Confusion Attacks in Apache HTTP Server Let Attackers Gain Root Access Remotely


A research presentation at Black Hat USA 2024 revealed architectural weaknesses in the Apache HTTP Server (httpd), one of the most widely deployed web servers.

The research catalogues several pieces of technical debt within httpd, including three types of Confusion Attacks, nine new vulnerabilities, 20 exploitation techniques, and over 30 case studies.


Apache HTTP Server operates through a modular design, where hundreds of small modules work together to handle HTTP requests. These modules rely on a shared request_rec structure for synchronization, communication, and data exchange.

As HTTP requests pass through various phases, modules modify this structure as needed.

While this collaboration allows each module to focus on its own task, the complexity grows quickly once hundreds of modules share the same structure.

According to Orange Tsai's research, the modules lack a shared, precise understanding of how each other uses the fields of request_rec, and there are no stringent development guidelines to enforce one. The resulting gaps and inconsistencies are what make the system exploitable.


9 Discovered Vulnerabilities

The research discovered nine new vulnerabilities in the Apache HTTP Server, including:

  • CVE-2024-38472 – Apache HTTP Server on Windows UNC SSRF
  • CVE-2024-39573 – Apache HTTP Server proxy encoding problem
  • CVE-2024-38477 – Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
  • CVE-2024-38476 – Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
  • CVE-2024-38475 – Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
  • CVE-2024-38474 – Apache HTTP Server weakness with encoded question marks in backreferences
  • CVE-2024-38473 – Apache HTTP Server proxy encoding problem
  • CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
  • CVE-2024-?????? – Yet to be fixed

Confusion Attacks

Confusion Attacks are a new type of attack surface that exploits the internal mechanisms and architectural design of Apache HTTP Server.

These attacks occur when different modules within the server fail to fully understand each other, leading to ambiguities in how they interpret the same fields. The result can be access control and authentication bypasses, file disclosure, or code execution.

The research identified three types of Confusion Attacks:

  1. Filename Confusion: some modules treat the r->filename field as a URL, while others treat it as a filesystem path. This inconsistency leads to path truncation and access control bypasses.
  2. DocumentRoot Confusion: the server tries a rewritten path both with and without the DocumentRoot prefix, so a path that does not exist under the web root can be served from elsewhere on the filesystem, exposing sensitive files and directories.
  3. Handler Confusion: AddType and AddHandler are used interchangeably, and a Content-Type value can be treated as a handler name, so whoever controls the content type can change which handler runs, up to arbitrary code execution.

1. Filename Confusion

This vulnerability arises from inconsistent handling of the r->filename field: some modules treat it as a filesystem path, while others, such as mod_rewrite, treat it as a URL. This inconsistency leads to several security issues:

  • Path Truncation: when a rewritten filename is interpreted as a URL, everything after a question mark is treated as a query string and discarded. A request containing an encoded question mark (%3F) can therefore make the server open a different file from the one the rest of the pipeline checked, bypassing security checks and reaching unintended files.
  • Misleading RewriteFlags Assignment: attackers can craft requests that match RewriteRule patterns in unintended ways, tricking the server into applying the wrong handler or flags and executing scripts that were never meant to be reachable.
  • ACL Bypass: modules such as mod_proxy interpret r->filename differently from the modules that enforce file-based access controls, so directives that match on the filename (for example a <Files> block) can be sidestepped while the protected file is still served.

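The following is an added example, not code from the research or from httpd itself, that models the first and third bullets above in Python. It assumes a hypothetical vhost in which a RewriteRule maps the request path under /var/www/html and a <Files "admin.php"> block requires authentication; the request /admin.php%3Fooo.php is a constructed input. The "legacy" functions reproduce the pre-2.4.60 behaviour the article describes (access control sees the whole decoded string, the open sees the string truncated at the question mark); the "hardened" function refuses to turn a rewritten value containing "?" into a filesystem path, which is what 2.4.60 does by default unless the UnsafeAllow3F flag is set.

```python
import posixpath
from urllib.parse import unquote

# Constructed configuration for this example (hypothetical vhost).
DOCUMENT_ROOT = "/var/www/html"
PROTECTED_BASENAMES = {"admin.php"}   # what a <Files "admin.php"> block guards


def rewrite_to_filename(request_path: str) -> str:
    """Model of a RewriteRule such as ^/(.*)$ /var/www/html/$1.

    httpd has already decoded %3F to '?' in r->uri by the time mod_rewrite
    runs, so the literal '?' ends up inside r->filename.
    """
    return DOCUMENT_ROOT + unquote(request_path)


def files_acl_matches(r_filename: str) -> bool:
    """<Files> compares against the basename of r->filename as a path.

    The basename of '/var/www/html/admin.php?ooo.php' is 'admin.php?ooo.php',
    which does not equal 'admin.php', so the protected block never applies.
    """
    return posixpath.basename(r_filename) in PROTECTED_BASENAMES


def filename_as_url(r_filename: str) -> str:
    """A module that treats r->filename as a URL drops everything after the
    first '?', treating it as a query string."""
    return r_filename.split("?", 1)[0]


def serve_legacy(request_path: str) -> dict:
    """Pre-2.4.60 behaviour as modelled here: the ACL is evaluated on the full
    rewritten string, the file is opened on the truncated one."""
    r_filename = rewrite_to_filename(request_path)
    return {
        "rejected": False,
        "auth_required": files_acl_matches(r_filename),
        "file_opened": filename_as_url(r_filename),
    }


def serve_hardened(request_path: str) -> dict:
    """Hardened model: a rewritten filesystem path that still contains '?' is
    rejected outright, so the ACL check and the file open always see the same
    string.  This mirrors the 2.4.60 default (opt back in with UnsafeAllow3F)."""
    r_filename = rewrite_to_filename(request_path)
    if "?" in r_filename:
        return {"rejected": True, "auth_required": None, "file_opened": None}
    return {
        "rejected": False,
        "auth_required": files_acl_matches(r_filename),
        "file_opened": r_filename,
    }


if __name__ == "__main__":
    for path in ("/admin.php", "/admin.php%3Fooo.php"):
        print(path, "legacy:", serve_legacy(path))
        print(path, "hardened:", serve_hardened(path))
```

With the legacy model, /admin.php%3Fooo.php skips the authentication check but still opens /var/www/html/admin.php; the hardened model rejects the request before either decision is made. The practical lesson is that any access control keyed on r->filename (or on the URL) is only as good as the consistency of the modules that read that field.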
2. DocumentRoot Confusion

This attack leverages the confusion between paths with and without the DocumentRoot prefix. When a rewritten path is looked up, the server tries both forms, so a path that does not exist under the web root may still be served from the same location on the host filesystem:

  • Source Code Disclosure: attackers can read the source of server-side scripts (for example CGI or PHP files) by having them resolved as plain files outside the web root instead of being executed.
  • Local Gadgets Manipulation: by reaching files that packages install under directories such as /usr/share, attackers can abuse existing local scripts and configurations to achieve information disclosure, XSS, LFI, SSRF, or even RCE.
  • Jailbreak from Local Gadgets: because the FollowSymLinks option is commonly enabled, symbolic links that packages ship under /usr/share let attackers step out of that directory to other sensitive parts of the filesystem, potentially leading to full server compromise.

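The following added example (not code from the research or from httpd) models the DocumentRoot fallback and the symlink jailbreak described above. It builds a constructed sandbox filesystem under a temporary directory, containing a web root, a package directory under /usr/share whose "examples" entry is a symlink into /etc, and a symlink inside the web root itself; resolve_legacy reproduces the "try with the prefix, then without" lookup the article describes, and resolve_hardened never drops the prefix and additionally requires the real path to stay inside DocumentRoot, which also neutralises symlinks that point outside it.

```python
import os
import shutil
import tempfile

DOCUMENT_ROOT = "/var/www/html"


def build_sandbox() -> str:
    """Create a constructed miniature filesystem for this example and return
    its root; every path below is relative to that root."""
    root = tempfile.mkdtemp(prefix="docroot-confusion-")
    os.makedirs(os.path.join(root, "var/www/html"))
    os.makedirs(os.path.join(root, "usr/share/doc/somepkg"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "var/www/html/index.html"), "w") as fh:
        fh.write("<h1>hello</h1>\n")
    with open(os.path.join(root, "etc/secret.conf"), "w") as fh:
        fh.write("password=hunter2\n")          # constructed secret
    # A package-shipped symlink under /usr/share pointing into /etc.
    os.symlink(os.path.join(root, "etc"),
               os.path.join(root, "usr/share/doc/somepkg/examples"))
    # A symlink inside the web root pointing outside it (FollowSymLinks case).
    os.symlink(os.path.join(root, "etc"),
               os.path.join(root, "var/www/html/linked"))
    return root


def resolve_legacy(fs_root: str, docroot: str, rewritten: str):
    """Model of the behaviour the article describes: try the DocumentRoot-
    prefixed path first, then the bare path anywhere on the filesystem."""
    for candidate in (docroot + rewritten, rewritten):
        if os.path.isfile(fs_root + candidate):
            return candidate
    return None


def resolve_hardened(fs_root: str, docroot: str, rewritten: str):
    """Hardened model: always keep the DocumentRoot prefix, and reject any
    candidate whose real (symlink-resolved) path leaves DocumentRoot."""
    candidate = docroot + rewritten
    physical = os.path.realpath(fs_root + candidate)
    allowed = os.path.realpath(fs_root + docroot)
    if os.path.commonpath([physical, allowed]) != allowed:
        return None                      # escaped the web root (e.g. via symlink)
    if not os.path.isfile(physical):
        return None
    return candidate


def demo() -> dict:
    """Run both resolvers over the same constructed requests."""
    fs_root = build_sandbox()
    try:
        gadget = "/usr/share/doc/somepkg/examples/secret.conf"
        via_link = "/linked/secret.conf"
        return {
            "legacy_index": resolve_legacy(fs_root, DOCUMENT_ROOT, "/index.html"),
            "legacy_gadget": resolve_legacy(fs_root, DOCUMENT_ROOT, gadget),
            "legacy_symlink": resolve_legacy(fs_root, DOCUMENT_ROOT, via_link),
            "hardened_index": resolve_hardened(fs_root, DOCUMENT_ROOT, "/index.html"),
            "hardened_gadget": resolve_hardened(fs_root, DOCUMENT_ROOT, gadget),
            "hardened_symlink": resolve_hardened(fs_root, DOCUMENT_ROOT, via_link),
        }
    finally:
        shutil.rmtree(fs_root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} -> {value}")
```

In the legacy model the /usr/share gadget is served because the bare-path fallback finds it, and /linked/secret.conf is served because the symlink inside the web root is followed; the hardened model refuses both and still serves index.html. The realpath-plus-commonpath containment check is the same check worth applying in any code that maps user-influenced strings onto the filesystem.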
3. Handler Confusion

This vulnerability arises from the interchangeable use of the AddType and AddHandler directives: a handler may be selected from the Content-Type rather than from an explicitly configured handler, so anything that changes the content type can change which handler runs:

  • Overwrite the Handler: if a module overwrites the Content-Type of a request whose handler was only implied by AddType, httpd no longer routes the request to the script engine and serves the file as static content, exposing PHP source code or enabling other unintended behaviour.
  • Invoke Arbitrary Handlers: httpd keeps a legacy behaviour in which the Content-Type is used as the handler name. An attacker who controls a backend's response headers can therefore cause any internal module handler to be invoked, leading to information disclosure, SSRF, RCE, or even access to local Unix domain sockets.

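The following added example (not code from the research or from httpd) models the handler selection rule behind both bullets above. The handler table and the "backend"/"config" source tag on the content type are constructed for this example; dispatch_legacy reproduces the legacy rule the article describes (no handler set, so the Content-Type is used as the handler name), and dispatch_hardened only trusts a content type that came from server configuration and prefers an explicitly configured handler, which is also why setting the handler with AddHandler or SetHandler rather than implying it with AddType survives a content-type overwrite.

```python
from dataclasses import dataclass

# Constructed table of handler names and the modules that register them.
REGISTERED_HANDLERS = {
    "application/x-httpd-php": "mod_php",
    "server-status": "mod_status",
    "cgi-script": "mod_cgi",
    "proxy-server": "mod_proxy",
}
DEFAULT_HANDLER = "default-handler (serve file as-is)"


@dataclass
class Request:
    """The two request_rec fields that matter for handler selection."""
    handler: str = ""          # r->handler, set by AddHandler / SetHandler
    content_type: str = ""     # r->content_type, set by AddType or by a backend
    ct_source: str = "config"  # constructed tag: "config" or "backend"


def dispatch_legacy(r: Request) -> str:
    """Legacy rule: if no handler is set, the content type *is* the handler."""
    name = r.handler or r.content_type
    return REGISTERED_HANDLERS.get(name, DEFAULT_HANDLER)


def dispatch_hardened(r: Request) -> str:
    """Hardened rule for this example: an explicitly configured handler wins;
    a content type is used as a handler only when it came from configuration,
    never from a backend response."""
    if r.handler:
        return REGISTERED_HANDLERS.get(r.handler, DEFAULT_HANDLER)
    if r.ct_source == "config":
        return REGISTERED_HANDLERS.get(r.content_type, DEFAULT_HANDLER)
    return DEFAULT_HANDLER


def scenarios() -> dict:
    """The three situations discussed in the article, run through both rules."""
    # AddType application/x-httpd-php .php: handler implied by content type.
    addtype_php = Request(content_type="application/x-httpd-php")
    # Same request after some module overwrote the content type.
    overwritten = Request(content_type="text/plain")
    # AddHandler application/x-httpd-php .php: handler set explicitly, then
    # the content type is overwritten anyway.
    addhandler_php = Request(handler="application/x-httpd-php",
                             content_type="text/plain")
    # A backend response whose Content-Type names an internal handler.
    backend_ct = Request(content_type="server-status", ct_source="backend")
    return {
        "legacy_addtype": dispatch_legacy(addtype_php),
        "legacy_overwritten": dispatch_legacy(overwritten),
        "legacy_backend_ct": dispatch_legacy(backend_ct),
        "hardened_backend_ct": dispatch_hardened(backend_ct),
        "hardened_addhandler_overwritten": dispatch_hardened(addhandler_php),
        "hardened_addtype_overwritten": dispatch_hardened(overwritten),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:32s} -> {value}")
```

Under the legacy rule the overwritten content type turns a PHP request into a static-file download (source disclosure) and a backend-supplied Content-Type of server-status reaches mod_status; under the hardened rule the backend value is ignored, and the request configured with AddHandler keeps its PHP handler even after the content type changes. The AddType-only request still degrades to the default handler in the hardened model, which is the configuration-level argument for AddHandler/SetHandler.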
Each of these vulnerabilities demonstrates how subtle inconsistencies and legacy behaviors in Apache HTTP Server can be exploited to compromise the security of web servers, leading to a wide range of potential attacks.

The vulnerabilities discovered can significantly impact organizations running Apache HTTP Server. To mitigate these risks, administrators are advised to upgrade to version 2.4.60 or later (2.4.60 is the release that addressed the listed CVEs) and to review their RewriteRule, <Files>, AddType/AddHandler and mod_proxy configurations, since the fixes change some default behaviours and existing setups may need adjustment.

The research highlights the importance of understanding the internal mechanisms and architectural design of widely used software like Apache HTTP Server. By exposing these vulnerabilities, the research can help organizations protect themselves against potential attacks and improve the overall security of the internet.
