Issues in Rex::Proto::HTTP

[todb-r7]

This issue was RM8785, originally filed by @firefart

It seems like Rex::Proto::HTTP has some issues. This bug appeared when testing the http_header module.

Example:

firefart@LinuxMint ~/Coding/metasploit-framework $ ./msfcli auxiliary/scanner/http/http_header RHOSTS=accounts.google.com RPORT=443 SSL=true VERBOSE=true E
[*] Initializing modules...
RHOSTS => accounts.google.com
RPORT => 443
SSL => true
VERBOSE => true
[*] 173.194.70.84:443: requesting / via HEAD
[-] 173.194.70.84:443: connection timed out
[*] Scanned 1 of 2 hosts (050% complete)
[*] 2a00:1450:4001:c02::54:443: requesting / via HEAD
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed

CURL Output:

root@firefart:~# curl -skI -X HEAD https://accounts.google.com
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=10893354; includeSubDomains
X-Frame-Options: DENY
Location: https://accounts.google.com/ManageAccount
Content-Length: 223
Date: Sun, 06 Apr 2014 06:52:52 GMT
Expires: Sun, 06 Apr 2014 06:52:52 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Alternate-Protocol: 443:quic

As you can see, MSF gets a Timeout, CURL gets the output.

I traced the error down to lib/rex/proto/http/client.rb#read_response and lib/rex/proto/http/packet.rb#parse

The buffer is filled correctly with the response but on parsing, self.state never leaves the state ParseState::ProcessingBody and so a Timeout is triggered after the default timeout because it is trapped in an endless loop.

There are many ways to fix this issue for example:

lib/rex/proto/http/packet.rb:

change

if (self.body_bytes_left == 0 and not self.transfer_chunked)

to

if (self.body_bytes_left <= 0 and not self.transfer_chunked)

But I think this bugfix can cause many side effects so I add it as a bug so a framework pro can have a look at it

[wchen-r7]

But I think this bugfix can cause many side effects so I add it as a bug so a framework pro can have a look at it

cc @jlee-r7.

[jlee-r7]

I think changing == to <= is a necessary, but insufficient fix. If read loop got more bytes than the body should contain, it also needs to put those extra bytes back in the read buffer because they're most likely the beginning a second, pipelined, request.

[todb-r7]

@wchen-r7 I choose you!

[fsacer]

is that still a valid issue?

[firefart]

yes:

msf5 auxiliary(scanner/http/http_header) > run

[*] 172.217.22.237:443   : requesting / via HEAD
[-] 172.217.22.237:443   : connection timed out
[*] Scanned 1 of 2 hosts (50% complete)
[*] 2a00:1450:4016:801::200d:443: requesting / via HEAD
[-] The host (2a00:1450:4016:801::200d:443) was unreachable.
[-] 2a00:1450:4016:801::200d:443: connection timed out
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_header) > options

Module options (auxiliary/scanner/http/http_header):

   Name         Current Setting                                                        Required  Description
   ----         ---------------                                                        --------  -----------
   HTTP_METHOD  HEAD                                                                   yes       HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, seperated by comma
   Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       accounts.google.com                                                    yes       The target address range or CIDR identifier
   RPORT        443                                                                    yes       The target port (TCP)
   SSL          true                                                                   no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                                                                      yes       The URI to use
   THREADS      1                                                                      yes       The number of concurrent threads
   VHOST                                                                               no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_header) > curl -X HEAD https://accounts.google.com
[*] exec: curl -X HEAD https://accounts.google.com

* Rebuilt URL to: https://accounts.google.com/
*   Trying 172.217.22.237...
* TCP_NODELAY set
* Connected to accounts.google.com (172.217.22.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2341 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=accounts.google.com
*  start date: Jun 19 11:32:59 2018 GMT
*  expire date: Aug 28 11:31:00 2018 GMT
*  subjectAltName: host "accounts.google.com" matched cert's "accounts.google.com"
*  issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x557dd38b8370)
} [5 bytes data]
> HEAD / HTTP/2
> Host: accounts.google.com
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
> Accept: */*
> Referer: 
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 302 
< content-type: text/html; charset=UTF-8
< strict-transport-security: max-age=31536000; includeSubDomains
< x-frame-options: DENY
< content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' https: http:;object-src 'none';base-uri 'self';report-uri /cspreport
< location: https://accounts.google.com/ManageAccount
< content-length: 223
< date: Mon, 30 Jul 2018 05:17:39 GMT
< expires: Mon, 30 Jul 2018 05:17:39 GMT
< cache-control: private, max-age=0
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< server: GSE
< alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
< 
{ [0 bytes data]
* transfer closed with 223 bytes remaining to read
* Connection #0 to host accounts.google.com left intact
curl: (18) transfer closed with 223 bytes remaining to read
msf5 auxiliary(scanner/http/http_header) > curl https://accounts.google.com
[*] exec: curl https://accounts.google.com

