Apache HTTP Server

A recent research presentation at Black Hat USA 2024 revealed architectural vulnerabilities in the Apache HTTP Server, a widely used web server.

The research highlights several forms of technical debt within httpd, including three types of Confusion Attacks, nine new vulnerabilities, 20 exploitation techniques, and over 30 case studies.

Apache HTTP Server is built on a modular design in which hundreds of small modules work together to handle HTTP requests. These modules rely on a shared request_rec structure for synchronization, communication, and data exchange.


As an HTTP request passes through its various phases, modules modify this structure as needed.

While this collaboration lets each module focus on its particular task, the complexity grows sharply once it is scaled to hundreds of modules.

According to Orange Tsai's research, the modules' lack of a deep understanding of one another, together with the absence of strict development guidelines, creates gaps and inconsistencies that leave the system open to exploitation.

Nine Discovered Vulnerabilities

The research uncovered nine new vulnerabilities in the Apache HTTP Server, including:

  • CVE-2024-38472 – Apache HTTP Server on Windows UNC SSRF
  • CVE-2024-39573 – Apache HTTP Server proxy encoding problem
  • CVE-2024-38477 – Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
  • CVE-2024-38476 – Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
  • CVE-2024-38475 – Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
  • CVE-2024-38474 – Apache HTTP Server weakness with encoded question marks in backreferences
  • CVE-2024-38473 – Apache HTTP Server proxy encoding problem
  • CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
  • CVE-2024-?????? – Yet to be fixed

Confusion Assaults

Confusion Attacks are a new class of attack surface that exploits the internal mechanisms and architectural design of Apache HTTP Server.

These attacks arise when different modules within the server fail to fully understand one another, producing ambiguities in how they interpret the same fields. The result can be real security risks, including access control and authentication bypasses.

The research identified three major types of Confusion Attacks, targeting filename confusion, DocumentRoot confusion, and handler confusion:

  1. Filename Confusion: occurs when some modules treat the r->filename field as a URL while others treat it as a filesystem path. The inconsistency leads to security issues such as path truncation and access control bypasses.
  2. DocumentRoot Confusion: occurs when a rewritten path is resolved both with and without the DocumentRoot prefix, letting attackers reach files and directories outside the web root.
  3. Handler Confusion: occurs when a response's Content-Type is allowed to stand in for a handler (the legacy overlap between AddType and AddHandler), letting attackers invoke handlers the administrator never meant to expose.

1. Filename Confusion

This vulnerability arises from inconsistent handling of the r->filename field in Apache HTTP Server: some modules treat it as a filesystem path, while others, such as mod_rewrite, treat it as a URL. The inconsistency leads to several security issues:

  • Path Truncation: because the rewritten value is still handled as a URL, mod_rewrite cuts the path at a question mark (sent URL-encoded as %3F), potentially allowing attackers to bypass security checks and reach unintended files.
  • Mislead RewriteFlag Assignment: attackers can craft request paths that match a RewriteRule pattern so that its flags (such as a handler assignment) are applied to a different file than the administrator intended, enabling the execution of unauthorized scripts.
  • ACL Bypass: inconsistencies between mod_proxy and other modules that interpret r->filename differently can allow attackers to bypass access controls, particularly when file-based access controls (such as <Files>) are used.

2. DocumentRoot Confusion

This attack leverages the confusion between paths with and without the DocumentRoot prefix. Apache HTTP Server attempts to access both, which can lead to unintended file access:

  • Source Code Disclosure: attackers can read the source code of server-side scripts (e.g., CGI, PHP) by exploiting this confusion, especially when file paths are exposed outside the web root.
  • Local Gadgets Manipulation: by reaching files in directories such as /usr/share, attackers can abuse local scripts or configurations to perform unauthorized actions, including information disclosure, XSS, LFI, SSRF, and even RCE.
  • Jailbreak from Local Gadgets: the FollowSymLinks option lets attackers use symbolic links found under /usr/share to reach sensitive files or escalate their attacks, potentially leading to full server compromise.
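To make the two mechanisms concrete, the following Python script is an added example, not code from the research or from the Apache project: a deliberately simplified model of how a server-context RewriteRule substitution becomes r->filename, covering both the Filename Confusion and the DocumentRoot Confusion sections above. The toy filesystem, DocumentRoot, rule patterns and request paths are constructed for the example. The hardened mode models the 2.4.60 behavior described in the CVE-2024-38474 and CVE-2024-38475 advisories, where such rules now fail unless the UnsafeAllow3F or UnsafePrefixStat flag is given; the model is not Apache's own code path.

```python
import os
import re
from urllib.parse import unquote

# Constructed toy filesystem for the model; nothing here is read from disk.
DOCUMENT_ROOT = "/var/www/html"
EXISTING_FILES = {
    "/var/www/html/index.html",
    "/var/www/html/admin.php",
    "/usr/local/lib/php/pearcmd.php",   # a "local gadget" outside DocumentRoot
}
# Every ancestor directory of the files above "exists" for the prefix stat.
EXISTING_DIRS = set()
for _f in EXISTING_FILES:
    _d = os.path.dirname(_f)
    while _d and _d != "/":
        EXISTING_DIRS.add(_d)
        _d = os.path.dirname(_d)


def expand_rule(request_uri, pattern, substitution):
    """Server-context RewriteRule model: match the percent-decoded path (r->uri)
    and expand $N backreferences. Returns (expanded, first_segment_is_backref)
    or None when the rule does not match."""
    path = unquote(request_uri.split("?", 1)[0])
    m = re.match(pattern, path)
    if m is None:
        return None
    expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", substitution)
    backref_first = re.match(r"^/?\$\d", substitution) is not None
    return expanded, backref_first


def resolve_filename(request_uri, pattern, substitution, hardened=False, flags=()):
    """Model of what happens to the substitution once it becomes r->filename.

    Filename Confusion: the value is still handled as a URL, so the first '?'
    starts a query string and everything after it is dropped from the path.
    DocumentRoot Confusion: if the first path segment exists on disk
    (mod_rewrite's prefix stat) the value is used as an absolute filesystem
    path; otherwise DocumentRoot is prepended.

    hardened=True models the 2.4.60 checks: a '?' introduced by a
    backreference, or a backreference as the first segment, makes the rule
    fail (None) unless the admin opted back in with the matching flag.
    """
    result = expand_rule(request_uri, pattern, substitution)
    if result is None:
        return None
    expanded, backref_first = result
    if hardened:
        if "?" in expanded and "?" not in substitution and "UnsafeAllow3F" not in flags:
            return None  # CVE-2024-38474 class: refused without [UnsafeAllow3F]
        if backref_first and "UnsafePrefixStat" not in flags:
            return None  # CVE-2024-38475 class: refused without [UnsafePrefixStat]
    path = expanded.split("?", 1)[0]          # path truncation at '?'
    first_segment = "/" + path.split("/")[1] if path.startswith("/") else path
    if first_segment in EXISTING_DIRS:        # prefix stat succeeded
        return path
    return DOCUMENT_ROOT + path


def escapes_document_root(filename):
    """True when the resolved file lies outside DocumentRoot."""
    return not filename.startswith(DOCUMENT_ROOT + "/")


if __name__ == "__main__":
    rule = (r"^/html/(.*)$", "/$1.html")
    for uri in ("/html/index", "/html/admin.php%3Fooo",
                "/html/usr/local/lib/php/pearcmd.php%3Fooo"):
        weak = resolve_filename(uri, *rule)
        print(f"{uri:45} -> {weak}  outside docroot: {escapes_document_root(weak)}")
        print(f"{'':45}    hardened: {resolve_filename(uri, *rule, hardened=True)}")
```

The first request behaves as the administrator expects. The second loses the `.html` suffix that was meant to constrain it, so `admin.php` is served instead of `admin.php?ooo.html`; the third escapes DocumentRoot entirely because `/usr` exists and passes the prefix stat. In hardened mode the rule is refused outright, which is why the page's mitigation advice pairs the upgrade with a configuration review: rules of this shape must be rewritten with a tighter capture (for example `([A-Za-z0-9_-]+)` instead of `(.*)`) before opting back in with a flag.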

3. Handler Confusion

This vulnerability arises from the interchangeable use of the AddType and AddHandler directives, leading to potential overwrites or misuse of handlers:

  • Overwrite the Handler: if a module accidentally overwrites the Content-Type, Apache can end up dispatching the request to the wrong handler, exposing PHP source code or causing other unintended behavior.
  • Invoke Arbitrary Handlers: attackers can exploit the legacy behavior in which Apache HTTP Server falls back to treating the Content-Type as the handler name when no handler has been set. By controlling response headers, they can invoke any internal module handler, leading to information disclosure, SSRF, RCE, and even access to local Unix domain sockets.

Each of these vulnerabilities shows how subtle inconsistencies and legacy behaviors in Apache HTTP Server can be exploited to compromise web servers, opening the door to a wide range of attacks.

The vulnerabilities discovered can significantly affect organizations running Apache HTTP Server. To mitigate these risks, administrators are advised to update their servers to the latest version (2.4.60) and to carefully review their configurations, since some of the fixes change behavior and can break existing rules.
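Reviewing configurations by hand does not scale, so here is an added example, not the research's tooling and not part of httpd, in Python: a small linter that flags the weak directives discussed on this page in an httpd configuration and shows a hardened equivalent beside them. The sample configuration, the check names and the messages are constructed for this example; the regular expressions are heuristics, so a finding means "review this line", not "exploitable".

```python
import re

# Constructed httpd.conf fragment for this example. The first half carries the
# weak settings discussed above, the second half a hardened equivalent.
SAMPLE_CONFIG = r"""
# --- weak ---
DocumentRoot /var/www/html
Options FollowSymLinks
AddType application/x-httpd-php .php
RewriteEngine On
RewriteRule ^/html/(.*)$ /$1.html

# --- hardened ---
Options SymLinksIfOwnerMatch
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
</FilesMatch>
RewriteRule ^/html/([A-Za-z0-9_-]+)$ /pages/$1.html
"""

# 1-based line number where the hardened half starts (used to check that the
# linter stays quiet on it).
HARDENED_START = SAMPLE_CONFIG.splitlines().index("# --- hardened ---") + 1

# (check id, regex applied to one directive line, reviewer-facing message)
CHECKS = [
    ("handler-confusion",
     r"^\s*AddType\s+application/x-httpd-php\b",
     "PHP bound via AddType: the Content-Type doubles as the handler; "
     "bind the handler explicitly with SetHandler/AddHandler instead"),
    ("documentroot-confusion",
     r"^\s*RewriteRule\s+\S+\s+/?(?:\$\d|%\{)",
     "substitution starts with a backreference or variable: the first segment "
     "is stat'ed on disk and can escape DocumentRoot (CVE-2024-38475)"),
    ("filename-confusion",
     r"^\s*RewriteRule\s+\S*\(\.\*\)\S*\s+\S*\$\d",
     "unbounded (.*) capture reused in the substitution: an encoded '?' (%3F) "
     "truncates the resulting path (CVE-2024-38474)"),
    ("documentroot-confusion",
     r"^\s*Options\b.*(?:\s|\+)FollowSymLinks\b",
     "FollowSymLinks lets local gadgets reach outside their directory through "
     "symlinks; prefer SymLinksIfOwnerMatch"),
]


def audit_config(text):
    """Return (line_no, check_id, message) for every directive line that
    matches one of CHECKS. Blank lines and comments are skipped; a line can
    produce several findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for check_id, regex, message in CHECKS:
            if re.search(regex, line):
                findings.append((line_no, check_id, message))
    return findings


if __name__ == "__main__":
    for line_no, check_id, message in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:>3}  [{check_id}] {message}")
```

Run against the sample, every finding lands in the weak half: the FollowSymLinks option, the AddType binding for PHP, and the RewriteRule that both starts its substitution with a backreference and reuses an unbounded capture. The hardened half binds PHP-FPM with an explicit SetHandler, narrows the capture so neither `?` nor `/` can appear in it, and anchors the substitution under a literal `/pages/` prefix, so nothing is reported there. The linter reads the configuration as flat lines and does not follow Include directives or per-directory .htaccess files; extend it before trusting it on a real deployment.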

The research highlights the importance of understanding the internal mechanisms and architectural design of widely used software such as Apache HTTP Server. By exposing these vulnerabilities, it helps organizations protect themselves against potential attacks and improves the overall security of the web.
