Talk Summary

☀️ Quick Takes

Is this Talk Clickbait?

1-Sentence-Summary

Favorite Quote from the Author

if we can control the content type we can invoke arbitrary handle

💨 tl;dr

Apache HTTP Server's age brings vulnerabilities, especially with CGI enabled by default. Confusion attacks exploit module misunderstandings, leading to security risks like file access issues and authentication bypass. Nine new vulnerabilities show this attack surface is largely ignored. Key lessons include careful content type management, awareness of legacy code issues, and the importance of consistent URL handling.

💡 Key Ideas

• Apache HTTP Server, being nearly 30 years old, has accumulated significant technical debt and vulnerabilities due to its complexity and default configurations.
• CGI is enabled by default, increasing the attack surface and leading to various security risks, especially in PHP environments.
• Confusion attacks exploit misunderstandings in module interactions, leading to vulnerabilities like file name confusion, document root confusion, and handler confusion.
• Nine new vulnerabilities related to confusion attacks highlight an underexplored attack surface in Apache.
• Access control inconsistencies can be exploited to bypass authentication, exposing sensitive files outside the web root.
• Symbolic links and legacy conversion mechanisms can be exploited, allowing access to sensitive configurations and secrets.
• The lack of clear guidelines for content type handling in Apache can result in arbitrary handler invocation and security vulnerabilities.
• Hidden traps in rewrite rules can inadvertently expose sensitive areas, while server-side redirect vulnerabilities can be triggered through CRF injection and SSRF attacks.
• Future exploration is needed to assess security in various Apache configurations across different distributions.

🎓 Lessons Learnt

• Be Cautious with Content Types: Modifying content types can inadvertently expose sensitive data; manage these changes carefully.

• Legacy Code Poses Challenges: Many vulnerabilities stem from outdated architectural issues, requiring careful updates to avoid potential disruptions.

• Exploiting Inconsistencies is Key: Understanding how different modules handle the same fields inconsistently can reveal significant security risks.

• Hidden Features in Rewrite Rules Can Be Exploited: Apache's rewrite rules can unintentionally introduce vulnerabilities; awareness of their behavior is crucial.

• Authentication Can Be Bypassed Easily: Simple URL manipulations like adding a question mark can bypass authentication, highlighting the need for robust security measures.

• Access Control Risks with URL Handling: Inconsistent handling of URLs can allow bypassing of file-based access controls, necessitating uniform management across modules.

• Bug Bounty Hunting is a Practical Application: Engaging in bug bounty programs can effectively utilize learned techniques to uncover real-world vulnerabilities.

🌚 Conclusion

To secure Apache, focus on understanding module interactions, tighten access controls, and stay vigilant against confusion attacks. Bug bounty programs can help uncover these vulnerabilities in real-world scenarios.

In-Depth

All Key Ideas

Apache HTTP Server Security Considerations

• Apache HTTP Server is an open-source project nearly 30 years old, accumulating significant technical debt over time.
• Apache enables CGI by default, increasing its attack surface.
• There are numerous configurations for setting up a PHP environment, leading to complexity and potential security risks.
• Directives like 'AddHandler' and 'AddType' can both effectively run PHP but may have different security implications.
• Administrators using Apache often manage large environments, which can complicate security.
• Common misconfigurations in Apache, like problematic rewrite rules, can introduce vulnerabilities.
• The talk will introduce new exploitation techniques specific to CGI vulnerabilities.

Confusion Attacks and Vulnerabilities in Patch Source Code

• The patch source code has over 100 modules that must work together, with half of them commonly used by admins.
• All modules rely on a large shared structure to communicate and exchange data during HTTP request processing.
• Any module can modify values in this structure, which can lead to issues if there are misunderstandings about what is important.
• Three types of confusion attacks were identified: file name confusion, document root confusion, and handler confusion.
• The researcher discovered nine new vulnerabilities related to these confusion attacks, highlighting a new attack surface.
• Many patches are not backward compatible, making updates risky for production machines.
• File name confusion occurs when different modules handle the 'F' field inconsistently, leading to vulnerabilities.

Web Security Vulnerabilities

• The authentication manager in PHP can be bypassed using a question mark in the URL, allowing unauthorized access to files like admin.php.
• Confusion attacks exploit inconsistencies between access control and proxy modules, enabling access to files outside the web root.
• The document root can unintentionally expose sensitive files due to the way Apache handles rewrite rules and virtual hosts.
• Access to SL USR SL share allows exploitation of existing documentation and examples, facilitating access to sensitive information.
• Symbolic links can be followed by default in Apache, allowing further access beyond SL USR SL share.