* Rebuilt URL to: https://accounts.google.com/
*   Trying 172.217.22.237...
* TCP_NODELAY set
* Connected to accounts.google.com (172.217.22.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [100 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2341 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=accounts.google.com
*  start date: Jun 19 11:32:59 2018 GMT
*  expire date: Aug 28 11:31:00 2018 GMT
*  subjectAltName: host "accounts.google.com" matched cert's "accounts.google.com"
*  issuer: C=US; O=Google Trust Services; CN=Google Internet Authority G3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55aa7f3ef370)
} [5 bytes data]
> GET / HTTP/2
> Host: accounts.google.com
> User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
> Accept: */*
> Referer: 
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 302 
< content-type: text/html; charset=UTF-8
< strict-transport-security: max-age=31536000; includeSubDomains
< x-frame-options: DENY
< content-security-policy: script-src 'unsafe-inline' 'unsafe-eval' https: http:;object-src 'none';base-uri 'self';report-uri /cspreport
< location: https://accounts.google.com/ManageAccount
< content-length: 223
< date: Mon, 30 Jul 2018 05:16:44 GMT
< expires: Mon, 30 Jul 2018 05:16:44 GMT
< cache-control: private, max-age=0
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< server: GSE
< alt-svc: quic=":443"; ma=2592000; v="44,43,39,35"
< 
{ [5 bytes data]
* Connection #0 to host accounts.google.com left intact
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://accounts.google.com/ManageAccount">here</A>.
</BODY>
</HTML>
msf5 auxiliary(scanner/http/http_header) > 

[firefart]

PS: also happens if I "force" IPv4:

msf5 auxiliary(scanner/http/http_header) > run

[*] 172.217.22.237:443   : requesting / via HEAD
[-] 172.217.22.237:443   : connection timed out
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_header) > options

Module options (auxiliary/scanner/http/http_header):

   Name         Current Setting                                                        Required  Description
   ----         ---------------                                                        --------  -----------
   HTTP_METHOD  HEAD                                                                   yes       HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, seperated by comma
   Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       172.217.22.237                                                         yes       The target address range or CIDR identifier
   RPORT        443                                                                    yes       The target port (TCP)
   SSL          true                                                                   no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                                                                      yes       The URI to use
   THREADS      1                                                                      yes       The number of concurrent threads
   VHOST        accounts.google.com                                                    no        HTTP server virtual host

msf5 auxiliary(scanner/http/http_header) > 

[todb-r7]

This was a 4 year old bug when this last got tested. I suppose it's on me to test it again to reconfirm its bugitude.

[ccondon-r7]

I suppose it is, @todb-r7! Can you add the confirmed label if it's still an issue?

[adfoster-r7]

Confirmed still an issue in Metasploit 5.0.91

msf5 > use auxiliary/scanner/http/http_header
msf5 auxiliary(scanner/http/http_header) > set RHOSTS accounts.google.com
RHOSTS => accounts.google.com
msf5 auxiliary(scanner/http/http_header) > set RPORT 443
RPORT => 443
msf5 auxiliary(scanner/http/http_header) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf5 auxiliary(scanner/http/http_header) > set verbose true
verbose => true
msf5 auxiliary(scanner/http/http_header) > run

[*] 2a00:1450:4009:817::200d:443: requesting / via HEAD
[-] 2a00:1450:4009:817::200d:443: connection timed out
[*] Scanned 1 of 2 hosts (50% complete)
[*] 216.58.204.237:443   : requesting / via HEAD
[-] 216.58.204.237:443   : connection timed out
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed