Martin Doyhenard - Internal Server Error: Exploiting Inter-Process Communication with new desynchronization primitives
Martin Doyhenard, Security Researcher at Onapsis
Presentation Title: Internal Server Error: Exploiting Inter-Process Communication with new desynchronization primitives
Length of presentation: 45 minutes
Demo, Tool, Exploit
In this talk I will show how to reverse engineer a proprietary HTTP Server in order to leverage memory corruption vulnerabilities using high-level HTTP protocol exploitation techniques. To do so, I will present two critical vulnerabilities, CVE-2022-22536 and CVE-2022-22532, which were found in SAP's proprietary HTTP Server and could be used by a remote unauthenticated attacker to compromise any SAP installation in the world.
First, I will explain how to escalate an error in the request handling process to desynchronize data buffers and hijack every user's account with Advanced Response Smuggling. Furthermore, as the primitives of this vulnerability do not rely on header parsing errors, I will show a new technique to persist the attack using the first Desync botnet in history. This attack will prove to be effective even in an "impossible to exploit" scenario: without a proxy!
Next, I will examine a Use-After-Free in the shared memory used for Inter-Process Communication. By exploiting the incorrect deallocation, I will show how to tamper with messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.
Finally, as the affected buffers could also contain IPC control data, I will explain how to corrupt memory address pointers and end up obtaining RCE.
SPEAKER BIO:
Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessments on SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on web stack security, reverse engineering and binary analysis, and he is also an active CTF player.
Martin has spoken at different conferences including DEFCON, RSA, HITB and EkoParty, and presented multiple critical vulnerabilities.
Twitter: @tincho_508
REFERENCES:
RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
https://tools.ietf.org/html/rfc2616
RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
https://tools.ietf.org/html/rfc7231
Response Smuggling: Pwning HTTP 1.1 Connections
https://media.defcon.org/DEF%20CON%2...onnections.pdf
James Kettle: HTTP Desync Attacks: Request Smuggling Reborn
https://portswigger.net/research/htt...uggling-reborn
Dennis Andriesse: Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly (No Starch Press)
Daniel P. Bovet: Understanding the Linux Kernel (O'Reilly)