CRLF Injections

  • [+]----------------------------------[+] 
    [-]CRLF Injection Attacks            [-] 
    [-]By Ethernet                       [-] 
    [-]EnigmaGroup.9/04/07     [-] 
    [0x] Table of Contents 
    [1x] - What is a CRLF Injection? 
    [2a] - Vulnerability PoC - Comment System 
    [2b] - Vulnerability PoC - Email Form 
    [2c] - Vulnerability PoC - Header Injection  
    [3x] - Patching 
    [4x] - References 
    [5x] - Conclusion 
    [1x] What is a CRLF Injection? 
    Carriage Return Line Feed (CRLF) injections work because of improper sanitization of user input.  The carriage 
    return is essentially the same as hitting 'Enter' or 'Return', creating a new line.  The 
    carriage return can be represented in a few different ways: CR, ASCII 13 or \r.  Both the carriage 
    return and the line feed do essentially the same thing, although the line feed is represented as 
    LF, ASCII 10 or \n.  These are printer commands: the line feed tells the printer to feed 
    out one line, and the carriage return tells the printer carriage to go to the beginning of the current 
    line.  In the event you know the operating system of the target machine it will prove useful to know 
    that Windows uses CR/LF but *nix systems only use LF. 
    [2a] Vulnerability PoC - Comment System 
    To illustrate the first method of CRLF we will be using a hypothetical comment application which is 
    vulnerable to the attack.  Let's say our current comment system looks like so: 
    8/04/07  - Dave: Something is wrong with the login system? 
    09/04/07 - haZed: Yeah, you should fix it.... 
    Keep in mind both of these posts are legitimate.  To exploit the vulnerability our attacker will craft 
    a post that makes it look like he is posting as an administrator.  He will enter the following into 
    the comment box: 
    Yep, doesn't work..\n10/04/07/ - Admin I've relocated the login to, 
    you should be able to login there. 
    This extremely simple injection changes the comment output to the following: 
    8/04/07  - Dave: Something is wrong with the login system? 
    09/04/07 - haZed: Yeah, you should fix it.... 
    09/04/07 - Ethernet: Yep, doesn't work.. 
    10/04/07 - Admin: I've relocated the login to 
    As you can clearly see in the example, by posing as an administrator we are able to phish passwords 
    from the unsuspecting users.  By inserting our new line character into the post we can go down a line 
    and pretend to be an administrator.  It's a pretty neat trick. 
    [2b] Vulnerability PoC - Email Form 
    The second and final example involves a script used to send emails to other users.  The catch is that 
    you cannot see the real email address of the person you are sending to.  To exploit this we can simply 
    insert the following into the 'Subject' header: 
    Hey, it's Dave\nBcc: 
    This injection will send the email over to AND the person we originally specified in the 
    'To' column.  These mail forms can also be exploited by spammers in order to hide their identity.  By 
    using a method similar to the one above they can 'Cc' and 'Bcc' the message to hundreds of other people, spamming their 
    inboxes anonymously. 
    [2c] Vulnerability PoC - Header Injection 
    As an alternative to inserting the carriage return/line feed into an input box we can also use a program like 
    Achilles to intercept the POST headers and then modify them.  Using an example similar to the Email Form 
    example above we could change our headers like so: 
    Content-Type: application/x-www-form-urlencoded 
    Content-Length: 147 
    As you can plainly see in the above example we are able to modify the header in order to spam those email  
    [3x] Patching 
    The CRLF vulnerability is extremely easy to patch.  The following code example assumes the input is set to 
    if (preg_match('/[\r\n]/', $_POST['input'] ?? ''))   //This checks for a carriage return or line feed in the POST variable. 
    {  //start if..                                      //eregi() was removed in PHP 7; preg_match() is the PCRE equivalent, and 
    	die("CRLF Attack Detected"); //exit program if CRLF is found in the variable.  PCRE reads the \r and \n escapes itself. 
    }    //end if.. 
    I have commented the code so that you can gain an idea of how we are fixing this vulnerability. As you can see 
    it doesn't take much to thwart this vulnerability.  Sadly, not many people are implementing such a patch. 
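    Putting that patch into practice, as an added example that is not the article's own code: one CR/LF check guards both the email form from [2b] and the comment system from [2a].  The field names and addresses used below are assumed.

```php
<?php
// Added example, not code from the original article: the patch idea from [3x]
// applied to the comment system of [2a] and the e-mail form of [2b].
// Field names and the sample addresses below are assumed for illustration.

declare(strict_types=1);

// True if the value carries a carriage return (\r) or a line feed (\n).
// PCRE understands the \r and \n escapes itself, so single quotes are fine here.
function contains_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// [2b] Mail form: check every field that ends up in a header before the
// header block is assembled, so a subject of "Hey, it's Dave\nBcc: ..." is
// refused instead of silently adding a hidden recipient.
function build_mail_headers(string $from, string $subject): array
{
    foreach (['From' => $from, 'Subject' => $subject] as $name => $value) {
        if (contains_crlf($value)) {
            throw new InvalidArgumentException("CRLF Attack Detected in $name");
        }
    }
    return ['From' => $from, 'Subject' => $subject];
}

// [2a] Comment system: the post text is flattened onto one line, so a forged
// "10/04/07 - Admin ..." can never start a new line of its own.
function render_comment(string $date, string $user, string $text): string
{
    $flat = preg_replace('/[\r\n]+/', ' ', $text);
    return sprintf('%s - %s: %s', $date, $user, $flat);
}

// Constructed inputs mirroring the article's two payloads.
echo render_comment('09/04/07', 'Ethernet',
    "Yep, doesn't work..\n10/04/07 - Admin I've relocated the login"), "\n";

try {
    build_mail_headers('dave@example.com', "Hey, it's Dave\nBcc: hidden@example.com");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```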
    [4x] References 
    - PHP Eregi function used in patch 
    - General CRLF information 
    - OWASP CRLF stub article 
    [5x] Conclusion 
    Whether you're dealing with a high risk vulnerability (remote file inclusion) or a low risk one, such as this, 
    you always need to be aware of what you're dealing with.  In creating this article I hoped to enlighten some 
    of you as to how this vulnerability works.  I hope you've enjoyed this article. Feedback and constructive 
    criticism is encouraged. 
    Spread - Copy - Change ... Share and Distribute Everything