Friday, December 27, 2024
HomeCVE/vulnerabilityConfusion Attacks Vulnerability In Apache HTTP Server Allow Attackers To Gain Root...

Confusion Attacks Vulnerability In Apache HTTP Server Allow Attackers To Gain Root Access Remotely

Published on

SIEM as a Service

The Apache HTTP Server relies on hundreds of independently developed modules to handle client requests, sharing a complex data structure for communication. 

While modularity promotes specialization, the lack of standardized interfaces, coupled with the massive scale of the system, introduces potential vulnerabilities. 

As modules evolve independently with minimal understanding of each other, inconsistencies and security risks may arise due to the intricate interactions within this modular ecosystem. 

- Advertisement - SIEM as a Service

Researchers identified a new attack surface, dubbed “Confusion Attack,” that exploits ambiguities in how software modules interpret shared data structures. 

Several phases of an HTTP request

By intentionally misusing structure fields, attackers can manipulate system behavior, which introduced three specific attack types: Filename Confusion, DocumentRoot Confusion, and Handler Confusion, all leveraging the unintended consequences of modules misunderstanding critical data elements. 

Attack analysis revealed nine distinct system weaknesses. 

  1. CVE-2024-38472 – Apache HTTP Server on Windows UNC SSRF
  2. CVE-2024-39573 – Apache HTTP Server proxy encoding problem
  3. CVE-2024-38477 – Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
  4. CVE-2024-38476 – Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
  5. CVE-2024-38475 – Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
  6. CVE-2024-38474 – Apache HTTP Server weakness with encoded question marks in backreferences
  7. CVE-2024-38473 – Apache HTTP Server proxy encoding problem
  8. CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
  9. CVE-2024-?????? – [redacted]

Apache HTTP Server 2.4.60 addressed multiple vulnerabilities stemming from fundamental design flaws. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Due to the novel nature of these issues, early discovery provided a significant advantage in CVE attribution, but the required changes introduced backward compatibility breaks, necessitating cautious updates to avoid service disruptions. 

1. Filename Confusion

The Apache HTTP Server’s mod_rewrite module incorrectly treats all rewritten paths as URLs, truncating them after a question mark, which allows attackers to bypass intended file access restrictions by manipulating path components and to misuse RewriteFlags by applying incorrect handlers to unexpected file types, potentially leading to arbitrary code execution. 

Apache mod_proxy’s inconsistent interpretation of `r->filename` as a URL, unlike other modules treating it as a filesystem path, enables an authentication and access control bypass. 

When combined with file-based restrictions like the `Files` directive, attackers can append query parameters to protected filenames, bypassing authentication checks. 

2. DocumentRoot Confusion

By leveraging the `DocumentRoot` confusion vulnerability, attackers can bypass intended file access restrictions.

Apache HTTP Server unexpectedly attempts to access files both within and outside the `DocumentRoot`, enabling access to sensitive files like CGI and PHP scripts. 

Server-Side Deserialization!

Exploiting this, attackers can disclose source code by crafting requests that manipulate the URL structure, effectively confusing the server’s path interpretation logic and causing it to serve files as static content instead of executing them as scripts. 

3. Handler Confusion

The Apache HTTP server suffers from Confusion Attacks due to its legacy code.

Two directives, AddHandler and AddType, can set the same handler, although they use different fields internally, which can be exploited to overwrite the handler and achieve various attacks.

Apache server status

By sending a malformed Content-Length header, attackers can trigger ModSecurity to send a double response, accidentally overwriting the Content-Type to text/html and leaking PHP source code. 

According to Orange, attackers can leverage the Local Redirect Response behavior of CGI to control the Content-Type header and trick Apache into invoking arbitrary handlers, which can lead to information disclosure, script misinterpretation, full SSRF, RCE, etc. 

Apache HTTP Server contains additional vulnerabilities beyond Confusion Attacks, where CVE-2024-38472 exploits Windows UNC paths in apr_filepath_merge(), allowing NTLM authentication coercion on arbitrary hosts, triggered either through the HTTP request parser or Type-Map. 

CVE-2024-39573 leverages full control over RewriteRule prefixes to redirect requests to mod_proxy, enabling potential SSRF attacks. While this vulnerability was initially considered impractical, it gained significance after the UNC-based SSRF discovery.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...