Bitmap Pox | TechSNAP 276

Bitmap Pox | TechSNAP 276

A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

New vulnerability in many websites: HTTPoxy

  • Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
  • CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
  • To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
  • To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
  • So, when you pass the the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
  • This allows your application to know what compression algorithms are supported
  • Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
  • “httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
    • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
    • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
  • “This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
  • “What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
    • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy
  • “httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
  • So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
  • Timeline:
  • March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
  • April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
  • July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
  • November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
  • February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
  • July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
  • So this issue was found and dealt with in Perl and cURL in 2001, but, not widely advertised enough to make people aware that it could also impact every other CGI application and language
  • Luckily, you can solve it fairly easily, the site provides instructions for fixing most popular web servers, including NGINX, Apache. Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
  • The fix is simple, remove or blank out the ‘Proxy’ header before it is sent to the application. Since this is a non-standard header, and should never be used, it is safe to just delete the header
  • Other Mitigations: Firewall the web server so it can not make outgoing requests, or use HTTPS for all internal requests, so they cannot be snooped upon.

Oracle’s Outside In Technology, Turned Inside-Out

  • From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
  • In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
  • The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:

Krebs: The value of a hacked company

  • Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
  • “Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
  • “If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
  • There is a lot of value that an attack can extract from a hacked company:
    • Intellectual Property, like trade secrets, plans, or even just a list of customers
    • Physical Property: Desktops, backups, telecom equipment, access to VOIP infrastructure
    • Partners: Access to other companies that the hacked company deals with, weather it be for the sake of Phishing those companies, accessing their bank details, or spreading the compromise to their network
    • HR Data: Information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
    • Financials: Draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
    • Virtual Property: Access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
  • “This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
  • “In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
  • “These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
  • “It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
  • “Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”


Mention: Networking for Information Security/Penetration Testing

Round Up:

Question? Comments? Contact us here!