Posted to docs@httpd.apache.org by "Paul D. Robertson" <pr...@trusecure.com> on 2003/12/24 17:26:32 UTC

Security tips and dictionary attacks with UserDir

Hi,

I can't reach the Documentation Project Tutorial site suggested as the best
place to start, since it doesn't like the fact that my proxy strips
user-agent headers- so I hope I'm not jumping out of line here...

It's been known for quite some time that the default configuration with
UserDir enabled lets people scan for user-ids because a valid ID returns a
403 if there's no public_html, while an invalid one returns a 404- it's been
years since it was seriously discussed, however a new "script kiddie
friendly" tool is out now which exploits that in conjunction with FTP and
same ID/password combos to compromise servers.

IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
will return a 404- so an attacker can enumerate users on a server by running
a dictionary word list through, and ignoring any hits that 404.

Given that, I'd like to see a section added to "Security Tips" about
UserDir, along the lines of:

========== begin ===========

If your server doesn't have users who need to have ~username directories
accessible, you should substitute the default "UserDir public_html"
statement in the httpd configuration file with UserDir disabled.

If you require UserDir to be enabled, then you might consider either using
the ErrorDocument directive to make the 403 and 404 errors serve up the same
custom response, or limiting which accounts can have UserDirs with something
like:

UserDir disabled
UserDir enabled probertson test foo
UserDir public_html

This will stop Apache from disclosing which user-ids exist on a system,
which attackers may use to figure out hidden, administrative or temporary
ids which might be exploited by other non-Apache attack vectors, such as FTP
or SSH.

=========end==========

I can add a diff if someone can point me at an accessible document that
tells me what original files need to be changed and in what format, or if
someone who can easily submit the changes wants to do that, that'll work
too.  If it's not an appropriate change, I'd appreciate some feedback on
that too.

This information is applicable to both the 1.3 and 2.x trees.

Thanks,

Paul
--------------------------------------------------------------------
Paul D. Robertson Director of Risk Assessment, TruSecure Corporation
Moderator, Firewall-Wizards http://honor.icsalabs.com/
probertson@trusecure.com


***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL.  If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited.  If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
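As an added illustration (not part of Paul's message or of the httpd project itself), here is a small Python script that spots the enumeration pattern described above in an Apache combined-format access log: one client walking many /~name paths and receiving a mix of 403 (id exists, no public_html) and 404 (no such id). The log lines are constructed samples, and the threshold and regular expressions are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format access log lines (not real traffic):
# one client walking a word list against /~name, plus one ordinary visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Dec/2003:17:26:32 +0000] "GET /~root/ HTTP/1.0" 403 294 "-" "-"
192.0.2.10 - - [24/Dec/2003:17:26:32 +0000] "GET /~alice/ HTTP/1.0" 404 290 "-" "-"
192.0.2.10 - - [24/Dec/2003:17:26:33 +0000] "GET /~bob/ HTTP/1.0" 404 290 "-" "-"
192.0.2.10 - - [24/Dec/2003:17:26:33 +0000] "GET /~backup/ HTTP/1.0" 403 294 "-" "-"
192.0.2.10 - - [24/Dec/2003:17:26:34 +0000] "GET /~carol/ HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [24/Dec/2003:17:30:01 +0000] "GET /~probertson/ HTTP/1.0" 200 1532 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A UserDir request: /~<name> followed by a slash, query string or end of path.
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?]+)')

def parse_line(line):
    """Return (ip, path, status) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def find_userdir_probes(log_text, min_names=3):
    """Group /~name requests by client ip and report clients that touched at least
    min_names distinct names and got BOTH 403 and 404 answers, which is the signature
    of a word-list walk. Returns {ip: {"names": [...], "exists": [names that got 403]}}."""
    per_ip = defaultdict(dict)          # ip -> {name: last status seen}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        um = USERDIR_RE.match(path)
        if um and status in (403, 404):
            per_ip[ip][um.group("user")] = status
    hits = {}
    for ip, names in per_ip.items():
        if len(names) >= min_names and set(names.values()) == {403, 404}:
            hits[ip] = {
                "names": sorted(names),
                "exists": sorted(u for u, s in names.items() if s == 403),
            }
    return hits
```

The "exists" list tells the administrator which ids the probing client was able to confirm, which is exactly the leak the ErrorDocument or "UserDir enabled" mitigation is meant to close.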


Re: Security tips and dictionary attacks with UserDir

Posted by Joe Orton <jo...@redhat.com>.
On Wed, Jan 28, 2004 at 08:30:49AM -0500, Rich Bowen wrote:
> On a related note, I'd like to discuss whether we want to have UserDir
> disabled by default.
> Pros) Improved default security
> Cons) Increased tech support questions about enabling this feature

I agree it should be disabled by default: we've had it disabled by
default in the stock httpd.conf in Red Hat's httpd packages for a while.  
The ability for remote users to determine presence of given user ID
using the default config is an unacceptable information leak IMO.

It does confuse a few people, though I don't think we've had any bug
reports since we tweaked the wording to be as follows:

<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disable
 
    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #
    #UserDir public_html
 
</IfModule>

Regards,

joe



Re: Security tips and dictionary attacks with UserDir

Posted by Rich Bowen <rb...@rcbowen.com>.
On Wed, 28 Jan 2004, Paul D. Robertson wrote:

> >> UserDir disabled
> >> UserDir enabled probertson test foo
> >> UserDir public_html
> >> 
> >> This will stop Apache from disclosing which user-ids exist on a system,
> >> which attackers may use to figure out hidden, administrative or temporary
> >> ids which might be exploited by other non-Apache attack vectors, such as FTP
> >> or SSH.
> >> 
> >> =========end==========
> > 
> > Thanks. This is a good additional remark. Linking to this from the
> > security doc (or the other way around) might be good. I think the
> > security doc may already mention this.
> >
> 
> I didn't see a mention (unless there's a different document than
> security_tips that I missed?) so I'd be happy if it got added to the
> security doc.  I wrote it up internally due to the release of a tool which
> takes advantage of this being in the wild, but the less compromised machines
> there are out there, the better.

Oops. No. It's the public_html document that has this mentioned.

> Should diffs come to this list, or elsewhere?

Diffs to the list are fine.

> > On a related note, I'd like to discuss whether we want to have UserDir
> > disabled by default.
> > Pros) Improved default security
> > Cons) Increased tech support questions about enabling this feature
> 
> Given Apache's penetration into the corporate server space, I'd bet that
> less than 5% of servers rely on userdir (ISPs and geek colo boxes mostly)-
> so I'd bet that the fall-out wouldn't be huge (mostly folks who know how to
> turn it back on.)  But 5% of the Apache install base is a big number- if the
> original statements were commented out in the default config, the hurdle
> wouldn't be that high for the semi-clued.

I expect that the statistics are rather less skewed than this, but I
have no actual statistical support for this belief.

-- 
When we are young, wandering the face of the earth,
wondering what our dreams might be worth,
learning that we're only immortal for a limited time.




Re: Security tips and dictionary attacks with UserDir

Posted by "Paul D. Robertson" <pr...@trusecure.com>.
On 2004/01/28 8:30, "Rich Bowen" <rb...@rcbowen.com> wrote:

> On Wed, 24 Dec 2003, Paul D. Robertson wrote:
> 
>> Hi,
>> 
>> I can't reach the Documentation Project Tutorial site suggested as the best
>> place to start, since it doesn't like the fact that my proxy strips
>> user-agent headers- so I hope I'm not jumping out of line here...
> 
> No. Not at all. Thanks for the comments, and sorry that they seem to
> have been ignored thus far.
> 

Thanks for the response!  I was beginning to wonder.  My employer maintains
an "Essential Configuration" guide for customers, but for stuff where
there's no real "fix" planned, I've always felt that going to the source and
getting it documented there is better (plus then I don't have to maintain a
whole new document!)

>> It's been known for quite some time that the default configuration with
>> UserDir enabled lets people scan for user-ids because a valid ID returns a
>> 403 if there's no public_html, while an invalid one returns a 404- it's been
>> years since it was seriously discussed, however a new "script kiddie
>> friendly" tool is out now which exploits that in conjunction with FTP and
>> same ID/password combos to compromise servers.
>> 
>> IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
>> will return a 404- so an attacker can enumerate users on a server by running
>> a dictionary word list through, and ignoring any hits that 404.
>> 
>> Given that, I'd like to see a section added to "Security Tips" about
>> UserDir, along the lines of:
>> 
>> ========== begin ===========
>> 
>> If your server doesn't have users who need to have ~username directories
>> accessible, you should substitute the default "UserDir public_html"
>> statement in the httpd configuration file with UserDir disabled.
>> 
>> If you require UserDir to be enabled, then you might consider either using
>> the ErrorDocument directive to make the 403 and 404 errors serve up the same
>> custom response, or limiting which accounts can have UserDirs with something
>> like:
>> 
>> UserDir disabled
>> UserDir enabled probertson test foo
>> UserDir public_html
>> 
>> This will stop Apache from disclosing which user-ids exist on a system,
>> which attackers may use to figure out hidden, administrative or temporary
>> ids which might be exploited by other non-Apache attack vectors, such as FTP
>> or SSH.
>> 
>> =========end==========
> 
> Thanks. This is a good additional remark. Linking to this from the
> security doc (or the other way around) might be good. I think the
> security doc may already mention this.
>

I didn't see a mention (unless there's a different document than
security_tips that I missed?) so I'd be happy if it got added to the
security doc.  I wrote it up internally due to the release of a tool which
takes advantage of this being in the wild, but the less compromised machines
there are out there, the better.

 
>> I can add a diff if someone can point me at an accessible document that
>> tells me what original files need to be changed and in what format, or if
>> someone who can easily submit the changes wants to do that, that'll work
>> too.  If it's not an appropriate change, I'd appreciate some feedback on
>> that too.
> 
> You can see the cvs tree at http://cvs.apache.org/viewcvs.cgi/ and
> instructions for getting checkouts at
> http://httpd.apache.org/dev/anoncvs.txt

Should diffs come to this list, or elsewhere?

> 
> On a related note, I'd like to discuss whether we want to have UserDir
> disabled by default.
> Pros) Improved default security
> Cons) Increased tech support questions about enabling this feature

Given Apache's penetration into the corporate server space, I'd bet that
less than 5% of servers rely on userdir (ISPs and geek colo boxes mostly)-
so I'd bet that the fall-out wouldn't be huge (mostly folks who know how to
turn it back on.)  But 5% of the Apache install base is a big number- if the
original statements were commented out in the default config, the hurdle
wouldn't be that high for the semi-clued.

Thanks,

Paul




Re: Security tips and dictionary attacks with UserDir

Posted by Rich Bowen <rb...@rcbowen.com>.
On Wed, 24 Dec 2003, Paul D. Robertson wrote:

> Hi,
> 
> I can't reach the Documentation Project Tutorial site suggested as the best
> place to start, since it doesn't like the fact that my proxy strips
> user-agent headers- so I hope I'm not jumping out of line here...

No. Not at all. Thanks for the comments, and sorry that they seem to
have been ignored thus far.

> It's been known for quite some time that the default configuration with
> UserDir enabled lets people scan for user-ids because a valid ID returns a
> 403 if there's no public_html, while an invalid one returns a 404- it's been
> years since it was seriously discussed, however a new "script kiddie
> friendly" tool is out now which exploits that in conjunction with FTP and
> same ID/password combos to compromise servers.
> 
> IOW: a get for /~hidden will return a 403, where a get for /~nonexistent
> will return a 404- so an attacker can enumerate users on a server by running
> a dictionary word list through, and ignoring any hits that 404.
> 
> Given that, I'd like to see a section added to "Security Tips" about
> UserDir, along the lines of:
> 
> ========== begin ===========
> 
> If your server doesn't have users who need to have ~username directories
> accessible, you should substitute the default "UserDir public_html"
> statement in the httpd configuration file with UserDir disabled.
> 
> If you require UserDir to be enabled, then you might consider either using
> the ErrorDocument directive to make the 403 and 404 errors serve up the same
> custom response, or limiting which accounts can have UserDirs with something
> like:
> 
> UserDir disabled
> UserDir enabled probertson test foo
> UserDir public_html
> 
> This will stop Apache from disclosing which user-ids exist on a system,
> which attackers may use to figure out hidden, administrative or temporary
> ids which might be exploited by other non-Apache attack vectors, such as FTP
> or SSH.
> 
> =========end==========

Thanks. This is a good additional remark. Linking to this from the
security doc (or the other way around) might be good. I think the
security doc may already mention this.

> I can add a diff if someone can point me at an accessible document that
> tells me what original files need to be changed and in what format, or if
> someone who can easily submit the changes wants to do that, that'll work
> too.  If it's not an appropriate change, I'd appreciate some feedback on
> that too.

You can see the cvs tree at http://cvs.apache.org/viewcvs.cgi/ and
instructions for getting checkouts at
http://httpd.apache.org/dev/anoncvs.txt

On a related note, I'd like to discuss whether we want to have UserDir
disabled by default.
Pros) Improved default security
Cons) Increased tech support questions about enabling this feature


