Introduction:

We all know about ‘Heartbleed’ in OpenSSL, in which you can make the server reply to your request with more data than you asked for. Instead of ignoring the malformed request, the server responds with sensitive data that was never intended for you. A similar bug was recently found, not in OpenSSL but in ‘httpd’, the server program of the Apache Web Server. This vulnerability has been named ‘OptionsBleed’, because the information leaks while the vulnerable Apache Web Server is handling a request sent with the ‘OPTIONS’ method. Let us dive in and take a deeper look at this bug, which has been designated CVE-2017-9798.

Background:

The HTTP OPTIONS method lets us find out which HTTP methods the target server allows. When we send an OPTIONS request, the server response lists all of the allowed methods in the ‘Allow:’ header.

For example:

    HTTP/1.1 200 OK
    Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT
    Public: OPTIONS, TRACE, GET, HEAD, POST, PUT
    Content-Length: 0
    Date: Wed, 20 Sep 2017 15:08:56 GMT

During an experiment, researcher Hanno Böck observed that some servers responded to the OPTIONS method with corrupted responses, such as:

    Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,,     HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE     html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN”    “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”


Responses like this clearly suggested a ‘bleed’-style information leak, and tracking them down led to the deduction that all of these leaks were coming from particular versions of Apache servers.

What is actually happening?

In the .htaccess file of an Apache Web Server, the ‘Limit’ directive is used to restrict specific HTTP methods to specific users. If an attacker who can edit the .htaccess file sets a Limit directive for a method that is not globally registered with the server, i.e. an invalid method, the memory corruption happens.

Setting an invalid method in the ‘Limit’ directive causes Apache to free a block of memory but keep referring to it afterwards (a use-after-free), even while that memory is in use by something else. Therefore, when you query the server with an HTTP OPTIONS request, the ‘Allow’ header hands back whatever data now occupies the freed memory.
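As an added example that is not part of the original article, the following Python check lets a server administrator test their own Apache host for the symptoms described above: it parses an Allow header and flags the empty elements, repeated methods and non-token garbage seen in the corrupted response quoted earlier, and, because the leak depends on what happens to occupy the freed memory, it probes with several OPTIONS requests rather than one. The function names allow_header_anomalies and probe_options and the sample header are my own constructions.

```python
import http.client
import re

# An HTTP method is a single RFC 7230 token; anything else in the Allow
# list (empty items, spaces, quotes, angle brackets) cannot be a method.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def allow_header_anomalies(allow_value: str) -> list:
    """Return the problems found in one Allow header value.

    A healthy header is a comma-separated list of distinct method tokens.
    The OptionsBleed output quoted in the article shows all three symptoms
    checked here: empty elements, HEAD repeated many times, and a chunk of
    HTML (non-token data) that came from freed memory.
    """
    problems = []
    seen = set()
    for item in (s.strip() for s in allow_value.split(",")):
        if item == "":
            problems.append("empty list element")
        elif not TOKEN_RE.match(item):
            problems.append(f"non-token data: {item[:40]!r}")
        elif item in seen:
            problems.append(f"duplicate method: {item}")
        seen.add(item)
    return problems


def probe_options(host: str, path: str = "/", tries: int = 20,
                  timeout: float = 5.0) -> list:
    """Send several OPTIONS requests to a server you administer and collect
    the anomalous Allow values. The leak is non-deterministic, so one clean
    reply proves nothing; repeat and look for any corrupted header."""
    hits = []
    for _ in range(tries):
        conn = http.client.HTTPConnection(host, timeout=timeout)
        try:
            conn.request("OPTIONS", path)
            allow = conn.getresponse().getheader("Allow")
        finally:
            conn.close()
        if allow is not None and allow_header_anomalies(allow):
            hits.append(allow)
    return hits


if __name__ == "__main__":
    # Constructed sample modelled on the corrupted header in the article.
    sample = "GET,HEAD,OPTIONS,, HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC"
    for problem in allow_header_anomalies(sample):
        print(problem)
```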

Affected Versions:

· Apache Web Server 2.2.34 and prior.

· Apache Web Server 2.4.27 and prior.


Recommendations:

· Apply the necessary patches available for the server.

· Ensure that an unaffected version is in use.

· Verify the configuration of the .htaccess file on any locally hosted Apache Web Server.

· Before applying the patch, make sure that no unauthorized modifications have been made to the system.

· Regularly validate what kind of content is being uploaded.

· Run all software as a least-privilege user.