Once again Apache is up for discussion as another bug, similar in nature to CVE-2011-3368 identified on 10/05/2011, has been sighted in the wild. The vulnerability targets networks that utilize the reverse proxy feature provided by Apache. By utilizing reverse proxies, a Web server is able to mirror another, providing content from the server as well as improve performance with cache functionality. Additionally, reverse proxies are also used for load balancing services. A vulnerability has been discovered that, when utilizing the reverse proxy feature in apache HTTPD, will allow an attacker to access otherwise inaccessible systems on the internal network. The vulnerability in question, discovered by Prutha Parikh and currently tracked under CVE-2011-4317, currently allows for crafted requests to exploit the current stable fully patched Apache (Version 2.2.21) Web server.

The vulnerability is caused by the mod_proxy module that, when configured improperly in reverse proxy mode, will allow an attacker to send requests to various servers behind the proxy. In the proof of concept demonstrations, Prutha configures a vulnerable RewriteRule and ProxyPassMatch Rule that would leave the system vulnerable as seen below:

 

 

 

Viewing the rule in question, the vulnerability occurs at the $1. If this rule is left in place and an attacker crafts a packet such as “GET @localhost::<PORT> HTTP/1.0\r\n\r\n” , everything after the initial colon will get appended to the host in question, i.e. :8880 which will result in http://10.40.2.159:8880. Therefore, as shown in the proof of concept, by applying that crafted request, the fully patched Apache server returned http://10.40.2.159 on Port 8880 to the user. Applying the same logic, an attacker could utilize the exploit to access ports otherwise inaccessible externally.

The developers of Apache have acknowledged the vulnerability however no patch has been released to address the issue at the moment. As a workaround, modifying the Rewrite rule to include a “/” between the host and $1 will prevent the system from being vulnerable to this exploit.

 

 

References:

http://httpd.apache.org/download.cgi

http://thread.gmane.org/gmane.comp.apache.devel/46440

http://threatpost.com/en_us/blogs/new-apache-reverse-proxy-issue-uncovered-112611

https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

http://www.techworld.com.au/article/408532/unpatched_apache_reverse_proxy_flaw_allows_access_internal_network/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3368

http://www.apachetutor.org/admin/reverseproxies

Tags: ,