We all know about ‘Heartbleed’ in OpenSSL, in which you can make the target server respond to your request with more data than you originally asked for. Instead of rejecting the malformed request, the server responds with sensitive data that was never intended for you. A quite similar bug has recently been found, not in OpenSSL but in ‘httpd’, the Apache Web Server program. This vulnerability has been termed ‘OptionsBleed’, because the information leaks when a request is sent to the vulnerable Apache Web Server using the ‘OPTIONS’ method. Let us dive in and take a deeper look at this bug, which has been designated CVE-2017-9798.
The HTTP OPTIONS method lets us know which HTTP methods are allowed on our target server. When we send a request using OPTIONS, the server response lists all the allowed methods in the ‘Allow:’ header, for example:

HTTP/1.1 200 OK
Date: Wed, 20 Sep 2017 15:08:56 GMT
Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT
During an experiment, researcher Hanno Böck observed that some servers responded to the OPTIONS method with corrupted responses, such as:

Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"

Responses like this, with empty and repeated entries and a fragment of an HTML document where only method names belong, clearly suggested a Heartbleed-style information disclosure, and they led to the conclusion that all those leaks came from particular versions of Apache servers.
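The observation above is easy to reproduce as a check: send a server a number of OPTIONS requests and look for Allow headers that do not look like a clean list of method names. The following script is an added example, not code from the original article or from the Apache project or Hanno Böck's scanner; it only recognises the symptom described above (stray commas, repeated method names, characters that cannot appear in a method token), and the corrupted sample header it ships with is the one quoted in the text. The host name and port are supplied on the command line and are not part of the page.

```python
"""Probe a web server with repeated OPTIONS requests and flag malformed Allow
headers.  Added example, not code from the original article or from the Apache
project: it recognises the symptom described above (stray commas, repeated
method names, non-token bytes in Allow), nothing about the bug's internals."""
import http.client
import string
import sys

# RFC 7230 "tchar": the only characters a method name may contain.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def analyze_allow(allow_value):
    """Return a list of findings for one Allow header value; [] means it looks sane."""
    if allow_value is None:
        return ["no Allow header in response"]
    findings = []
    tokens = [t.strip() for t in allow_value.split(",")]
    if "" in tokens:
        findings.append("empty token(s): stray commas in the method list")
    bad = [t for t in tokens if t and not set(t) <= TCHAR]
    if bad:
        findings.append("non-token characters in method name(s): %r" % bad[:3])
    seen, dupes = set(), set()
    for t in tokens:
        if t and t in seen:
            dupes.add(t)
        seen.add(t)
    if dupes:
        findings.append("repeated method name(s): %r" % sorted(dupes))
    return findings


def probe(host, port=80, path="/", attempts=20, timeout=5):
    """Send `attempts` OPTIONS requests and return [(status, allow_header), ...].
    Leaked memory differs between requests, so a single request proves little."""
    results = []
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("OPTIONS", path)
            resp = conn.getresponse()
            resp.read()                       # drain the body before closing
            results.append((resp.status, resp.getheader("Allow")))
        finally:
            conn.close()
    return results


# Constructed samples: a healthy Allow value and the corrupted one quoted above.
HEALTHY = "OPTIONS, TRACE, GET, HEAD, POST, PUT"
CORRUPTED = ('GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,'
             '!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
             '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"')

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # usage: python probe.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for status, allow in probe(sys.argv[1], port):
            print(status, repr(allow), analyze_allow(allow) or "ok")
    else:                                     # offline: run the detector on the samples
        for name, value in (("healthy", HEALTHY), ("corrupted", CORRUPTED)):
            print(name, "->", analyze_allow(value) or "ok")
```

Run it without arguments to see the detector classify the two embedded samples, or with a host (and optional port) to probe a server you are authorised to test. Because the leaked bytes change from request to request, the probe sends twenty requests by default; a clean server returns the same well-formed Allow value every time.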
What is actually happening?
In the .htaccess file of an Apache Web Server, the ‘Limit’ directive (written as a ‘<Limit>’ block) is used to restrict specific HTTP methods to specific users. If an attacker who can write to an .htaccess file sets a ‘Limit’ directive for an invalid method, one that httpd has not registered, the corruption happens.
Setting an invalid method in the ‘Limit’ directive makes Apache free the memory that was meant to hold a valid method name, but Apache continues to refer to that memory (a use-after-free) even after the same httpd process has reused it for other data. Therefore, when you send an HTTP OPTIONS request to the server, the ‘Allow’ header gives you back whatever now lives in that freed memory, such as fragments of other requests and responses.
The affected versions are Apache Web Server 2.2.34 and previous, and Apache Web Server 2.4.27 and previous.
Patches are available for the server; apply them and make sure you use an unaffected version.
Review the configuration of the .htaccess file for a locally hosted Apache Web Server, in particular any ‘Limit’ directive that names an unknown method.
After applying the patch, make sure that no unauthorized modifications of the system have been made, and validate what kind of content is being uploaded to the server.
Run all software as a least-privilege user, i.e. without admin privileges. It limits what a leaking or compromised process can reach.
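As an added example serving both the explanation of the trigger above and the .htaccess review step, here is a small audit script, not from the article or the Apache project, that scans httpd configuration text for ‘<Limit>’ and ‘<LimitExcept>’ blocks naming a method httpd would not recognise. The allow-list of known methods, the constructed sample .htaccess and the placeholder method name FOOBAR are assumptions made for the example; extend the allow-list for modules that register their own methods.

```python
"""Audit .htaccess / httpd configuration text for <Limit>/<LimitExcept> blocks
naming unregistered HTTP methods, the configuration shape the article describes
as the trigger.  Added example, not the article's or the Apache project's code."""
import re
import sys

# Assumption: a conservative allow-list of methods a stock httpd knows about
# (core HTTP plus WebDAV/DeltaV).  Extend it for modules that register more.
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION_CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE_CONTROL", "MERGE",
})

# Opening tag of a <Limit ...> or <LimitExcept ...> block; the tag name itself
# is case-insensitive in httpd, the method names inside it are not.
LIMIT_OPEN = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)


def audit_config(text, known=KNOWN_METHODS):
    """Return [(line_no, directive, method), ...] for every method name in a
    <Limit>/<LimitExcept> opening tag that is not in `known`.  Comment lines
    (starting with '#') are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = LIMIT_OPEN.match(line)
        if not m:
            continue
        directive, args = m.group(1), m.group(2)
        for method in args.split():
            method = method.strip('"\'')       # httpd accepts quoted arguments
            if method not in known:            # case-sensitive on purpose
                findings.append((line_no, directive, method))
    return findings


# Constructed sample .htaccess: the first and third blocks are fine, the second
# names a method httpd does not register (the shape described as the trigger).
SAMPLE_HTACCESS = """\
# Constructed sample .htaccess: the first block is fine, the second names a
# method httpd does not register (the shape the article describes as the trigger).
<Limit GET POST>
    Require all granted
</Limit>
<Limit GET FOOBAR>
    Require valid-user
</Limit>
<LimitExcept GET HEAD OPTIONS>
    Require ip 10.0.0.0/8
</LimitExcept>
"""

if __name__ == "__main__":
    # usage: python audit_limit.py [path/to/.htaccess]; no argument audits the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for line_no, directive, method in audit_config(text):
        print("line %d: <%s> names unregistered method %r" % (line_no, directive, method))
```

Point the script at every .htaccess that users or deployment tooling can write, and at the main httpd configuration as well, since a ‘<Limit>’ with an unregistered method is the same trigger wherever it appears. A finding is not by itself a sign of compromise, but an unexplained block like the second one in the sample deserves the same attention as any other unauthorized modification.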