[NT] Apache Web Server Directory Traversal and Path Disclosure Vulnerability (non UNIX)

From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 18 Aug 2002 14:25:39 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Apache Web Server Directory Traversal and Path Disclosure Vulnerability (non UNIX)
------------------------------------------------------------------------

SUMMARY

The Apache server (non UNIX) has been found to contain two security
vulnerabilities: a directory traversal vulnerability and a path disclosure
vulnerability. The first allows an attacker to access any file in the file
system and, by prefixing the request with /cgi-bin/, to execute it. The
second is a simple path disclosure bug, useful for obtaining more
information about the server (important if the administrator hides such
information).

DETAILS

Vulnerable systems:
 * Apache web server version 2.0.39 and previous 2.0.x (Windows/Netware/OS2)

Immune systems:
 * Apache web server (UNIX)
 * Apache web server version 2.0.40 (Windows/Netware/OS2)

Path disclosure:
This vulnerability is not dangerous in itself, since it does not give
remote access to the system or to other data, but it is useful to an
attacker gathering detailed information about the server in preparation
for other attacks.

Example:
Request the following URL from a browser:
http://127.0.0.1/error/HTTP_NOT_FOUND.html.var

Then the server will answer with this page:
|Not Acceptable
|
|An appropriate representation of the requested resource
|/error/HTTP_NOT_FOUND.html.var could not be found on this server.
|Available variants:
|
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language de
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language en
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language es
| * C:/server/Apache Group/Apache2/error/HTTP_NOT_FOUND.html.var , type text/html, language fr

As you can see, the server answers with the full path of the file we
requested. Requesting any of the .var files in the error folder gives the
same result.

Additional information can be found on the Apache website.

Directory traversal:
The problem is in the filtering of bad characters sent by the user. In this
case the backslash character ('\' == %5c) is not filtered out, allowing
access to directories outside the HTTP root directory that normally bounds
requests.

This vulnerability is made more severe by the fact that, by prefixing the
path with /cgi-bin/, we can cause the requested file to be executed.

Examples:
The following are two simple examples:

The following will view the file winnt\win.ini:
http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

The following will execute the "wintty" utility found in the Apache2/bin
folder:
http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

The above two examples "translated":
http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO

Fix:
Apache 2.0.40 from the Apache website: http://httpd.apache.org

Workaround:
The Apache Group has also suggested a simple workaround for the directory
traversal bug:

A one-line addition to the httpd.conf file blocks the vulnerable requests.
Prior to the first 'Alias' or 'Redirect' directive, add the following
directive to the global server configuration:

RedirectMatch 400 "\\\.\."

ADDITIONAL INFORMATION

The information has been provided by Auriemma Luigi of PivX Solutions
<mailto:aluigi@pivx.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.