>From: Auriemma Luigi <[EMAIL PROTECTED]>
>Organization: PivX
>To: [EMAIL PROTECTED]
>Subject: Apache 2.0.39 directory traversal and path disclosure bug
>Date: Fri, 16 Aug 2002 17:01:29 +0000
>
>######################################################################
>
>Auriemma Luigi, PivX security advisory AL#001
>
>Application: Apache WebServer (http://httpd.apache.org)
>Version: 2.0.39 and previous 2.0.x, ONLY on systems that support
> backslash path delimiters (Win/Netware/OS2 etc...)
>Bug: Directory traversal vulnerability and path disclosure
>Risk (high): An attacker can view ANY file in the system and execute
> code on it.
> An attacker can view the path where the server is
> located.
>Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
> e-mail: [EMAIL PROTECTED]
>
>CAN-2002-0654
>CAN-2002-0661
>
>######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>5) Philosophy
>
>----------------------------------------------------------------------
>
>1) Introduction
>
>The bug I have found about the directory traversal can be classified
>as a high risk bug and the path disclosure as a low risk.
>With the first bug an attacker can see every file in the system and
>execute it using the /cgi-bin/ path.
>The bug was shown to the Apache Group some minutes after it was
>discovered. The bug was quickly fixed.
>The second bug instead is a simple path disclosure bug, useful for
>obtaining more info about the server (important if the administrator
>hides some information).
>
>- IMPORTANT NOTE -
>
>The ASF recommends all Win32, Netware and OS2 users immediately
>upgrade to the 2.0.40 or, temporarily, apply the fix suggested in the
>Fix section of this advisory.
>It is also suggested that users of the un*x flavors should consider
>upgrading to 2.0.40 to eliminate the path-revealing bugs that apply to
>all versions.
>
>
>----------------------------------------------------------------------
>
>2) Bug
>
>A) CAN-2002-0654
>----------------
>
>The bug is not dangerous because it does not give remote access to the
>system or other data accesses but for an attacker it is useful in
>gathering detailed information about the server to launch other
>malicious attacks.
>With this bug we can see the path where Apache is installed, so we can
>know if the server runs on a Windows machine, if it is the second
>version of Apache (Apache2) and naturally the server version (all of
>this info is useful if the administrator has obscured the Server
>field or other info about the server, so if the bug is present, we
>know for example that the Apache installed is a version prior to
>2.0.40).
>
>However, let's go with the example.
>
>From the browser we must insert the following string:
>http://127.0.0.1/error/HTTP_NOT_FOUND.html.var
>
>Then the server will answer with this page:
>
>|Not Acceptable
>|
>|An appropriate representation of the requested resource
>/error/HTTP_NOT_FOUND.html.var could not be found on this server.
>|Available variants:
>|
>| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
>text/html, language de
>| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
>text/html, language en
>| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
>text/html, language es
>| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type
>text/html, language fr
>
>As we can see, the server answers with the full path of the file we
>have requested.
>We can request all the .var files in the error folder and we will have
>the same result.
>
>More detailed info can be found on the Apache website
>http://httpd.apache.org
>
>---
>
>B) CAN-2002-0661
>----------------
>
>The problem is in the management of the bad chars that can be used to
>launch some attacks, such as the directory traversal. In fact the
>backslash char ('\' == %5c) is not checked as a bad char, so it can be
>used for seeking the directories of systems that use it as a path
>delimiter (Windows, Netware, OS2 and others).
>
>Then another problem is that the attacker can execute commands on the
>remote host simply using the /cgi-bin/ path.
>
>The following are two simple examples.
>
>to view the file winnt\win.ini:
>http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
>
>to run the wintty utility in the Apache2/bin folder:
>http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO
>
>In human readable form, they mean:
>http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
>http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO
>
>So in the first example we go down to the root path with \..\..\..\..\
>because we are in "c:\program files\Apache Group\Apache2\error".
>In the second example instead we use the /cgi-bin/ path and we pass
>arguments with "file.exe?arg1+arg2+arg3+...".
>
>
>More detailed info will be found on the Apache website
>http://httpd.apache.org
>
>
>----------------------------------------------------------------------
>
>3) The Code
>
>Look at the examples in section 2.
>
>----------------------------------------------------------------------
>
>4) Fix
>
>Apache 2.0.40 from Apache website (http://httpd.apache.org)
>
>However this is a simple workaround suggested by the Apache Group for
>the directory traversal bug:
>
>---
>A simple one line workaround in the httpd.conf file will disallow the
>vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add
>the following directive to the global server configuration:
>
>RedirectMatch 400 "\\\.\."
>
>---
>
>----------------------------------------------------------------------
>
>5) Philosophy
>
>I'm really hopeful about the FULL-DISCLOSURE policy, because with it
>"everyone" can know the real effects of an attack, the real danger of
>a bug, someone can learn a bit of creative programming (I have learned
>a bit of interesting C from the source code of some published
>exploits under this policy) and it's useful for all the people that
>are hopeful in this type of disclosure.
>No secrets!
>
>----------------------------------------------------------------------
>
>About PivX Solutions
>PivX Solutions is a premier network security consultancy offering a
>myriad of network security services to our clients, the most notable
>being our proprietary Risk and Vulnerability Assessment (RAVA).
>Dedicated PivX founders have also developed the patented Invisiwall
>network security device which offers the most comprehensive and secure
>intrusion detection system available.
>
>For more information go to http://www.PivX.com
>
>
>
>Any type of feedback is really welcome!
>
>Byez
>
>
>
>--
>PivX Security Researcher
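The point of CAN-2002-0661 above is that a traversal check keyed on the forward slash alone misses '\..' on platforms that accept the backslash as a path delimiter. The following is an added detection example, not code from the advisory, from Apache or from PivX: it percent-decodes a request target, treats both delimiters alike, and scans a few constructed Common Log Format lines (hosts, timestamps and sizes are invented; the two encoded traversal paths are the ones quoted in the advisory). The `slash_only_check` function is included only to show what the weaker check misses.

```python
"""Detect backslash-based directory traversal in HTTP request paths.

Added example: the log lines below are constructed, not captured from a
real server; the two %5c%2e%2e paths are the ones quoted in the advisory.
"""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (hosts, timestamps and sizes invented).
SAMPLE_LOG = """\
127.0.0.1 - - [16/Aug/2002:17:01:29 +0000] "GET /error/HTTP_NOT_FOUND.html.var HTTP/1.0" 406 512
127.0.0.1 - - [16/Aug/2002:17:01:30 +0000] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 200 1024
127.0.0.1 - - [16/Aug/2002:17:01:31 +0000] "GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.0" 200 64
127.0.0.1 - - [16/Aug/2002:17:01:32 +0000] "GET /index.html HTTP/1.0" 200 2048
127.0.0.1 - - [16/Aug/2002:17:01:33 +0000] "GET /docs/../index.html HTTP/1.0" 200 2048
"""

# Pulls the request target out of the quoted request line of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def decode_path(target: str, max_rounds: int = 3) -> str:
    """Strip the query string and percent-decode until the value is stable.

    Repeated decoding also catches double-encoded sequences such as %255c;
    the round limit keeps pathological input from looping forever.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def slash_only_check(target: str) -> bool:
    """The insufficient check: flag '..' only when delimited by '/'.

    This is the gap the advisory describes: the backslash is never treated
    as a delimiter, so a decoded '\\..\\' sequence passes untouched.
    """
    path = decode_path(target)
    return "/../" in path or path.endswith("/..")


def traversal_check(target: str) -> bool:
    """Flag '..' as a path segment with either '/' or '\\' as the delimiter."""
    path = decode_path(target).replace("\\", "/")
    return any(segment == ".." for segment in path.split("/"))


def flagged_requests(log_text: str) -> list:
    """Return the decoded request paths in the log that contain a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and traversal_check(match.group("target")):
            hits.append(decode_path(match.group("target")))
    return hits


if __name__ == "__main__":
    for path in flagged_requests(SAMPLE_LOG):
        print("traversal:", path)
```

Run against the constructed log, the slash-only check flags just the `/docs/../index.html` line, while `traversal_check` also flags both backslash-encoded requests from the advisory. Normalising the delimiter before splitting into segments, rather than searching for a fixed substring, is what makes the check platform-independent.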