CVE-2015-2080 Analysis

CVE-2015-2080 Analysis

Jetty is a widely used java container. When developing java Web applications, jetty is used as an embedded container, which is very convenient for debugging. Many large Internet companies use it to replace tomcat. As far as I know, jetty in Alibaba is more popular than tomcat.

Gdssecurity announced a buffer zone data leakage vulnerability in jetty on June 13, February 25, 2015 and how the vulnerability was exploited.

Http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

This vulnerability may cause attackers to obtain sensitive data from http requests of other users simultaneously accessing the jetty.

There is already a translation article (http://www.bkjia.com/Article/201502/378571.html), I learned a bit, and the principle is summarized as follows:

1. jetty saves all http request content in a specific buffer when processing http requests. Each new request overwrites the buffer. Jetty uses nio, so it is mainly stored in bytebuffer.

2. After receiving the http request, jetty parses and judges the http header and http content one by one. If the http header contains non-ascii characters, an IllegalCharacter exception is thrown.

3. This exception will print some user-friendly debug information in the http return, which requires jetty to continue parsing the values in the buffer. When converting the content in the buffer into debug information, the buffer contains the content of the last normal user request because it is not fully considered. If this request is shorter than the previous request, the content of the previous request is printed together.

I drew a picture and it should be very easy to understand this vulnerability.

The blue part is the illegal data we constructed. When an exception is thrown, only the blue part of the data should be returned. However, jetty continues to read down and reads 16 bytes of the green part. It is omitted with "..." And then reads the last 16 bytes.

In this way, as long as the blue part of a specific length is constructed, all the data in the yellow part can be read and returned.

Fix:

The official website has released the repair code. Https://github.com/eclipse/jetty.project/commit/4df5647f6dfdc5fa7abb812afe9290d60b17c098

We can see that the repair method is also very simple.

for (int i = buffer.position(); i < buffer.limit(); i++) { appendContentChar(buf,buffer.get(i)); if (i == buffer.position() + 16 && buffer.limit() > buffer.position() + 32) { buf.append("..."); i = buffer.limit() - 16; } } buf.append(">>>\""); // ignore content beyond limit() return buf.toString(); 

 

Ignore content beyond limit ()

In this way, the subsequent data is not displayed, and everything is restored.