Apache Lounge Forum -> Apache
Topic: Apache Permission-Denial Bypass
Tape (Joined: 30 Nov 2015, Posts: 3)
Posted: Sat 26 Mar '16 23:36    Post subject: Apache Permission-Denial Bypass

When sending a CONNECT request with a specific pattern or an OPTIONS request, Apache will bypass "403 Permission Denied" and serve the root directory index.php output.

- It happens even though CONNECT is not in OPTIONS and not allowed.
- The index.php file must exist for the bypass to happen (otherwise "CONNECT a:1" and OPTIONS return "302 Found" as per .htaccess settings).
- If the index file isn't PHP, Apache will output "Method Not Allowed - The requested method CONNECT is not allowed for the URL /index.htm", or in the case of OPTIONS it will output only the headers but including the Allow header; both are still bypassing the 403.

Exploit:
In HTTP request header:
CONNECT a:1
CONNECT google.com:80 HTTP/1.1
CONNECT str:int<nothing or " any/any">
OPTIONS / HTTP/1.1

Confirmed on:
Apache/2.4.9 (Win64)

Config:
WAMP
Permissions set to deny everyone except set IP's via root .htaccess.

.htaccess:
ErrorDocument 404 /
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <SECONDIP>
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
ErrorDocument 403 "http://<SECONDIP>/public/"

Fix:
<Limit PUT DELETE CONNECT OPTIONS>
order deny,allow
deny from all
</Limit>

Keep in mind:
- CONNECT is not allowed in the first place.
- OPTIONS returns "302 Found" if the index doesn't exist (i.e. it is affected by limits not referring to it directly), or it returns only the headers including the Allow header (like it's normally supposed to) if e.g. index.htm exists.
- OPTIONS is not meant to return the body, but it will if index.php exists.

I found out about this because I saw entries in the access log like:
61.228.90.59 - - [17/Nov/2015:22:10:10 0100] "CONNECT 163mx00.mxmail.netease.com:25 HTTP/1.0" 200 2829
141.212.122.96 - - [24/Nov/2015:00:21:35 0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 200 2945
141.212.122.112 - - [25/Nov/2015:22:01:27 0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 200 2946
111.248.101.180 - - [27/Nov/2015:09:06:18 0100] "CONNECT 163mx00.mxmail.netease.com:25 HTTP/1.0" 200 2832
111.248.103.196 - - [28/Nov/2015:06:27:28 0100] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 200 2831
141.212.122.128 - - [30/Nov/2015:19:02:27 0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 200 2946
(skipped several)
James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7371, Location: Germany, Next to Hamburg)
Posted: Tue 29 Mar '16 10:24

What is your question on this?
Tape (Joined: 30 Nov 2015, Posts: 3)
Posted: Tue 29 Mar '16 17:15

You might notice that I didn't include any question marks.

I posted to this category because, ironically, it's the closest to the topic at hand; basically it's a mitigation of the inherent incompetence of this forum.

Please move the thread to another category if you believe any other is better suited (or create a "Vulnerabilities" [awareness/reports of in-the-wild vulnerabilities], "Apache Discussion" or "Unofficial Apache Documentation" category).
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Tue 29 Mar '16 18:38

I understood this to have no question, simply informative. It's in the right category as well. That said:

I wonder if this is a flaw in mod_access_compat. Can you duplicate this bypass without mod_access_compat loaded, thereby using just the Require directive (as that is 2.4's native style)?

For example:

Pre-2.4 style w/ mod_access_compat
Code:
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <SECONDIP>
</Limit>

2.4 style w/o mod_access_compat
Code:
<Limit GET POST>
Require ip 127.0.0.1
Require ip <SECONDIP>
</Limit>
glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Tue 29 Mar '16 19:02

On second thought.

In your non-fixed example you do not Limit CONNECT or OPTIONS, so anything goes with those 2. Your fix just adds them along with PUT & DELETE.
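Editor's note, with an added example that is not from any poster in this thread: the weak and the hardened .htaccess side by side. The point glsmith's last post makes is structural, not module-specific: a `<Limit GET POST>` section scopes the directives inside it to exactly the named methods, so a CONNECT or OPTIONS request matches no `<Limit>` block and is never evaluated against the IP list, whether the directives inside the block are mod_access_compat's `Order`/`Deny`/`Allow` or the native 2.4 `Require ip`. The hardened form below drops `<Limit>` entirely and uses the 2.4 `Require method` provider from mod_authz_core inside `<RequireAll>`, so the method allow-list and the IP allow-list both apply to every request. `<SECONDIP>` is the thread's own placeholder; HEAD is listed alongside GET because a site that serves GET normally needs it. The two forms are alternatives, not meant to be combined in one file.

```apache
# Added example (editor's, not the thread's code): two alternative .htaccess contents.
# <SECONDIP> is the thread's placeholder for the second permitted client address.

# --- Weak form: what the first post shows (2.2 style, needs mod_access_compat) ---
# <Limit> applies the directives inside it only to the named methods, so a
# CONNECT or OPTIONS request matches neither block and is not restricted at all.
<Limit GET POST>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from <SECONDIP>
</Limit>
<Limit PUT DELETE>
    Order deny,allow
    Deny from all
</Limit>

# --- Hardened form: native 2.4 authorization, no <Limit> section at all ---
# Every request must satisfy BOTH conditions: the method is in the allow-list
# AND the client address is one of the two permitted addresses. Any other
# method (CONNECT, OPTIONS, TRACE, PUT, DELETE, ...) is refused with 403
# before the request reaches index.php, from any address.
<RequireAll>
    Require method GET POST HEAD
    <RequireAny>
        Require ip 127.0.0.1
        Require ip <SECONDIP>
    </RequireAny>
</RequireAll>
```

Two practical notes. The `Require` directives only take effect in .htaccess when the directory has `AllowOverride AuthConfig` (or `All`); the old `Order`/`Allow`/`Deny` set needs `AllowOverride Limit`. And the "302 Found" the first post observes comes from `ErrorDocument 403 "http://<SECONDIP>/public/"`: an ErrorDocument that points at a full URL makes httpd answer with a redirect instead of the 403 itself, so to see the real status in the access log while verifying the fix, point ErrorDocument at a local path or remove it during the test.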