OSEC

From: Auriemma Luigi (aluigi_at_pivx.com)
Date: Fri Aug 16 2002 - 12:01:29 CDT


    ######################################################################

    Auriemma Luigi, PivX security advisory AL#001

    Application: Apache WebServer (http://httpd.apache.org)
    Version: 2.0.39 and previous 2.0.x, ONLY on systems that support
                 backslash path delimiters (Win/Netware/OS2 etc...)
    Bug: Directory traversal vulnerability and path disclosure
    Risk (high): An attacker can view ANY file on the system and execute
                 code on it.
                 An attacker can view the path where the server is
                 located.
    Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
                 e-mail: aluigi@pivx.com

    CAN-2002-0654
    CAN-2002-0661

    ######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy

    ----------------------------------------------------------------------

    1) Introduction

    The directory traversal bug I have found can be classified as a high
    risk bug, and the path disclosure as a low risk one.
    With the first bug an attacker can read every file on the system and
    execute it using the /cgi-bin/ path.
    The bug was reported to the Apache Group some minutes after it was
    discovered, and it was quickly fixed.
    The second bug is instead a simple path disclosure, useful for
    obtaining more info about the server (important if the administrator
    hides some information).

    - IMPORTANT NOTE -

    The ASF recommends that all Win32, Netware and OS2 users immediately
    upgrade to 2.0.40 or, as a temporary measure, apply the fix suggested
    in the Fix section of this advisory.
    It is also suggested that users of any of the un*x flavors consider
    upgrading to 2.0.40 to eliminate the path-revealing bugs, which apply
    to all versions.

    ----------------------------------------------------------------------

    2) Bug

    A) CAN-2002-0654
    ----------------

    This bug is not dangerous by itself, because it gives neither remote
    access to the system nor access to other data, but for an attacker it
    is useful in gathering detailed information about the server before
    launching other malicious attacks.
    With this bug we can see the path where Apache is installed, so we
    know whether the server runs on a Windows machine, whether it is the
    second version of Apache (Apache2) and naturally the server version
    (all of this info is useful if the administrator has obscured the
    Server field or other info about the server; so if the bug is present
    we know, for example, that the installed Apache is a version prior to
    2.0.40).

    Let's go through the example.

    From the browser we must insert the following string:
    http://127.0.0.1/error/HTTP_NOT_FOUND.html.var

    Then the server will answer with this page:

    |Not Acceptable
    |
    |An appropriate representation of the requested resource /error/HTTP_NOT_FOUND.html.var could not be found on this server.
    |Available variants:
    |
    | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de
    | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en
    | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language es
    | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language fr

    As we can see, the server answers with the full path of the file we
    have requested.
    We can request any of the .var files in the error folder and we will
    get the same result.

    More detailed info can be found on the Apache website
    http://httpd.apache.org

    ---

    B) CAN-2002-0661
    ----------------

    The problem is in the handling of the bad chars that can be used to
    launch some attacks, such as directory traversal. In fact the
    backslash char ('\' == %5c) is not checked as a bad char, so it can
    be used for walking the directories of systems that use it as a path
    delimiter (Windows, Netware, OS2 and others).

    Another problem is that the attacker can then execute commands on the
    remote host simply by using the /cgi-bin/ path.

    The following are two simple examples.

    To view the file winnt\win.ini:
    http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

    To run the wintty utility in the Apache2/bin folder:
    http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

    In human readable form, they mean:
    http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
    http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO

    So in the first example we climb to the root path with
    \..\..\..\..\ because we start in
    "c:\program files\Apache Group\Apache2\error". In the second example
    we instead use the /cgi-bin/ path and pass arguments with
    "file.exe?arg1+arg2+arg3+...".

    More detailed info can be found on the Apache website
    http://httpd.apache.org

    ----------------------------------------------------------------------

    3) The Code

    See the examples in section 2.

    ----------------------------------------------------------------------

    4) Fix

    Upgrade to Apache 2.0.40 from the Apache website
    (http://httpd.apache.org)

    Alternatively, this is the simple workaround suggested by the Apache
    Group for the directory traversal bug:

    --- A simple one line workaround in the httpd.conf file will disallow
    the vulnerability. Prior to the first 'Alias' or 'Redirect' directive,
    add the following directive to the global server configuration:

    RedirectMatch 400 "\\\.\."

    ---
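    As a worked example of the checks a defender wants for the three
    things described above (the .var path disclosure in 2A, the backslash
    traversal in 2B and the RedirectMatch workaround in this section),
    here is detection code added to this page; it is not part of the
    advisory and not Apache's own code. It percent-decodes each logged
    request target once, then (a) applies the Apache Group's workaround
    pattern, on the assumption that after httpd strips the config-string
    escaping the regex matches a literal backslash followed by two dots,
    (b) canonicalises the path treating backslash and slash alike and
    reports when a '..' climbs out of the aliased directory, and
    (c) flags type-map requests under /error/. The Common Log Format
    lines, client addresses, alias prefixes and finding labels are all
    constructed for the example.

```python
import re
from urllib.parse import unquote

# Effective pattern of the Apache Group workaround, RedirectMatch 400 "\\\.\."
# Assumption (not stated on the page): once httpd strips the config-string
# escaping, the regex is a literal backslash followed by two literal dots,
# i.e. the sequence \.. anywhere in the percent-decoded request path.
WORKAROUND_RE = re.compile(r"\\\.\.")

# Type-map requests under the error directory (the CAN-2002-0654 probe).
VAR_PROBE_RE = re.compile(r"^/error/[^/\\]+\.var$", re.IGNORECASE)

# Aliased URL prefixes taken from the advisory's examples (constructed
# list); a '..' that climbs above one of them leaves the aliased directory.
ALIASED_PREFIXES = ("/error/", "/cgi-bin/")

# Common Log Format line; the constructed sample lines below follow it.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def decoded_path(target):
    """Drop the query string and percent-decode the path exactly once, as
    httpd does before mod_alias sees it. Decoding once means a double-encoded
    %255c becomes '%5c', not a backslash, so it is not treated as a separator."""
    return unquote(target.split("?", 1)[0])


def climbs_above(relative):
    """Walk the path segments treating '/' and '\\' alike as separators (what
    2.0.39 on Win32 failed to do) and report whether a '..' segment ever rises
    above the starting directory. 'a..b' is an ordinary name, not a '..'."""
    depth = 0
    for seg in re.split(r"[\\/]+", relative):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def escapes_mapping(path):
    """True when the decoded path leaves the directory its URL prefix maps
    to: the part after an alias prefix must stay inside that alias target,
    anything else must stay inside the document root."""
    lowered = path.lower()
    for prefix in ALIASED_PREFIXES:
        if lowered.startswith(prefix):
            return climbs_above(path[len(prefix):])
    return climbs_above(path)


def classify(target):
    """Return the list of findings for one request target (path plus query)."""
    path = decoded_path(target)
    findings = []
    if WORKAROUND_RE.search(path):
        findings.append("backslash traversal (matches RedirectMatch workaround)")
    if escapes_mapping(path):
        findings.append("leaves mapped directory after canonicalisation")
    if VAR_PROBE_RE.match(path):
        findings.append("type-map request under /error/ (path disclosure probe)")
    return findings


def scan_log(text):
    """Return (client, target, findings) for every suspicious CLF line."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((m.group("host"), m.group("target"), findings))
    return hits


# Constructed sample log: two benign requests, the advisory's own three
# example URLs, and a forward-slash traversal the workaround alone misses.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2002:12:01:29 -0500] "GET /index.html HTTP/1.1" 200 1532
10.0.0.5 - - [16/Aug/2002:12:01:30 -0500] "GET /error/HTTP_NOT_FOUND.html.var HTTP/1.1" 406 812
10.0.0.5 - - [16/Aug/2002:12:01:31 -0500] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.1" 200 403
10.0.0.5 - - [16/Aug/2002:12:01:32 -0500] "GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.1" 200 57
10.0.0.7 - - [16/Aug/2002:12:05:00 -0500] "GET /docs/a..b/index.html HTTP/1.1" 200 2210
10.0.0.7 - - [16/Aug/2002:12:05:01 -0500] "GET /error/../../winnt/win.ini HTTP/1.1" 404 292
"""

if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, target)
        for finding in findings:
            print("   -", finding)
```

    Two points the run makes visible: the workaround pattern catches only
    the backslash form, which is all the Win32 bug needs, while the
    canonicalisation check also flags the /.. form; and the depth check
    is done relative to the aliased directory, because \..\bin under
    /cgi-bin/ never rises above the URL root yet still leaves the
    ScriptAlias target (the Apache2/bin case in section 2).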

    ----------------------------------------------------------------------

    5) Philosophy

    I'm really hopeful about the FULL-DISCLOSURE policy, because with it
    "everyone" can know the real effects of an attack, the real danger of
    a bug, someone can learn a bit of creative programming (I have learned
    a bit of interesting C from the source code of some published exploits
    under this policy) and it's useful for all the people that are hopeful
    about this type of disclosure. No secrets!

    ----------------------------------------------------------------------

    About PivX Solutions

    PivX Solutions is a premier network security consultancy offering a
    myriad of network security services to our clients, the most notable
    being our proprietary Risk and Vulnerability Assessment (RAVA).
    Dedicated PivX founders have also developed the patented Invisiwall
    network security device, which offers the most comprehensive and
    secure intrusion detection system available.

    For more information go to http://www.PivX.com

    Any type of feedback is really welcome!

    Byez

    -- PivX Security Researcher