Apache Reverse Proxy Security Bypass Vulnerability (CVE-2011-4317)

Document created by Prutha Parikh on May 4, 2012. Last modified by Robert Dell'Immagine on May 8, 2012.

INTRODUCTION

The Apache HTTP Server is a freely available Web server. The Apache HTTP Server ("httpd") is a project of The Apache Software Foundation.

Depending on the reverse proxy configuration, Apache HTTP Server is prone to a vulnerability that could allow access to internal systems from the Internet. If a malformed request URI containing a scheme is constructed, the proxy restrictions can be bypassed.

Successful exploitation requires the use of “ProxyPassMatch” and “RewriteRule” configuration directives with a certain pattern match.

This problem was confirmed in the following version of Apache HTTP Server, but other versions may also be affected.

Apache HTTP Server 2.2.21

Affected Versions:

Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place.

Patch:

Apache addressed the vulnerability in Apache HTTP Server Version 2.2.22 (http://httpd.apache.org/security/vulnerabilities_22.html).

CVSS Scoring System

The CVSS score is: 4.3

            Base Score: 4.3

            Temporal Score: 3.4

We used the following values to calculate the scores:

            Base score is: AV:N/AC:M/Au:N/C:N/I:P/A:N

            Temporal score is: E:POC/RL:O/RC:C

TRIGGERING THE PROBLEM

To trigger the problem, the following two proofs of concept can be used.

POC 1

GET @localhost::<PORT>, where <PORT> is any port number being requested.

POC 2

GET <random_string>:@<internalservername>, where <random_string> is any string and <internalservername> is the domain of the internal server being requested.

DETAILS

Example for POC1:

GET @localhost::8880 HTTP/1.0\r\n\r\n

Upon receiving the request, Apache translates the URL by applying the rewrite rules. The "uri" extracted is ":8880", which gets appended, resulting in the URL http://www.example.com:8880. The "uri" extracted in this case is everything following the first occurrence of the colon (:) in the request. Since the crafted request has two colons (::), the second colon is treated as being part of the URI.

So, if www.example.com has a service listening on port 8880, a malicious user has gained access to that page through the proxy.

Example for POC2:

GET qualys:@qqq.qq.qualys.com HTTP/1.0\r\n\r\n

Upon receiving the request, Apache translates the URL by applying the rewrite rules. The "uri" extracted is "@qqq.qq.qualys.com", which gets appended, resulting in the URL http://www.example.com@qqq.qq.qualys.com. The "uri" extracted in this case is everything following the first occurrence of the colon (:) in the request.

This is treated as <username>@<host>, giving access to <host> if no authentication is required.

In order to exploit this vulnerability, a malicious user either needs to identify an open port on an internal server and send a crafted request as shown in the example for POC1, or needs to craft a request naming an internal server as shown in the example for POC2.
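
As an added illustration (not part of this advisory and not httpd's own code), the following Python models the behaviour described above: a request-target that does not begin with a slash is reduced to everything after its first colon, and that fragment is substituted into the proxy rule, so a rule with a "/" before the backreference never matches such a fragment. It also audits a constructed httpd.conf fragment for RewriteRule/ProxyPassMatch rules whose pattern admits such targets and whose substitution glues $1 directly onto the host; the sample rules and the unsafe-shape heuristic are assumptions made for this example.

```python
import re
# Constructed httpd.conf fragment (assumed rules for illustration; the advisory
# does not quote a configuration). Rules 2 and 3 glue "$1" straight onto the
# host; rules 4 and 5 keep a "/" between host and backreference.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^(.*) http://www.example.com$1 [P]
ProxyPassMatch ^(.*) http://www.example.com$1
RewriteRule ^/(.*) http://www.example.com/$1 [P]
ProxyPassMatch ^/app/(.*) http://www.example.com/app/$1
"""

RULE_RE = re.compile(r"^\s*(RewriteRule|ProxyPassMatch)\s+(\S+)\s+(\S+)(?:\s+\[(.*)\])?\s*$")

def extract_uri(request_target):
    # Simplified model of the parsing the advisory describes: a request-target
    # that does not start with "/" is reduced to everything after its first colon.
    if request_target.startswith("/") or ":" not in request_target:
        return request_target
    return request_target.split(":", 1)[1]

def proxied_url(pattern, substitution, request_target):
    # Backend URL a proxy rule would build for the request, or None if the
    # rule's pattern does not match the extracted uri (request is not proxied).
    uri = extract_uri(request_target)
    if re.match(pattern, uri) is None:
        return None
    template = re.sub(r"\$(\d)", r"\\\1", substitution)  # "$1" -> "\1"
    return re.sub(pattern, template, uri, count=1)

def is_unsafe(pattern, substitution):
    # Unsafe shape: pattern can match a uri that does not start with "/", and the
    # substitution places a backreference directly after scheme://host.
    m = re.match(r"^[a-z]+://[^/$]*", substitution)
    return m is not None and substitution[m.end():].startswith("$") and not pattern.startswith("^/")

def audit(conf_text):
    # (line number, directive, pattern, substitution) for each proxying rule of
    # the unsafe shape; RewriteRule counts only with the [P] (proxy) flag.
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        directive, pattern, subst, flags = m.groups()
        proxying = directive == "ProxyPassMatch" or (flags is not None and "P" in flags.split(","))
        if proxying and is_unsafe(pattern, subst):
            findings.append((lineno, directive, pattern, subst))
    return findings
```

audit(SAMPLE_CONF) reports lines 2 and 3, and proxied_url("^(.*)", "http://www.example.com$1", "@localhost::8880") yields http://www.example.com:8880, while the same request against the rule with a slash before $1 is not proxied at all.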

CREDITS

This vulnerability was discovered by Prutha Parikh, Qualys Vulnerability Signature/Research Team.
