09-05, 15:45–16:25 (Europe/Amsterdam), Main track
Apache HTTP Server, as a cornerstone of the entire World Wide Web, accounts for about one-third of the web server market share worldwide. It's not an overstatement to say that its security is synonymous with the security of the Internet. However, while delving into the source by chance, we discovered that the coding style of this open-source project seemed a little bit... open? This research was thus born!
The Apache Httpd is comprised of dozens of different modules, which are coupled together. When a new HTTP request arrives, all modules uphold and maintain a colossal structure, collaborating in harmony to complete the request. While this cooperation might sound ideal, the reality reveals a significant challenge: the modules are not entirely familiar with each other, especially regarding the implementation details. However, they are asked to collaborate to fulfill the task. If any module has an incorrect understanding of any fields of this huge structure, it could potentially lead to fatal issues.
This observation led us to focus on interactions between modules, and discover this new attack surface. Let's see how a seemingly harmless structure modification can be passed through layers, amplifying the impact and affecting other modules to become vulnerabilities. This novel attack surface unearthed 3 distinct types of Confusion Attacks and 8 vulnerabilities, which allow us to navigate easily between Httpd modules, generating various attacks based on the different functionalities of modules: from the simplest arbitrary source code disclosure to misinterpreting a normal image as malicious scripts, bypassing ACL, and enabling unlimited SSRF. Of course, we won't forget about RCE, we will demonstrate how a long-underestimated bug type can be transformed into code execution by leveraging Httpd's internal features!
By understanding this talk, attendees won't be surprised at how we've managed to teach an old dog new tricks. Developers will understand how to avoid writing problematic Httpd modules. Server Admins can utilize this knowledge to examine their sites for potential vulnerabilities, and security researchers are able to explore more hidden issues along this direction. It's a scenario where everyone wins!
1. Methodology and Our New Attack Surface
We focus on exploring the interactions between Apache Httpd modules, as mentioned in the abstract. Apache Httpd is a world constructed of modules, even the official documentation highlights that:
URL: https://httpd.apache.org/docs/2.4/mpm.html
Apache HTTP Server 2.0 extends this modular design to the most basic functions of a web server.
Httpd modules are free to register hooks to the phases they're interested in. An HTTP request will walk through all modules, and at each stage, it's up to the modules to decide whether to ACCEPT or REJECT the current request. An issue arises from the fact that:
Modules do not fully understand each other's implementation details. However, they are asked to collaborate to complete the entire HTTP process.
For an HTTP request, all modules share and maintain an internal data structure request_rec with nearly a hundred members. If there is an ambiguity in understanding the same structure member among modules, it can easily lead to problems. Similarly, if a module mistakenly modifies a member that is insignificant to it but crucial to another module in this shared structure, it might affect other modules' decisions and cause problems, too!
2. Proposed THREE Attacks and EIGHT New Vulnerabilities
Based on the concept mentioned above, we have created 3 distinct types of Confusion Attacks on Apache HTTP Server:
- Filename Confusion Attack: For a same HTTP request, some modules treat
r->filenameas a URI, while others treat it as a filesystem path. This inconsistency causes security issues such as source code disclosure or ACL/Authentication Bypass. - DocumentRoot Confusion Attack: For any RewriteRule Mapping, Httpd would try to access both the relative path and absolute path. This leads to unintended files accessing outside the DocumentRoot.
- Handler Confusion Attack: For the same
request_recstructure, under certain conditions,r->content_type,r->handler, andr->filenameare interconnected and can be transformed into each other, leading to security issues such as SSRF or RCE.
These Confusion Attacks can be transformed into different types of vulnerability classes. So far, we have uncovered 8 vulnerabilities in Apache HTTP Server, including:
- CVE-2024-38477 - important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
- CVE-2024-38476 - important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
- CVE-2024-38475 - important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
- CVE-2024-38474 - important: Apache HTTP Server weakness with encoded question marks in backreferences
- CVE-2024-38473 - moderate: Apache HTTP Server proxy encoding problem
- CVE-2024-38472 - important: Apache HTTP Server on Windows UNC SSRF
- CVE-2024-39573 - moderate: Apache HTTP Server: mod_rewrite proxy handler substitution
- CVE-2023-38709 - moderate: Apache HTTP Server: HTTP response splitting
You can check the Apache HTTP Server website for details!
Our presentation will focus mainly on vulnerabilities #2, #3, #4, #5 and #7. The impacts include, but are not limited to:
- Sensitive Information Leakage
- Denial-of-Service Attack
- ACL and Authentication Bypass
- Arbitrary Server-Side Source Code Disclosure
- Arbitrary File Read
- SSRF (Server-Side Request Forgery)
- RCE (Remote Code Execution)
3. Demo
We will demonstrate how a long-underestimated bug type can be transformed into powerful exploits, including Info-Leak, SSRF, and RCE by leveraging Httpd's internal features.
This breakthrough is powered by our innovative Confusion Attack technique, enhancing our capability to intricately navigate and manipulate Httpd modules.
4. Previous Work
As far as I know, attacks that specifically target the inconsistencies within Httpd's internal structure have been rare. The only closest discussion on this topic was presented by Max Dmitriev at ZeroNights 2021:
Title: Apache 0day bug, which still nobody knows of, and which was fixed accidentally
Slide: https://tinyurl.com/bdxdfk8j
However, the discussion did not extensively explore this avenue. The publicly available bug description suggests that the real issue was not precisely identified.
"...a lack of control over an Apache error when using php-cgi and ModSecurity..."
In reality, any handler based on Content-Type should be vulnerable, indicating that not only php-cgi but also the widely utilized mod_php could be at risk.
5. Notes
The issues we have identified are present in the core modules of Apache Httpd, not in third-party modules that are rarely or never installed. :)
Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is the champion and the "Master of Pwn" title holder at Pwn2Own Vancouver 2021 and Toronto 2022. In addition, Orange has spoken at several top hacker conferences such as Black Hat USA (5 times), DEF CON (5 times), HITCON (11 times), CODE BLUE (6 times), POC, Hexacon, RomHack, HITB, and WooYun!
Currently, Orange is a 0day researcher focusing on Web and Application Security. His research not only earned him the Pwnie Awards winner for "Best Server-Side Bug" in 2019/2021 but also secured 1st place in the "Top 10 Web Hacking Techniques" for 2017/2018. In his free time, Orange also engages in bug bounties. He is especially enthusiastic about RCE, successfully identifying critical RCEs across a broad range of vendors, including Twitter, Facebook, Uber, Apple, Netflix, Tesla, GitHub, Amazon, and more.
You can find Orange on X @orange_8361 and https://blog.orange.tw/