[HN Gopher] Confusion Attacks: Exploiting Hidden Semantic Ambigu...
___________________________________________________________________
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache
HTTP Server
Author : tptacek
Score : 5 points
Date : 2024-08-09 05:47 UTC (1 day ago)
(HTM) web link (blog.orange.tw)
(TXT) w3m dump (blog.orange.tw)
| tptacek wrote:
| These are pretty beautiful attacks, which build off what I think
| are two basic issues Apache deals with that other webservers
| don't:
|
| * A maybe ill-advised architecture where lots of independently-
| developed modules cooperate to handle a request, all working on
| an over-complicated under-specified request "object".
|
| * The requirement to honor `httpd.conf` file structures dating
| back to the 1990s, which has led to legacy support code paths
| that do surprising things.
|
| The core of this article is a two-step attack that exploits (1)
| the fact that modules alternately interpret `request->filename`
| as a filename _and_ as a URL, which allows attackers to truncate
| URLs at path separator characters, which by itself can slip you
| past some basic ACLs, and (2) the fact that Apache will try to
| serve requests both with and without the `DocumentRoot` applied,
| which, combined with the first attack pattern, means that config
| directives that have attacker-controlled targets give attackers
| full filesystem access. Hilarity ensues.
|
| There's a really slick attack here that takes you from CRLF-
| injection to SSRF and RCE, which is neat, because CRLF-injection
| ("header splitting") would ordinarily not be that interesting of
| an attack.
|
| This is great stuff that just makes me wish more people ran
| Apache in 2024.
___________________________________________________________________
(page generated 2024-08-10 23:00 UTC)