views:

254

answers:

2

Slightly unorthodox question here:

I'm currently trying to break an Apache with a handful of custom modules.

What spawned the testing is that Apache internally forwards requests that it considers too large (e.g. 1 MB trash) to modules hooked in appropriately, forcing them to deal with the garbage data - and lack of handling in the custom modules caused Apache in its entirety to go up in flames. Ouch, ouch, ouch.

That particular issue was fortunately fixed, but the question's arisen whether or not there may be other similar vulnerabilities.

Right now I have a tool at my disposal that lets me send a raw HTTP request to the server (or rather, raw data through an established TCP connection that could be interpreted as an HTTP request if it followed the form of one, e.g. "GET ...") and I'm trying to come up with other ideas. (TCP-level attacks like Slowloris and Nkiller2 are not my focus at the moment.)

Does anyone have a few nice ideas how to confuse the server's custom modules to the point of server-self-immolation?

  • Broken UTF-8? (Though I doubt Apache cares about encoding - I imagine it just juggles raw bytes.)
  • Stuff that is only barely too long, followed by a 0-byte, followed by junk?
  • et cetera

I don't consider myself a very good tester (I'm doing this by necessity and lack of manpower; I unfortunately don't even have a more than basic grasp of Apache internals that would help me along), which is why I'm hoping for an insightful response or two or three. Maybe some of you have done some similar testing for your own projects?

(If stackoverflow is not the right place for this question, I apologise. Not sure where else to put it.)

+8  A: 

Apache is one of the most hardened software projects on the face of the planet. Finding a vulnerability in Apache's HTTPD would be no small feat and I recommend cutting your teeth on some easier prey. By comparison it is more common to see vulnerabilities in other HTTPDs such as this one in Nginx that I saw today (no joke). There have been other source code disclosure vulnerablites that are very similar, I would look at this and here is another. lhttpd has been abandoned on sf.net for almost a decade and there are known buffer overflows that affect it, which makes it a fun application to test.

When attacking a project you should look at what kind of vulnerabilities have been found in the past. Its likely that programmers will make the same mistakes again and again and often there are patterns that emerge. By following these patterns you can find more flaws. You should try searching vulnerablites databases such as Nist's search for CVEs. One thing that you will see is that apache modules are most commonly compromised.

A project like Apache has been heavily fuzzed. There are fuzzing frameworks such as Peach. Peach helps with fuzzing in many ways, one way it can help you is by giving you some nasty test data to work with. Fuzzing is not a very good approach for mature projects, if you go this route I would target apache modules with as few downloads as possible. (Warning projects with really low downloads might be broken or difficult to install.)

When a company is worried about secuirty often they pay a lot of money for an automated source analysis tool such as Coverity. The Department Of Homeland Security gave Coverity a ton of money to test open source projects and Apache is one of them. I can tell you first hand that I have found a buffer overflow with fuzzing that Coverity didn't pick up. Coverity and other source code analysis tools like the open source Rats will produce a lot of false positives and false negatives, but they do help narrow down the problems that affect a code base.

(When i first ran RATS on the Linux kernel I nearly fell out of my chair because my screen listed thousands of calls to strcpy() and strcat(), but when i dug into the code all of the calls where working with static text, which is safe.)

Vulnerability resarch an exploit development is a lot of fun. I recommend exploiting PHP/MySQL applications and exploring The Whitebox. This project is important because it shows that there are some real world vulnerabilities that cannot be found unless you read though the code line by line manually. It also has real world applications (a blog and a shop) that are very vulnerable to attack. In fact both of these applications where abandoned due to security problems. A web application fuzzer like Wapiti or acuentix will rape these applications and ones like it. There is a trick with the blog. A fresh install isn't vulnerable to much. You have to use the application a bit, try logging in as an admin, create a blog entry and then scan it. When testing a web application application for sql injection make sure that error reporting is turned on. In php you can set display_errors=On in your php.ini.

