Confusion Attacks Vulnerability In Apache HTTP Server Allow Attackers To Gain Root Access Remotely


The Apache HTTP Server relies on hundreds of independently developed modules to handle client requests, sharing a complex data structure for communication. 

While modularity promotes specialization, the lack of standardized interfaces, coupled with the massive scale of the system, introduces potential vulnerabilities. 

As modules evolve independently with minimal understanding of each other, inconsistencies and security risks may arise due to the intricate interactions within this modular ecosystem. 

Researchers identified a new attack surface, dubbed “Confusion Attack,” that exploits ambiguities in how software modules interpret shared data structures. 

Several phases of an HTTP request

By intentionally misusing structure fields, attackers can manipulate system behavior, which introduced three specific attack types: Filename Confusion, DocumentRoot Confusion, and Handler Confusion, all leveraging the unintended consequences of modules misunderstanding critical data elements. 

Attack analysis revealed nine distinct system weaknesses. 

  1. CVE-2024-38472 – Apache HTTP Server on Windows UNC SSRF
  2. CVE-2024-39573 – Apache HTTP Server proxy encoding problem
  3. CVE-2024-38477 – Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
  4. CVE-2024-38476 – Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
  5. CVE-2024-38475 – Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
  6. CVE-2024-38474 – Apache HTTP Server weakness with encoded question marks in backreferences
  7. CVE-2024-38473 – Apache HTTP Server proxy encoding problem
  8. CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
  9. CVE-2024-?????? – [redacted]

Apache HTTP Server 2.4.60 addressed multiple vulnerabilities stemming from fundamental design flaws. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Due to the novel nature of these issues, early discovery provided a significant advantage in CVE attribution, but the required changes introduced backward compatibility breaks, necessitating cautious updates to avoid service disruptions. 

1. Filename Confusion

The Apache HTTP Server’s mod_rewrite module incorrectly treats all rewritten paths as URLs, truncating them after a question mark, which allows attackers to bypass intended file access restrictions by manipulating path components and to misuse RewriteFlags by applying incorrect handlers to unexpected file types, potentially leading to arbitrary code execution. 

Apache mod_proxy’s inconsistent interpretation of `r->filename` as a URL, unlike other modules treating it as a filesystem path, enables an authentication and access control bypass. 

When combined with file-based restrictions like the `Files` directive, attackers can append query parameters to protected filenames, bypassing authentication checks. 

2. DocumentRoot Confusion

By leveraging the `DocumentRoot` confusion vulnerability, attackers can bypass intended file access restrictions.

Apache HTTP Server unexpectedly attempts to access files both within and outside the `DocumentRoot`, enabling access to sensitive files like CGI and PHP scripts. 

Confusion Attacks Vulnerability In Apache HTTP Server Allow Attackers To Gain Root Access Remotely
Server-Side Deserialization!

Exploiting this, attackers can disclose source code by crafting requests that manipulate the URL structure, effectively confusing the server’s path interpretation logic and causing it to serve files as static content instead of executing them as scripts. 

3. Handler Confusion

The Apache HTTP server suffers from Confusion Attacks due to its legacy code.

Two directives, AddHandler and AddType, can set the same handler, although they use different fields internally, which can be exploited to overwrite the handler and achieve various attacks.

Confusion Attacks Vulnerability In Apache HTTP Server Allow Attackers To Gain Root Access Remotely
Apache server status

By sending a malformed Content-Length header, attackers can trigger ModSecurity to send a double response, accidentally overwriting the Content-Type to text/html and leaking PHP source code. 

According to Orange, attackers can leverage the Local Redirect Response behavior of CGI to control the Content-Type header and trick Apache into invoking arbitrary handlers, which can lead to information disclosure, script misinterpretation, full SSRF, RCE, etc. 

Apache HTTP Server contains additional vulnerabilities beyond Confusion Attacks, where CVE-2024-38472 exploits Windows UNC paths in apr_filepath_merge(), allowing NTLM authentication coercion on arbitrary hosts, triggered either through the HTTP request parser or Type-Map. 

CVE-2024-39573 leverages full control over RewriteRule prefixes to redirect requests to mod_proxy, enabling potential SSRF attacks. While this vulnerability was initially considered impractical, it gained significance after the UNC-based SSRF discovery.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download



Source link