OrangeCon

Orange Tsai

Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is the champion and the "Master of Pwn" title holder at Pwn2Own Vancouver 2021 and Toronto 2022. In addition, Orange has spoken at several top hacker conferences such as Black Hat USA (5 times), DEF CON (5 times), HITCON (11 times), CODE BLUE (6 times), POC, Hexacon, RomHack, HITB, and WooYun!

Currently, Orange is a 0day researcher focusing on Web and Application Security. His research not only earned him the Pwnie Awards winner for "Best Server-Side Bug" in 2019/2021 but also secured 1st place in the "Top 10 Web Hacking Techniques" for 2017/2018. In his free time, Orange also engages in bug bounties. He is especially enthusiastic about RCE, successfully identifying critical RCEs across a broad range of vendors, including Twitter, Facebook, Uber, Apple, Netflix, Tesla, GitHub, Amazon, and more.

You can find Orange on X @orange_8361 and https://blog.orange.tw/


Session

09-05
15:45
40min
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
Orange Tsai

Apache HTTP Server, as a cornerstone of the entire World Wide Web, accounts for about one-third of the web server market share worldwide. It's not an overstatement to say that its security is synonymous with the security of the Internet. However, while delving into the source by chance, we discovered that the coding style of this open-source project seemed a little bit... open? This research was thus born!

The Apache Httpd is comprised of dozens of different modules, which are coupled together. When a new HTTP request arrives, all modules uphold and maintain a colossal structure, collaborating in harmony to complete the request. While this cooperation might sound ideal, the reality reveals a significant challenge: the modules are not entirely familiar with each other, especially regarding the implementation details. However, they are asked to collaborate to fulfill the task. If any module has an incorrect understanding of any fields of this huge structure, it could potentially lead to fatal issues.

This observation led us to focus on interactions between modules, and discover this new attack surface. Let's see how a seemingly harmless structure modification can be passed through layers, amplifying the impact and affecting other modules to become vulnerabilities. This novel attack surface unearthed 3 distinct types of Confusion Attacks and 8 vulnerabilities, which allow us to navigate easily between Httpd modules, generating various attacks based on the different functionalities of modules: from the simplest arbitrary source code disclosure to misinterpreting a normal image as malicious scripts, bypassing ACL, and enabling unlimited SSRF. Of course, we won't forget about RCE, we will demonstrate how a long-underestimated bug type can be transformed into code execution by leveraging Httpd's internal features!

By understanding this talk, attendees won't be surprised at how we've managed to teach an old dog new tricks. Developers will understand how to avoid writing problematic Httpd modules. Server Admins can utilize this knowledge to examine their sites for potential vulnerabilities, and security researchers are able to explore more hidden issues along this direction. It's a scenario where everyone wins!

Main track
Main track