We all know about
‘Heartbleed’ in OpenSSL, in which you can make the target server respond to
your request with more data than originally asked for. Instead of ignoring your
malformed request, the server responds with sensitive data which is not
intended for you. A quite similar bug has been found recently, not in OpenSSL
but the program called ‘httpd’ which belongs to Apache Web Server. This
vulnerability has been termed as ‘OptionsBleed’, as the leakage of
information occurs while we send a request to the vulnerable Apache Web Server
using ‘OPTIONS’ method. Let us dive in and take a deeper look into this bug,
which has been designated as CVE-2017-9798.
The HTTP OPTIONS
method lets us know which HTTP methods are allowed on our target server. When
we send a request using OPTIONS, the server response contains all the allowed
methods, in the ‘Allow:’ header.
HTTP/1.1 200 OK
TRACE, GET, HEAD, POST, PUT
OPTIONS, TRACE, GET, HEAD, POST, PUT
Date: Wed, 20 Sep 2017 15:08:56 GMT
experiment, researcher Hanno Böck observed
that some servers responded with corrupted responses to OPTIONS method, such
Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”
These kinds of
responses clearly suggested a bleed sort of information disclosure, which led
to the conclusion that all those leakage occurred from some particular versions
of Apache servers.
What is actually
In the .htaccess file
of an Apache Web Server, the directive ‘limit’ is used to restrict the access of specific HTTP
methods for some specific users. If the attacker sets a directive in the .htaccess
file for an invalid method, the corruption happens.
Setting up an invalid
method in the ‘limit’ directive makes Apache free up memory, but Apache continues
to refer to that memory, even when the memory is in use for another program.
Therefore, when you send an HTTP OPTIONS request to the server, it gives you
back information about the program which is running on the freed-up memory in
the ‘Allow’ header.
Apache Web Server
2.2.34 and previous.
Apache Web Server
2.4.27 and previous.
patches available for the server.
Make sure you use
an unaffected version.
configuration of .htaccess file for locally hosted Apache Web Server.
the patch, make sure that no unauthorized modifications of the system have been
validate what kind of content is being uploaded.
Run all software
as least-privilege user.