Bugtraq mailing list archives

Re: Apache 2.0.39 directory traversal and path disclosure bug


From: "William A. Rowe, Jr." <wrowe () rowe-clan net>
Date: Fri, 16 Aug 2002 11:39:04 -0500

At 12:01 PM 8/16/2002, Auriemma Luigi wrote:
B) CAN-2002-0661
----------------

The problem is in the management of the bad chars that can be used to
launch some attacks, such as the directory traversal. In fact the
backslash char ('\' == %5c) is not checked as a bad char, so it can be
used for seeking the directories of systems that use it as a path
delimiter (Windows, Netware, OS2 and others).

Then another problem is that the attacker can execute commands on the
remote host simply using the /cgi-bin/ path.

The following are two simple examples.

to view the file winnt\win.ini:
http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini

to run the wintty utility in the Apache2/bin folder:
http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO

In human readable form, they mean:
http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
http://127.0.0.1/cgi-bin/\..\bin\wintty.exe?-t+HELLO

So in the first example we go down to the root path with \..\..\..\..\
because we are in "c:\program files\Apache Group\Apache2\error".
Instead in the second example we use the /cgi-bin/ path and we pass
arguments with "file.exe?arg1+arg2+arg3+...".

Note that neither of these examples leverages the DocumentRoot
'container', which is a protected mapping.  Both rely on Alias redirection,
although similar behavior could be forced via mod_rewrite.  In both cases,
the path composition followed a different course.

In Auriemma's first example, a normal 'Alias' is used to bypass the
document root (the alias to the error docs location), and in the second
case, the 'ScriptAlias' is used, which also forces the cgi-script handler.

In a properly secured server, the following will prevent the examples above:

  <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
  </Directory>

This protection will refuse to serve any directories that are not explicitly
permitted by their own overriding <Directory > blocks.  Of course, all
<Directory > blocks containing web content will require the following lines
(or similar) to permit access as desired...

  Order allow,deny
  Allow from all

However, ScriptAlias circumvents the Options ExecCGI, so the following
would still work in the usual configuration:

  http://127.0.0.1/cgi-bin/%5c%2e%2e%5chtdocs%5cindex.html.en

which invokes htdocs\index.html.en as a script.  Not useful, certainly,
but other more sinister purposes could be invented.

As a further safety precaution, use the Alias directive in lieu of the
ScriptAlias directive.  The following structure will close the third example
vulnerability:

  Alias /cgi-bin/ "/Path-to-Apache2/cgi-bin/"

  <Directory "/Path-to-Apache2/cgi-bin/">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
    SetHandler cgi-script
  </Directory>

which only enables script execution in the given directory,
and not as a consequence of ScriptAlias translation.

Finally, it may be desirable not to use the SetHandler directive, but
instead call out each and every AddHandler cgi-script pl cgi ... and all
other permitted cgi files or file types.

A more complete report will be prepared and distributed by the Apache
HTTP project.  Follow the project's guidance for all Win32, OS2, Netware
and Cygwin Apache 2.0.x servers (prior to .40), and add the:

  RedirectMatch 400 "\\\.\."

escape in the global server context (right after the global DocumentRoot
directive would be the safest place to assure it is the first evaluated
RedirectMatch directive.)  Then upgrade to Apache 2.0.40 on any of
those platforms.

Bill
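The two guards Bill describes, the RedirectMatch 400 pattern and the rule that the remainder after an Alias prefix must never climb out of its mapped directory, as an added Python example that is not part of this post or of Apache itself; the alias prefixes and the access-log lines it checks are constructed stand-ins, not real data.

```python
import re
from urllib.parse import unquote

# What the post's RedirectMatch is written to catch: a literal backslash followed by
# two dots. RedirectMatch sees the %-decoded path, so every check below decodes first.
BACKSLASH_DOTDOT = re.compile(r"\\\.\.")
# URL prefixes of the Alias / ScriptAlias mappings discussed in the thread (assumed).
ALIAS_PREFIXES = ("/error/", "/cgi-bin/")
# Constructed access-log lines: the two request URLs from the report plus a benign one.
SAMPLE_LOG = """\
127.0.0.1 - - [16/Aug/2002:12:01:00 -0500] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 200 512
127.0.0.1 - - [16/Aug/2002:12:01:01 -0500] "GET /index.html.en HTTP/1.0" 200 2326
127.0.0.1 - - [16/Aug/2002:12:01:02 -0500] "GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.0" 200 64
"""

def matches_redirect_guard(url_path: str) -> bool:
    """True if the decoded path contains a backslash immediately followed by '..'."""
    return BACKSLASH_DOTDOT.search(unquote(url_path)) is not None

def escapes_alias(url_path: str, prefixes=ALIAS_PREFIXES) -> bool:
    """True if the remainder after an Alias prefix climbs above the mapped directory."""
    # Both '/' and '\\' count as separators: Win32, OS2 and NetWare accept either,
    # which is why an encoded backslash (%5c) slipped past the server's '..' checks.
    decoded = unquote(url_path.split("?", 1)[0])  # the query string is irrelevant here
    for prefix in prefixes:
        if decoded.startswith(prefix):
            remainder = decoded[len(prefix):]
            break
    else:
        return False  # not an aliased location; DocumentRoot handling is out of scope
    depth = 0
    for segment in re.split(r"[\\/]+", remainder):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return True  # climbed out of the aliased directory
    return False

def flag_requests(access_log: str = SAMPLE_LOG) -> list:
    """Return the request paths in an access log that either check flags."""
    flagged = []
    for line in access_log.splitlines():
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m and (matches_redirect_guard(m.group(1)) or escapes_alias(m.group(1))):
            flagged.append(m.group(1))
    return flagged
```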
