Vulnerability with Cisco ACE, A2 3.0 (probably all versions)

====================
Abstract:

Cisco Application Control Engine (ACE) is a hardware load balancer available as an appliance (model 4710) or as a Catalyst 6000 blade.

====================
Vulnerability:

When the ACE is used as a Server Load Balancer (SLB) and/or SSL offloader it is possible to send requests to the backend without leaving any IP address in the HTTP server logs. Any L7 HTTP attack can therefore be performed anonymously.

A bug request has been opened with Cisco TAC; it has been classified "works as designed".

====================
Configuration description:

    [Client]------[ACE]----[Backend A]
                    |
                    +------[Backend B]

When the Cisco ACE is used as an SLB or SSL offloader, the ACE in most configurations acts as an L7 proxy and the IP address of the real client is added to the HTTP client request. The backend can then log the client's real IP.

When the Cisco ACE hits any HTTP parsing error it stops tagging client requests with the IP address, but the TCP session continues: all further requests in that TCP session are not IP tagged. Since the ACE does not respect the ambiguous "implied *LWS" rules of RFC 2616 (section 2.1), it is easy to craft a request that raises a "parse error" on the ACE but is still honoured by the backend.

RFC extracts:

    The version of an HTTP message is indicated by an HTTP-Version field
    in the first line of the message.

        HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT

    HTTP/1.1 header field values can be folded onto multiple lines if the
    continuation line begins with a space or horizontal tab. All linear
    white space, including folding, has the same semantics as SP. A
    recipient MAY replace any linear white space with a single SP before
    interpreting the field value or forwarding the message downstream.

    implied *LWS
        The grammar described by this specification is word-based. Except
        where noted otherwise, linear white space (LWS) can be included
        between any two adjacent words (token or quoted-string), and
        between adjacent words and separators, without changing the
        interpretation of a field. At least one delimiter (LWS and/or

====================
ACE configuration:

In a one-arm deployment this action list adds the HTTP header x-forwarded-for, carrying the client IP, to all client requests:

    host1/Admin(config)# action-list type modify http HTTP_MODIFY_ACTLIST
    host1/Admin(config-actlist-mod)# header insert request x-forwarded-for header-value %is

====================
Attack demonstration:

This trick works against all Apache HTTP servers. In the same TCP session:

    GET / HTTP / 1 . 1
    HOST: Myserver.com
    CONNECTION: KEEP-ALIVE

    GET / HTTP/1.1
    HOST: Myserver.com
    CONNECTION: KEEP-ALIVE

Neither request will be flagged with the HTTP header "X-Forwarded-For": the first one because the ACE raised a parse error on "HTTP / 1 . 1", the second one because, since that first parse error, the ACE has stopped tagging requests with the IP header. The HTTP server log cannot tell the IP of the client.

A Cisco ACE in the path can be detected easily if the TRACE method is enabled on the backend.

====================
Links:

http://www.cisco.com/en/US/products/ps6906/index.html
http://www.ietf.org/rfc/rfc2616.txt
http://en.wikipedia.org/wiki/X-Forwarded-For
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1131842
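As an added, defender-side example (not part of the advisory): a small Python checker for a backend Apache access log that records the X-Forwarded-For header. It flags request lines that only parse under implied *LWS (the trigger described above) and any request that arrived without X-Forwarded-For at all, which in a deployment where every request passes through the ACE means the real client IP was not recorded. The log format, addresses and log lines below are constructed assumptions.

```python
import re

# Constructed sample Apache access log lines (not from the advisory). The assumed
# LogFormat is: %h %l %u %t "%r" %>s %b "%{X-Forwarded-For}i"
# where %h is the ACE's own address, since every request arrives via the proxy.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2010:13:55:36 +0200] "GET / HTTP/1.1" 200 2326 "203.0.113.7"
10.0.0.5 - - [10/Oct/2010:13:55:37 +0200] "GET / HTTP / 1 . 1" 200 2326 "-"
10.0.0.5 - - [10/Oct/2010:13:55:38 +0200] "GET /admin HTTP/1.1" 200 512 "-"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)
# Strict RFC 2616 request line: Method SP Request-URI SP HTTP-Version, with
# HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT and no LWS inside the version.
REQ_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d+\.\d+$')


def is_strict_request_line(req):
    """True if the logged request line matches the strict grammar."""
    return REQ_RE.match(req) is not None


def analyze(log_text):
    """Return (line number, finding, request line) tuples for suspicious entries.

    'malformed-request-line': the request line needs implied *LWS to parse,
        i.e. the kind of line that makes the ACE stop tagging the session.
    'missing-xff': the ACE inserted no X-Forwarded-For, so the real client IP
        is unknown for this request (whatever the cause).
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable-log-line", line))
            continue
        req, xff = m.group("req"), m.group("xff")
        if not is_strict_request_line(req):
            findings.append((lineno, "malformed-request-line", req))
        if xff in ("", "-"):
            findings.append((lineno, "missing-xff", req))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

A request from the ACE's address without X-Forwarded-For is the signal to alert on; the malformed-line finding tells you which request likely started the untagged session.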