We all know about ‘Heartbleed’ in OpenSSL, in which you can make the server reply to your request with more data than you originally asked for. Instead of rejecting your malformed request, the server responds with sensitive data that was never intended for you. A similar bug has recently been found, not in OpenSSL but in ‘httpd’, the Apache HTTP Server program. The vulnerability has been named ‘OptionsBleed’ because the information leak occurs when we send a request to a vulnerable Apache server using the ‘OPTIONS’ method. Let us dive in and take a deeper look at this bug, which has been designated CVE-2017-9798.
The HTTP OPTIONS method lets us find out which HTTP methods are allowed on our target server. When we send an OPTIONS request, the server lists all the allowed methods in the ‘Allow:’ header of its response, for example:
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT
Date: Wed, 20 Sep 2017 15:08:56 GMT
In an experiment, researcher Hanno Böck observed that some servers answered OPTIONS requests with corrupted responses, such as:
Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
A response like this, in which the header carries empty entries, repeated method names and a fragment of an HTML document instead of a clean list of methods, clearly suggested a ‘bleed’-style information leak, and it led to the deduction that all of the leaking servers were running particular versions of the Apache HTTP Server.
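The corruption above has a recognisable shape, so it can be checked for automatically. The following is an added example (not code from the original article, from Hanno Böck or from the Apache project) that parses an OPTIONS response and flags the three symptoms visible in the header above: empty list entries, repeated method names, and entries that are not valid HTTP tokens. The two sample responses are constructed for this example, with the leaking ‘Allow’ value taken from the article; the ‘probe()’ helper does real network requests and is assumed to be run only against hosts you are authorised to test.

```python
"""Flag OptionsBleed-style corruption in the Allow header of an OPTIONS response.

Added example, not code from the original article, from Hanno Böck or from the
Apache project. Both sample responses are constructed; the leaking Allow header
is the one quoted in the article.
"""
import http.client
import re
from urllib.parse import urlsplit

# RFC 7230 "token" characters: a real method name contains nothing else.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample: what a healthy server returns to OPTIONS.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT\r\n"
    "Date: Wed, 20 Sep 2017 15:08:56 GMT\r\n\r\n"
)

# Constructed sample wrapped around the corrupted header quoted in the article.
LEAKING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,"
    '!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"\r\n'
    "Date: Wed, 20 Sep 2017 15:08:56 GMT\r\n\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status, {name: [values]}).

    Repeated headers keep every value: a leaking server may emit Allow twice.
    """
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:  # ignore junk lines instead of failing on them
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def inspect_allow(allow_value):
    """Return findings for one Allow value: empty entries (",,"), repeated
    methods, and entries that are not valid tokens (leaked HTML contains
    spaces and quotes, which a method name never can)."""
    entries = [e.strip() for e in allow_value.split(",")]
    empty = entries.count("")
    seen, duplicates, non_tokens = set(), [], []
    for entry in entries:
        if not entry:
            continue
        if entry in seen and entry not in duplicates:
            duplicates.append(entry)
        seen.add(entry)
        if not TOKEN_RE.match(entry):
            non_tokens.append(entry)
    return {
        "entries": entries,
        "empty_entries": empty,
        "duplicates": duplicates,
        "non_tokens": non_tokens,
        "suspicious": empty > 0 or bool(duplicates) or bool(non_tokens),
    }


def check_response(raw):
    """Inspect every Allow header of a raw response and summarise the result."""
    status, headers = parse_response(raw)
    findings = [inspect_allow(v) for v in headers.get("allow", [])]
    return {
        "status": status,
        "allow_count": len(findings),
        "suspicious": any(f["suspicious"] for f in findings),
        "findings": findings,
    }


def probe(url, attempts=10):
    """Send OPTIONS repeatedly to a host you are authorised to test.

    The leak depends on what happens to occupy the freed memory, so one clean
    answer proves little; one corrupted Allow header is enough to flag the host.
    Network code, not exercised offline.
    """
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    results = []
    for _ in range(attempts):
        conn = cls(parts.hostname, parts.port, timeout=10)
        conn.request("OPTIONS", parts.path or "/")
        resp = conn.getresponse()
        allow = resp.getheader("Allow")  # http.client joins repeated headers with ", "
        resp.read()
        conn.close()
        if allow is not None:
            results.append(inspect_allow(allow))
    return any(r["suspicious"] for r in results), results
```

Because the leak is not deterministic, a single clean answer from a host running an affected version does not prove anything; ‘probe()’ therefore sends several requests and reports the host if any one of them shows a symptom. A server that emits the ‘Allow’ header more than once is also worth a closer look, which is why ‘parse_response()’ keeps every value rather than the last one.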
What is actually happening?
In the .htaccess file of an Apache web server, the ‘<Limit>’ section is used to restrict access to specific HTTP methods, for example to allow only certain users to use them. If a ‘<Limit>’ section in .htaccess names a method that is not registered with the server, i.e. any invalid method name, the memory corruption happens. An attacker who can write an .htaccess file can set such a section deliberately, which is why the bug matters most on shared hosting, where every customer can write their own .htaccess without being the server administrator.
Setting an invalid method in ‘<Limit>’ makes Apache register the method name in memory that is freed again once the request that read the .htaccess file is finished, but Apache keeps referring to that memory afterwards: a use-after-free. The freed memory is later reused for other allocations within the same httpd process, including data belonging to other requests it handles. So when you query the server with an HTTP OPTIONS request, whatever currently occupies that freed memory is copied into the ‘Allow’ header and sent back to you.
Affected versions:
Apache HTTP Server 2.2.34 and prior.
Apache HTTP Server 2.4.27 and prior.
Mitigation:
Apply the patches available for your server version (the fix is included in 2.4.28, and a patch is available for the 2.2 branch).
Ensure a secure configuration of the .htaccess file for a locally hosted Apache web server: no ‘<Limit>’ or ‘<LimitExcept>’ section should name an invalid or unregistered method.
After applying the patch, make sure that no unauthorized modifications of the system have been made, and validate what kind of content is being uploaded.
Run all software as a least-privilege user.
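As an added example covering both the ‘<Limit>’ mechanism explained above and the .htaccess check in the mitigation list (this is not the article's code nor the Apache project's), here is a small audit script that reports every ‘<Limit>’ or ‘<LimitExcept>’ section naming a method that httpd does not register by default. The list of built-in method names is an assumption stated in the code (modules such as mod_dav register more, so extend it for your deployment), and both sample .htaccess files are constructed for the example.

```python
"""Audit .htaccess content for <Limit>/<LimitExcept> sections that name methods
httpd does not register by default (the trigger for CVE-2017-9798).

Added example, not code from the original article or from the Apache project.
KNOWN_METHODS is the set of names built into httpd as I know it; modules can
register more, so extend it for your deployment. Both samples are constructed.
"""
import re

# Assumed built-in registry: httpd's M_* method set plus HEAD, which httpd
# maps onto GET. Anything else is unregistered until a module registers it.
KNOWN_METHODS = {
    "GET", "HEAD", "PUT", "POST", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}

# Directive names are case-insensitive in httpd, but the method names inside
# a <Limit> are case-sensitive, so "post" is just as unregistered as "abcxyz".
SECTION_RE = re.compile(r"<\s*(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)

# Constructed sample: the shape of .htaccess that triggers the bug.
VULNERABLE_HTACCESS = """\
# Customer-written .htaccess on a shared host
<Limit abcxyz>
    Require all denied
</Limit>
<LimitExcept GET post>
    Require valid-user
</LimitExcept>
"""

# Constructed sample: the same intent using only registered method names.
SAFE_HTACCESS = """\
<LimitExcept GET POST HEAD>
    Require valid-user
</LimitExcept>
"""


def blank_comments(text):
    """Replace '#' comment lines with empty lines so that commented-out
    sections are not reported while line numbers stay correct."""
    return "\n".join("" if line.lstrip().startswith("#") else line
                     for line in text.splitlines())


def audit_htaccess(text, known_methods=KNOWN_METHODS):
    """Return one (section, method, line_number) finding per unregistered
    method name in a Limit/LimitExcept section; an empty list is clean."""
    findings = []
    cleaned = blank_comments(text)
    for match in SECTION_RE.finditer(cleaned):
        section = match.group(1)
        line_no = cleaned.count("\n", 0, match.start()) + 1
        for method in match.group(2).split():
            if method not in known_methods:
                findings.append((section, method, line_no))
    return findings


def is_safe(text, known_methods=KNOWN_METHODS):
    """True when no Limit/LimitExcept section names an unregistered method."""
    return not audit_htaccess(text, known_methods)


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_HTACCESS), ("safe", SAFE_HTACCESS)):
        print(label, audit_htaccess(sample))
```

On a shared host the script is most useful run over every customer's .htaccess, since those are the files the administrator did not write. It is a configuration check only: an unpatched server is still vulnerable the moment someone writes a new ‘<Limit>’ with a bad method name, so the audit complements the patch rather than replacing it.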