Confusion Attacks Vulnerability In Apache HTTP Server Allow Attackers To Gain Root Access Remotely

The Apache HTTP Server relies on hundreds of independently developed modules to handle client requests, sharing a complex data structure for communication. 

While modularity promotes specialization, the lack of standardized interfaces, coupled with the massive scale of the system, introduces potential vulnerabilities. 

As modules evolve independently with minimal understanding of each other, inconsistencies and security risks may arise due to the intricate interactions within this modular ecosystem. 

Researchers identified a new attack surface, dubbed “Confusion Attack,” that exploits ambiguities in how software modules interpret shared data structures. 

Several phases of an HTTP request

By intentionally misusing structure fields, attackers can manipulate system behavior, which introduced three specific attack types: Filename Confusion, DocumentRoot Confusion, and Handler Confusion, all leveraging the unintended consequences of modules misunderstanding critical data elements. 

Attack analysis revealed nine distinct system weaknesses. 

  1. CVE-2024-38472 – Apache HTTP Server on Windows UNC SSRF
  2. CVE-2024-39573 – Apache HTTP Server proxy encoding problem
  3. CVE-2024-38477 – Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
  4. CVE-2024-38476 – Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
  5. CVE-2024-38475 – Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
  6. CVE-2024-38474 – Apache HTTP Server weakness with encoded question marks in backreferences
  7. CVE-2024-38473 – Apache HTTP Server proxy encoding problem
  8. CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
  9. CVE-2024-?????? – [redacted]

Apache HTTP Server 2.4.60 addressed multiple vulnerabilities stemming from fundamental design flaws. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Due to the novel nature of these issues, early discovery provided a significant advantage in CVE attribution, but the required changes introduced backward compatibility breaks, necessitating cautious updates to avoid service disruptions. 

1. Filename Confusion

The Apache HTTP Server’s mod_rewrite module incorrectly treats all rewritten paths as URLs, truncating them after a question mark, which allows attackers to bypass intended file access restrictions by manipulating path components and to misuse RewriteFlags by applying incorrect handlers to unexpected file types, potentially leading to arbitrary code execution. 

Apache mod_proxy’s inconsistent interpretation of `r->filename` as a URL, unlike other modules treating it as a filesystem path, enables an authentication and access control bypass. 

When combined with file-based restrictions like the `Files` directive, attackers can append query parameters to protected filenames, bypassing authentication checks. 

2. DocumentRoot Confusion

By leveraging the `DocumentRoot` confusion vulnerability, attackers can bypass intended file access restrictions.

Apache HTTP Server unexpectedly attempts to access files both within and outside the `DocumentRoot`, enabling access to sensitive files like CGI and PHP scripts. 

Server-Side Deserialization!

Exploiting this, attackers can disclose source code by crafting requests that manipulate the URL structure, effectively confusing the server’s path interpretation logic and causing it to serve files as static content instead of executing them as scripts. 

3. Handler Confusion

The Apache HTTP server suffers from Confusion Attacks due to its legacy code.

Two directives, AddHandler and AddType, can set the same handler, although they use different fields internally, which can be exploited to overwrite the handler and achieve various attacks.

Apache server status

By sending a malformed Content-Length header, attackers can trigger ModSecurity to send a double response, accidentally overwriting the Content-Type to text/html and leaking PHP source code. 

According to Orange, attackers can leverage the Local Redirect Response behavior of CGI to control the Content-Type header and trick Apache into invoking arbitrary handlers, which can lead to information disclosure, script misinterpretation, full SSRF, RCE, etc. 

Apache HTTP Server contains additional vulnerabilities beyond Confusion Attacks, where CVE-2024-38472 exploits Windows UNC paths in apr_filepath_merge(), allowing NTLM authentication coercion on arbitrary hosts, triggered either through the HTTP request parser or Type-Map. 

CVE-2024-39573 leverages full control over RewriteRule prefixes to redirect requests to mod_proxy, enabling potential SSRF attacks. While this vulnerability was initially considered impractical, it gained significance after the UNC-based SSRF discovery.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…

14 hours ago

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…

16 hours ago

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…

16 hours ago

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…

18 hours ago

QNAP High Severity Vulnerabilities Let Remote attackers to Compromise System

QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…

20 hours ago

Healthcare Security Strategies for 2025

Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…

21 hours ago