Saturday, September 10, 2011

CRLF Injections

----------------------------------------
[0x] Table of Contents
----------------------------------------

[1x] - What is a CRLF Injection?
[2a] - Vulnerability PoC - Comment System
[2b] - Vulnerability PoC - Email Form
[2c] - Vulnerability PoC - Header Injection
[3x] - Patching
[4x] - References
[5x] - Conclusion

----------------------------------------
[1x] What is a CRLF Injection?
----------------------------------------

Carriage Return Line Feed (CRLF) injection works because of improper sanitization of user input. The carriage
return is essentially the same as hitting 'Enter' or 'Return', moving to a new line. It can be represented in a
few different ways: CR, ASCII 13 (0x0D) or \r. The line feed is represented as LF, ASCII 10 (0x0A) or \n. Both
started life as printer commands: the line feed tells the printer to feed out one line and the carriage return
tells it to move the carriage back to the beginning of the current line. Together they mark the end of a line in
line-based formats and protocols (the mail headers in the examples below are one such format), which is why an
attacker who can slip them into a single-line field can start a new line of his own. If you know the operating
system of the target machine it is useful to know that Windows uses CR/LF as its line ending but *nix systems
use only LF.


----------------------------------------
[2a] Vulnerability PoC - Comment System
----------------------------------------

To illustrate the first method of CRLF injection we will be using a hypothetical comment application which is
vulnerable to the attack. Let's say our current comment system looks like so (one comment per line, in the
form 'date - name: text'):


08/04/07 - Dave: Something is wrong with the login system?
09/04/07 - haZed: Yeah, you should fix it....


Keep in mind both of these posts are legitimate. To exploit the vulnerability our attacker will craft
a post that makes it seem like he is posting as an administrator. He will enter the following into
the comment box (\n is the injected line feed):


Yep, doesn't work..\n10/04/07 - Admin: I've relocated the login to http://attackersite.com/login.php,
you should be able to login there.


This extremely simple injection changes the comment output to the following result.


08/04/07 - Dave: Something is wrong with the login system?
09/04/07 - haZed: Yeah, you should fix it....
09/04/07 - Ethernet: Yep, doesn't work..
10/04/07 - Admin: I've relocated the login to http://attackersite.com/login.php, you should be able to login there.


As you can clearly see in the example, by posing as an administrator we are able to phish passwords
from unsuspecting users. By inserting our new line character into the post we move down a line and the
application itself prints our forged 'date - name' prefix for us. It's a pretty neat trick.
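The comment system above, as an added example (Python, not code from the original post): a line-oriented renderer that trusts the comment text, next to a storage check that rejects CR/LF and a renderer that folds line breaks and HTML-encodes before display. The 'date - name: text' layout, the names, dates and the injected comment body are constructed to match the post's illustration and are assumptions, not a real application.

```python
"""Comment-system CRLF injection: vulnerable renderer beside a hardened one.

Added example, not code from the original post. The comment format
("date - name: text", one comment per line) and all names/dates are
constructed assumptions modelled on the post's illustration.
"""
from html import escape

# Constructed sample data: two legitimate posts.
LEGIT_COMMENTS = [
    ("08/04/07", "Dave", "Something is wrong with the login system?"),
    ("09/04/07", "haZed", "Yeah, you should fix it...."),
]

# The attacker's comment body carries a bare line feed followed by a
# forged "date - name" prefix, exactly as the post describes.
INJECTED_BODY = (
    "Yep, doesn't work..\n"
    "10/04/07 - Admin: I've relocated the login to "
    "http://attackersite.com/login.php, you should be able to login there."
)


def render_vulnerable(comments):
    """Line-oriented renderer that trusts the comment text.

    Each comment becomes one line; nothing stops a comment body from
    carrying its own line break and therefore its own forged prefix.
    """
    return "\n".join(f"{date} - {name}: {text}" for date, name, text in comments)


def store_comment_hardened(date, name, text):
    """Accept a comment only if no field carries CR or LF.

    Rejecting (rather than silently stripping) mirrors the patch in the
    original post, extended to catch "\r" as well as "\n".
    """
    for field in (date, name, text):
        if "\r" in field or "\n" in field:
            raise ValueError("CRLF Attack Detected")
    return (date, name, text)


def render_hardened(comments):
    """Render for an HTML page: line breaks folded, output HTML-escaped.

    Even if a line break slipped past storage, folding whitespace keeps each
    comment on its own line, and escaping stops the text becoming markup.
    """
    lines = []
    for fields in comments:
        date, name, text = (" ".join(f.split()) for f in fields)  # folds \r \n \t
        lines.append(escape(f"{date} - {name}: {text}"))
    return "\n".join(lines)


def forged_lines(rendered):
    """Return rendered lines whose author prefix (before the first ': ') is Admin."""
    return [line for line in rendered.splitlines()
            if line.split(": ", 1)[0].endswith(" - Admin")]


if __name__ == "__main__":
    attacker_post = ("09/04/07", "Ethernet", INJECTED_BODY)
    print(render_vulnerable(LEGIT_COMMENTS + [attacker_post]))
    print()
    print(render_hardened(LEGIT_COMMENTS + [attacker_post]))
    try:
        store_comment_hardened(*attacker_post)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it and the vulnerable renderer prints four lines, the last one beginning '10/04/07 - Admin:', while the hardened renderer keeps the attacker's text on his own line and the storage check refuses the post outright.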

----------------------------------------
[2b] Vulnerability PoC - Email Form
----------------------------------------

The second example involves a script used to send emails to other users. The catch is that
you cannot see the real email address of the person you are sending to. To exploit this we simply
insert the following into the 'Subject' field (\n is the injected line feed):


Hey, it's Dave\nBcc: dave@email.com


This injection sends the email to dave@email.com AND the person we originally specified in the
'To' field: the line feed ends the Subject header early, so the mail server reads our 'Bcc:' line as a
header of its own. These mail forms can also be exploited by spammers in order to hide their identity. By
using a similar method they can 'Cc' and 'Bcc' the message to hundreds of other people, spamming their
inboxes anonymously.

----------------------------------------
[2c] Vulnerability PoC - Header Injection
----------------------------------------

As an alternative to typing the carriage return/line feed into an input box we can also use an intercepting
proxy such as Achilles to catch the POST request on its way to the server and modify the form fields in its
body. Using a similar example to the Email Form above we could change the request like so:


Content-Type: application/x-www-form-urlencoded
Content-Length: 147

name=This+is+a+test+&email=dave@coldmail.com&subject=Test&header=Header:
noone@thingy.com
CC:fbi.gov@meow.com
Bcc:enigmagroup.test.@eg.com,
psychomarine@enigmagroup.org,
ausome1@enigmagroup.org
&msg=crlf!


As you can plainly see in the above example we are able to inject extra headers into the message in order to
spam those email addresses.

----------------------------------------
[3x] Patching
----------------------------------------

The CRLF vulnerability is extremely easy to patch. The following code example assumes the input is set to
$_POST['input']. The original post used eregi() for this check; eregi() was deprecated in PHP 5.3 and removed
in PHP 7, so preg_match() is used here instead, and the pattern matches a carriage return as well as a line
feed, because either character can end a line once the data reaches a mail server.


if (preg_match("/[\r\n]/", $_POST['input'])) //This checks for a carriage return or line feed in the POST variable
{ //start if..
    die("CRLF Attack Detected"); //exit program if either character is found in the variable
} //end if..


I have commented the code so that you can gain an idea of how we are fixing this vulnerability. As you can see
it doesn't take much to thwart this vulnerability. Note that this is a reject-on-sight check; stripping the
characters with str_replace() is the alternative when aborting the whole request is too disruptive, and output
such as the comment system should additionally be run through htmlspecialchars() before display. Sadly, not
many people are implementing such a patch.
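The mail-form injections from sections 2b and 2c and the check from this section, together as one added example (Python, not code from the original post or from any real form-to-mail script). The script is assumed to build the raw message by string concatenation; the hidden recipient, the subject text and the injected Cc/Bcc lines are constructed for the example. The message is then parsed the way a mail server would read it, so the extra recipients are visible, and the hardened builder applies the CR/LF check to every header field before concatenating.

```python
"""Mail-form header injection with a header-field CRLF check.

Added example, not code from the original post. The form-to-mail script,
the recipient address and the injected subjects are constructed assumptions.
"""
from email.parser import Parser

# Constructed inputs. HIDDEN_RECIPIENT is the address the form always mails;
# the attacker controls only the subject.
HIDDEN_RECIPIENT = "support@example.org"
INJECTED_SUBJECT = "Hey, it's Dave\nBcc: dave@email.com"
INJECTED_SUBJECT_MANY = (
    "Hey, it's Dave\r\n"
    "Cc: fbi.gov@meow.com\r\n"
    "Bcc: enigmagroup.test@eg.com, psychomarine@enigmagroup.org"
)


def build_message_vulnerable(to_addr, subject, body):
    """Concatenate headers without inspecting the subject.

    A line break inside `subject` ends the Subject header early, so whatever
    follows it is read by the mail server as further headers (Cc, Bcc, ...).
    """
    return f"To: {to_addr}\r\nSubject: {subject}\r\n\r\n{body}\r\n"


def recipients(raw_message):
    """Parse a raw message and return every address it would be delivered to.

    The parser accepts CRLF, bare LF and bare CR as line ends, which is also
    why the post's bare "\n" payload works against real mail scripts.
    """
    msg = Parser().parsestr(raw_message)
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in value.split(","))
    return addrs


def contains_crlf(value):
    """The check from the post's patch, extended to refuse CR as well as LF."""
    return "\r" in value or "\n" in value


def build_message_hardened(to_addr, subject, body):
    """Refuse any header field that carries a line break.

    Only the body may legitimately contain newlines; each header field is
    checked before it is concatenated into the message.
    """
    for name, value in (("To", to_addr), ("Subject", subject)):
        if contains_crlf(value):
            raise ValueError(f"CRLF Attack Detected in {name}")
    return build_message_vulnerable(to_addr, subject, body)


if __name__ == "__main__":
    for subject in (INJECTED_SUBJECT, INJECTED_SUBJECT_MANY):
        raw = build_message_vulnerable(HIDDEN_RECIPIENT, subject, "Please help")
        print("delivered to:", recipients(raw))
        try:
            build_message_hardened(HIDDEN_RECIPIENT, subject, "Please help")
        except ValueError as exc:
            print("hardened builder:", exc)
```

The check is applied to the 'To' field as well as the subject because, as section 2c shows, an attacker who intercepts the request can inject into any field the script copies into a header, not just the one he can see in the form.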

----------------------------------------
[4x] References
----------------------------------------

http://ca.php.net/manual/en/function.eregi.php - PHP eregi() function used in the original patch (deprecated)
http://php.net/manual/en/function.preg-match.php - PHP preg_match() function, its replacement
http://en.wikipedia.org/wiki/CRLF - General CRLF information
http://www.owasp.org/index.php/CRLF_Injection - OWASP CRLF Injection article

Keep Rocking, Keep Hacking
