Introduction:

We all know about 'Heartbleed' in OpenSSL, in which you can make the server reply to your request with more data than originally requested. Instead of ignoring your malformed request, the server responds with sensitive data which is not intended for you. A similar bug has been found recently, not in OpenSSL but in the program called 'httpd' which belongs to Apache Web Server. This vulnerability has been termed 'OptionsBleed', as the leakage of information occurs while we send a request to the vulnerable Apache Web Server using the 'OPTIONS' method. Let us dive in and take a deeper look into this bug, which has been designated CVE-2017-9798.

Background:

The HTTP OPTIONS method lets us know which HTTP methods are allowed on our target server. When we send a request using OPTIONS, the server response lists all the allowed methods in the 'Allow:' header.
For example:

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT
Content-Length: 0
Date: Wed, 20 Sep 2017 15:08:56 GMT

During an experiment, researcher Hanno Böck observed that some servers responded to the OPTIONS method with corrupted responses, such as:

Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"

These kinds of responses clearly suggested a bleed-style information leakage, which led to the deduction that all of these leaks were occurring from some particular versions of Apache servers.
What is actually happening?

In the .htaccess file of an Apache Web Server, the 'Limit' directive is used to restrict access to specific HTTP methods for specific users. If the attacker sets a 'Limit' directive in the .htaccess file for a method that is not globally registered with the server, i.e. any invalid method, the corruption happens. Setting up an invalid method in the 'Limit' directive causes Apache to free up memory, but Apache still continues to refer to that memory (a classic use-after-free), even when the memory is in use by another program.
Therefore, when you query the server with an HTTP OPTIONS request, it gives you back, in the 'Allow' header, information about the program which is running on the freed-up memory.

Affected Versions:

· Apache Web Server 2.2.34 and prior.
· Apache Web Server 2.4.27 and prior.
Recommendations:

· Apply the necessary patches available for the server.
· Ensure that an unaffected version is in use.
· Verify the configuration of the .htaccess file for locally hosted Apache Web Servers.
· Before applying the patch, make sure that no unauthorized modifications of the system have been made.
· Frequently validate what kind of content is being uploaded.
· Run all software as a least-privilege user.
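As an added example (not part of the original write-up), the following Python script applies the two checks a defender would want from the sections above: flagging an Allow header that carries the corruption signature described under "What is actually happening?" (empty entries, repeated methods, text that cannot be a method name), and linting an .htaccess file for 'Limit' methods that Apache does not register, which is the configuration review the Recommendations call for. The KNOWN_METHODS set and the sample header and .htaccess text are assumptions constructed for this demo.

```python
import re

# An HTTP method is an RFC 7230 token; anything containing spaces, quotes or
# angle brackets inside an Allow header cannot be a method name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Assumed set of methods httpd registers out of the box (core and DAV);
# extend it for modules that register their own. Names are case-sensitive.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

def allow_header_anomalies(value):
    """Inspect one Allow header value and return (kind, position, item)
    tuples; an empty list means it reads as a clean method list."""
    anomalies, seen = [], set()
    for pos, item in enumerate(part.strip() for part in value.split(",")):
        if item == "":
            anomalies.append(("empty", pos, item))
        elif not TOKEN_RE.match(item):
            anomalies.append(("non-token", pos, item))  # leaked memory, not a method
        elif item in seen:
            anomalies.append(("duplicate", pos, item))
        seen.add(item)
    return anomalies

LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)

def unregistered_limit_methods(htaccess_text):
    """Return every method named in a <Limit> or <LimitExcept> block that is
    not in KNOWN_METHODS, i.e. the configuration the advisory warns about."""
    return [
        method.strip('"')
        for block in LIMIT_RE.finditer(htaccess_text)
        for method in block.group(1).split()
        if method.strip('"') not in KNOWN_METHODS
    ]

# Constructed samples (not captured from any real server); the bled header is
# modelled on the corrupted Allow line quoted earlier on this page.
HEALTHY_ALLOW = "OPTIONS, TRACE, GET, HEAD, POST, PUT"
BLED_ALLOW = ('GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,'
              '!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"')
RISKY_HTACCESS = "<Limit GET POST BOGUS>\n  Require all denied\n</Limit>\n"
SAFE_HTACCESS = "<Limit GET POST>\n  Require all denied\n</Limit>\n"

if __name__ == "__main__":
    print(allow_header_anomalies(HEALTHY_ALLOW))        # []
    print(allow_header_anomalies(BLED_ALLOW))           # 14 anomalies
    print(unregistered_limit_methods(RISKY_HTACCESS))   # ['BOGUS']
```

Run the header check against responses from your own servers after patching; a non-empty anomaly list on a repeated OPTIONS probe is the signal to investigate the .htaccess files on that host.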