Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3377
HistoryAug 20, 2002 - 12:00 a.m.

Apache 2.0.39 directory traversal and path disclosure bug

2002-08-2000:00:00
vulners.com
137

######################################################################

Auriemma Luigi, PivX security advisory AL#001

Application: Apache WebServer (http://httpd.apache.org)
Version: 2.0.39 and previous 2.0.x, ONLY on systems that supports
backslash path delimiters (Win/Netware/OS2 etc…)
Bug: Directory traversal vulnerability and path disclosure
Risk (high): An attacker can view ANY file in the system and execute
code on it.
An attacker can view the path where is located the
server.
Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
e-mail: [email protected]

CAN-2002-0654
CAN-2002-0661

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy


1) Introduction

The bug I have found about the directory traversal can be classified
as a high risk bug and the path disclosure as a low risk.
With the first bug an attacker can see every file in the system and
execute it using the /cgi-bin/ path.
The bug was shown to the Apache Group some minutes after it's being
discovered. The bug was quickly fixed.
The second bug instead is a simple path disclosure bug, useful for
obtaining more info about the server (important if the administrator
hide some information)

  • IMPORTANT NOTE -

The ASF recommends all Win32, Netware and OS2 users immediately
upgrade to the 2.0.40 or, temporary, apply the fix suggested in the
Fix section of this advisory.
It is also suggested that any of the un*x-flavors also should consider
upgrading to 2.0.40 to eliminate the path-revealing bugs that apply to
all versions.


2) Bug

A) CAN-2002-0654

The bug is not dangerous because it does not give remote access to the
system or other data accesses but for an attacker it is useful in
gathering detaild information about the server to launch other
malicious attacks.
With this bug we can see the path where Apache is installed, so we can
know if the server run on a Windows machine, if it is the second
version of Apache (Apache2) and naturally the server version (all of
the the info is useful if the administrator has obscured the Server
field or other info about the server, so if the bug is present, we
know for example that the Apache installed is a version prior the
2.0.40).

However let's go with the example.

>From the browser we must insert the following string:
http://127.0.0.1/error/HTTP_NOT_FOUND.html.var

Then the server will answer with this page:

|Not Acceptable
|
|An appropriate representation of the requested resource
/error/HTTP_NOT_FOUND.html.var could not be found on this server.
|Available variants:
|
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
text/html, language de
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
text/html, language en
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
text/html, language es
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
text/html, language fr

As we can see, the server answer with the full path of the file we
have requested.
We can request all the files .var in the error folder and we will have
the same result.

More detailed info can be found on the Apache website
http://httpd.apache.org


B) CAN-2002-0661

The problem is in the management of the bad chars that can be used to
launch some attacks, such as the directory traversal. In fact the
backslash char ('\' == %5c) is not checked as a bad char, so it can be
used for seeking the directories of systems that use it as a path
delimiter (Windows, Netware, OS2 and others).

Then another problem is that the attacker can execute commands on the
remote host simply using the /cgi-bin/ path.

The following are two simple examples.

for view the file winnt\win.ini:
http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

for run the wintty utility in the Apache2/bin folder:
http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

In human readable form, they mean:
http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO

So in the first example we go down to the root path with \…\…\…\…\
because we are in "c:\program files\Apache Group\Apache2\error".
Instead in the second example we use the /cgi-bin/ path and we pass
arguments with "file.exe?arg1+arg2+arg3+…".

More detailed info will be found on the Apache website
http://httpd.apache.org


3) The Code

Look the examples in section 2.


4) Fix

Apache 2.0.40 from Apache website (http://httpd.apache.org)

However this is a simple workaround suggested by the Apache Group for
the directory traversal bug:


A simple one line workaround in the httpd.conf file will disallow the
vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

RedirectMatch 400 "\\\.\."



5) Philosophy

I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits under this policy) and it's useful for all the people that
are hopeful in this type of disclosure.
No secrets!


About PivX Solutions
PivX Solutions, is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary Risk and Vulnerability Assessment (RAVA).
Dedicated PivX founders have also developed the patented Invisiwall
network security device which offers the most comprehensive and secure
intrusion detection system available.

For more information go to http://www.PivX.com

Any type of feedback is really welcome!

Byez


PivX Security Researcher