|
|
-----BEGIN PGP SIGNED MESSAGE-----=0D
Hash: SHA1=0D
=0D
[Apache2 CSRF, XSS, Memory Corruption and Denial of Service Vulnerability ]=0D
=0D
Author: sp3x=0D
=0D
Date:=0D
- - Written: 06.12.2007=0D
- - Public: 09.01.2008=0D
=0D
SecurityReason Research=0D
SecurityAlert Id: 48=0D
=0D
CVE: CVE-2007-6420=0D
CVE-2007-6421=0D
CVE-2007-6422=0D
CVE-2007-6423=0D
=0D
SecurityRisk: Low=0D
=0D
Affected Software: Apache 2.2.x (mod_proxy_balancer)=0D
Advisory URL:=0D
http://securityreason.com/achievement_securityalert/48=0D
Vendor: http://httpd.apache.org=0D
=0D
- --- 0.Description ---=0D
=0D
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.=0D
=0D
Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.=0D
=0D
mod_proxy_balancer : http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html=0D
=0D
- From apache site : "Balancer manager enables dynamic update of balancer members. You can use balancer manager to change the balance factor or a particular member, or put it in the off line mode"=0D
=0D
balancer-manager is an administrative interface which should only be accessible to trusted users. Due to the fact the SecurityRisk is Low.=0D
=0D
- --- 1. Apache2 Cross-Site Request Forgery (CSRF) Vulnerability ---=0D
=0D
During the fact that all actions are performed by GET method there exist "CSRF" .=0D
=0D
The balancer-manager should use POST for requests which have side-effects =0D
which would significantly mitigate the "CSRF" issue.=0D
=0D
- --- 2. Apache2 HTML Injection (XSS) Vulnerability ---=0D
=0D
- --- First XSS ---=0D
=0D
The HTML Injection (XSS) vulnerability exist in "mod_proxy_balancer.c" .=0D
=0D
By Enabling Balancer Manager Support we can trigger XSS vulnerability . =0D
=0D
Input passed to the :=0D
"ss" - called ""StickySession Identifier", =0D
"wr" - called "Route",=0D
"rr" - called "Route Redirect", =0D
parametrs in balancer-manager are not properly sanitised leading to execute arbitrary HTML and script code in a victim's browser.=0D
=0D
- --- Second XSS ---=0D
=0D
Input passed in the URL to "balancer-mamanger" is not properly sanitised leading to execute arbitrary HTML and script code in a victim's browser.=0D
=0D
=0D
- --- 3. Apache2 Denial of Service Vulnerability ---=0D
=0D
The Denial of Service is caused due to an error in the "balancer_handler()" function that manages the loadfactors and member status. When attacker input invalid "bb" variable while editing worker settings leads to "Denial of Service Vulnerability".=0D
=0D
- --- 4. Apache2 Memory Corruption ---=0D
=0D
The Memory corruption is caused due to an error in the "mod_proxy_balancer" when attacker input in the URL 7390 or 7506 or 7622 "A" chars.=0D
=0D
Only for Windows.=0D
=0D
- --- 4. Exploit ---=0D
=0D
SecurityReason is not going to release a exploit to the general public.=0D
Exploit was provided and tested for Apache Team .=0D
=0D
- --- 5. How to fix ---=0D
=0D
Update to Apache 2.2.7-dev=0D
=0D
http://httpd.apache.org/security/vulnerabilities_22.html=0D
=0D
- --- 6. References ---=0D
=0D
CSRF : http://www.owasp.org/index.php/Testing_for_CSRF=0D
=0D
- --- 7. Greets ---=0D
=0D
For: Maksymilian Arciemowicz ( cXIb8O3 ), Infospec, pi3, p_e_a, mpp=0D
=0D
- --- 8. Contact ---=0D
=0D
Author: sp3x=0D
Email: sp3x [at] securityreason [dot] com=0D
GPG: http://securityreason.com/key/sp3x.gpg=0D
http://securityreason.com=0D
-----BEGIN PGP SIGNATURE-----=0D
Version: GnuPG v1.2.7 (GNU/Linux)=0D
=0D
iD8DBQFHhUo6haZ93YsJSwQRAuYmAKCF5gOZ4P804moV5ybi8yjpbnvqNwCeNr9O=0D
+2Taez4t5p+5O7BZ9Yol2eg==0D
=v0YB=0D
-----END PGP SIGNATURE-----=0D