authentication tokens) or sensitive POST data (e.g. credentials).");
  # Original researcher write-up (GDS "JetLeak"), reached via the nessus.org redirect below:
  # https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8e07913");
  # Upstream Eclipse bug tracking the fix.
  script_set_attribute(attribute:"see_also", value:"https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642");
  # Vendor advisory for the 9.2.x line, reached via the nessus.org redirect below:
  # https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f918c477");
  # NOTE(review): only the 9.2.x fix release is named here; the fixed 9.3
  # milestone is not stated in this plugin and should be confirmed against
  # the vendor advisory linked above before advising 9.3.x users.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact
the vendor for a solution.");
  # Both base vectors come from the CVE record (cvss_score_source below):
  # CVSSv2 rates confidentiality PARTIAL, CVSSv3 rates it HIGH; neither
  # scores integrity or availability impact. Temporal E:POC / E:P reflect
  # the public proof of concept in the GDS write-up.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2080");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Vendor fix and public disclosure landed the same day; plugin followed three days later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mortbay:jetty");
  script_end_attributes();

  # ACT_ATTACK: the live check below triggers the bug itself (a NUL byte in a
  # header value), so on a vulnerable target the scanner receives whatever
  # other clients' data happened to sit in the shared buffer. The report path
  # redacts it, but the scanner host still handled that data.
  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # http_version.nasl supplies the Server banner used by the non-paranoid gate below.
  script_dependencies("http_version.nasl");
  # Runs against every discovered HTTP service; 8080 is the fallback port.
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("http.inc");
include("data_protection.inc");

# Live check: provoke Jetty's HttpParser error path with an illegal header byte
# and report when the pre-fix diagnostic (the one that embeds the shared
# request buffer) comes back to the client.
port = get_http_port(default: 8080);

# Only the paranoid report setting skips the banner gate; otherwise insist on a
# "Server: Jetty(" banner so we do not fire the probe at unrelated servers.
if (report_paranoia < 2)
{
  srv_banner = get_http_banner(port:port);
  if (isnull(srv_banner) || "Server: Jetty(" >!< srv_banner)
    audit(AUDIT_WRONG_WEB_SERVER, port, "Jetty");
}

# The trigger is a single NUL byte in a header value; the header name itself
# is arbitrary. The single-quoted NASL literal '\x00' is a real 0x00 byte.
probe_headers = make_array("Nessus-Header", '\x00');
res = http_send_recv3(
  method: "GET",
  item:"/",
  port:port,
  add_headers: probe_headers
);

if (isnull(res))
  audit(AUDIT_RESP_NOT, port, "HTTP GET");

# res[0] is the first element of http_send_recv3's result (the status line).
# Vulnerable Jetty reports "Illegal character 0x0 in state=... in '<buffer>'"
# there; the quoted buffer is what leaks. NOTE(review): the match relies on
# the "in state" wording being absent from a patched server's reply — confirm
# against 9.2.9 before trusting a "not vulnerable" result.
status_line = res[0];
leak_marker = "Illegal character 0x0 in state";
if (leak_marker >!< status_line)
  audit(AUDIT_LISTEN_NOT_VULN, "web server", port);

# Make the raw probe printable for the report: swap the single NUL byte for
# the four literal characters \x00 (double-quoted NASL strings do not
# interpret escapes).
sent_request = http_last_sent_request();
sent_request = str_replace(string:sent_request, find:'\x00', replace:"\x00", count:1);

# The output is the leaked status line; full user-data redaction is applied
# because its tail may hold another client's headers or POST body.
security_report_v4(
  port        : port,
  severity    : SECURITY_WARNING,
  generic     : TRUE,
  line_limit  : 5,
  request     : make_list(sent_request),
  output      : data_protection::sanitize_user_full_redaction(output:chomp(status_line))
);