Good Luck!

Rook
@The Rook +1 for a comprehensive answer but feat not feet!
Martin Smith
@Martin Smith Haha, thats what edits are for.
Rook
"*Finding a vulnerability in Apache's HTTPD would be no small feat*" - I'm not trying to find a vulnerability in Apache, but one related to how Apache feeds its modules, since we have custom modules, and *because* Apache is so hardened, it's easy to fall prey to traps like the overlong request one. I'll change the bolded question to be clearer in that regard (reading just that makes me think, what the hell was I on when I wrote that! it's begging to be mistaken). (Will write another comment in a second!)
pinkgothic
I upvoted your question for now. I'm ***loving*** some of the links you supplied. They're largely not really an answer to my question, but I want you to know I am nonetheless *eternally* grateful for them. They will, without a doubt, come in handy. The Nist and PeachFuzzing look like they might help me in this particular case, but I've only given them a preliminary glance so far. I'll report back!
pinkgothic
@pinkgothic cool i'm glad you dig it.
Rook
@pinkgothic If you have any questions feel free to post here, i check my messages.
Rook
@The Rook: Sorry about that. Was off work from Thursday to Sunday and my home laptop is a bit iffy at the moment. I hope I'll have time to look into this before the bounty expires.
pinkgothic
@The Rook: Just some feedback for you: the Peach Fuzzer is definitely extremely appreciated, thank you so much for that link! :)
pinkgothic
@pinkgothic I'm glad you like it.
Rook
+3  A: 

Depending on what other modules you have hooked in, and what else activates them (or is it only too-large requests?), you might want to try some of the following:

  • Bad encodings - e.g. overlong utf-8 like you mentioned, there are scenarios where the modules depend on that, for example certain parameters.
  • parameter manipulation - again, depending on what the modules do, certain parameters may mess with them, either by changing values, removing expected parameters, or adding unexpected ones.
  • contrary to your other suggestion, I would look at data that is just barely short enough, i.e. one or two bytes shorter than the maximum, but in different combinations - different parameters, headers, request body, etc.
  • Look into HTTP Request Smuggling (also here and here) - bad request headers or invalid combinations, such as multiple Content-Length, or invalid terminators, might cause the module to misinterpret the command from Apache.
  • Also consider gzip, chunked encoding, etc. It is likely that the custom module implements the length check and the decoding, out of order.
  • What about partial request? e.g requests that cause a 100-Continue response, or range-requests?
  • The fuzzing tool, Peach, recommended by @TheRook, is also a good direction, but don't expect great ROI first time using it.
  • If you have access to source code, a focused security code review is a great idea. Or, even an automated code scan, with a tool like Coverity (as @TheRook mentioned), or a better one...
  • Even if you don't have source code access, consider a security penetration test, either by experienced consultant/pentester, or at least with an automated tool (there are many out there) - e.g. appscan, webinspect, netsparker, acunetix, etc etc.
AviD
Thanks for your response! This sounds *excellently* helpful. Regarding your last two points: We're looking into getting someone who can review the code, but alas, that's a month in, so far, and without luck. You'd think finding a C Code Auditer would be easier than this. :) And pentesting will be done, just a notch later; development/testing is a bit waterfall-y in this, so development tries to nudge in some testing of their own before things are passed on to test.
pinkgothic
re the waterfall/pentest, you should probably be able to set up a dev server, even just to run a limited, initial pentest/fuzzing. Might be a bit duplication of effort, but I've found it is often worth doing this early on as possible - unless there are politics around ownership and such... In any event, if you're planning a code review anyway, its fine to push off the pentest till after that anyway.
AviD
Figured I'd accept your answer since it's more of an *answer* than The Rook's (wish there was a way of splitting a bounty). :) (P.S. I'd contact you via linkedin (at the very least to unclutter stackoverflow comments) but I don't use that site and apparently I need to pay to do that, which seems excessive for a site I, well, don't use.)
pinkgothic