Security Vulnerabilities in Apache

• Symbolic links in systems like Cacti and Redmine can be exploited to access sensitive configurations and secrets through a method known as 'double hop jump.'
• The confusion between handler and content type directives in Apache can lead to security vulnerabilities, allowing PHP files to be misprocessed.
• Legacy conversion mechanisms in Apache can cause the content type to be improperly assigned, potentially exposing sensitive information.
• The lack of clear guidelines for content type usage in Apache can lead to arbitrary handler invocation and exploitation.
• RFC 3875 introduces the concept of local redirect responses, which can be manipulated to control content type and invoke arbitrary handlers in Apache.

Web Security Vulnerabilities

• Triggering server-side redirects can be achieved through CRF injection and SSRF attacks.
• Overwriting content types can expose sensitive information and facilitate backdoor creation.
• SSRF allows control over response headers and access to local Unix domain circuits.
• Apache's long history presents challenges in maintaining convenience and compatibility amidst legacy code.
• The question mark can exploit arbitrary paths, bypassing access control and authentication.
• Rewrite rules contain hidden traps that allow access to sensitive areas.
• There are potential future works in exploring different configurations in various distributions.

All Lessons Learnt

PHP Security Considerations

• Understanding PHP Directives is Crucial: Both Handler and Type directives can successfully run PHP, but one may introduce vulnerabilities. Misunderstanding their intentions can lead to security risks.
• Complex Configurations Increase Risk: There are numerous ways to set up a PHP environment, which multiplies the complexity and potential for mistakes. Awareness of this complexity is necessary for secure configurations.
• Apache's Default CGI Can Be Risky: Apache enables CGI by default, increasing the attack surface. Knowing this can help admins mitigate potential vulnerabilities.
• Common Configurations Can Be Vulnerable: Common practices like using rewrite rules to hide file extensions can introduce security risks. Awareness of these practices is essential for securing Apache servers.
• Exploit Techniques Evolve: New exploitation techniques can emerge from understanding how different components interact, so staying updated on vulnerabilities is crucial for security research.

Security Concerns in Module Collaboration

• Collaboration Requires Standards: If multiple modules (MERS) are working together without clear guidelines, inconsistencies can lead to vulnerabilities. Each module needs to understand its role and the implications of modifying shared structures.
• Confusion Attacks as a New Threat: The identification of confusion attacks highlights a new attack surface in Apache HTTP Server, indicating that security researchers should investigate these interactions further to uncover vulnerabilities.
• Legacy Architecture Risks: Many vulnerabilities stem from legacy architectural issues, making updates potentially disruptive. Caution is advised when upgrading systems as it could break existing configurations.
• Inconsistent Field Handling Can Lead to Vulnerabilities: Different MERS treating the same field (like 'file name') in varied ways can create security risks. Consistent treatment of fields across modules is crucial.
• Access Control Risks with URL Handling: Relying on file-based access control can be bypassed if URL handling isn't consistent. Ensuring all modules manage access control uniformly is essential for security.

Security Vulnerabilities

• Bypassing Authentication with a Question Mark: You can bypass the original authentication required interface simply by adding a question mark in the URL, exploiting inconsistencies in the authentication and proxy modules.
• Accessing Files Outside the Web Root: Apache's handling of rewrite rules allows access to files outside the web root, especially in the SL USR SL share directory, which can be exploited to gather sensitive information.
• Leveraging Local Gadgets for Exploitation: Using available libraries and tutorials can help exploit vulnerabilities in the system, as you can find numerous local gadgets to manipulate for unauthorized access or data retrieval.
• Symbolic Links Allowing Escaping from SL USR: Apache's default settings permit following symbolic links, enabling potential escape from the SL USR directory, which can be exploited for further access.

Security Considerations in Content Type Handling

• Understand legacy conversion mechanisms in Apache: Recognizing how legacy conversions can affect content type handling helps in exploiting vulnerabilities related to handler confusion.
• Be cautious with content type modifications: Modifying the content type can unintentionally expose sensitive information if not managed properly.
• Leverage RFC 3875 for server-side redirects: Knowing how local redirect responses work according to RFC 3875 can help in controlling content types and invoking arbitrary handlers in CGI contexts.
• Recognize the significance of error handling in security: Triggering errors can lead to unintended changes in content types, exposing sensitive data, highlighting the importance of robust error handling in security practices.

Lessons Learnt

• Be cautious with content types.
• SSRF can be a powerful exploit.
• Legacy code poses challenges.
• Exploiting inconsistencies is key.
• Hidden features in rewrite rules can be exploited.
• Future configurations can reveal vulnerabilities.
• Bug bounty hunting is a practical application of learned techniques.