Apache HTTP Server mod_proxy Reverse Proxy Information Disclosure

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(56972);
  script_version("1.17");
  script_cvs_date("Date: 2018/06/27 18:42:26");

  script_cve_id("CVE-2011-3368", "CVE-2011-4317");
  script_bugtraq_id(49957, 50802);
  script_xref(name:"EDB-ID", value:"17969");

  script_name(english:"Apache HTTP Server mod_proxy Reverse Proxy Information Disclosure");
  script_summary(english:"Make a malformed HTTP request");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The web server running on the remote host has an information
disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Apache HTTP Server running on the remote host is
affected by an information disclosure vulnerability. When configured
as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch
directives could cause the web server to proxy requests to arbitrary
hosts. This allows a remote attacker to indirectly send requests to
intranet servers."
  );
  # http://mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696%40redhat.com%3E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7fedbcf7");
  script_set_attribute(attribute:"see_also", value:"https://community.qualys.com/blogs/securitylabs/tags/cve-2011-4317");
  script_set_attribute(attribute:"see_also", value:"http://thread.gmane.org/gmane.comp.apache.devel/46440");
  script_set_attribute(attribute:"see_also", value:"http://httpd.apache.org/security/vulnerabilities_22.html");
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to Apache httpd 2.2.22 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/29");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

# Make sure this looks like Apache unless paranoid
if (report_paranoia < 2)
{
  server = http_server_header(port:port);

  if ( 'ibm_http_server' >!< tolower(server) && 'apache' >!< tolower(server) && 'oracle http server' >!< tolower(server) && 'oracle-http-server' >!< tolower(server) )
    exit(0, 'The web server on port ' + port + ' doesn\'t look like an Apache-based httpd.');

  # looks like Apache _httpd_
  if ('apache' >< tolower(server) && ( 'coyote' >< tolower(server) || 'tomcat' >< tolower(server)) )
    exit(0, 'The web server on port ' + port + ' doesn\'t look like Apache httpd.');
}

pages = make_list('/');

foreach page (pages)
{
  # GET 1324:@target-host/page
  # misconfigured servers reconstruct the URI as http://intended-host@target-host/page
  # instead of responding with an HTTP 400. this PoC should cover both CVEs
  url = strcat(unixtime(), ':@', get_host_ip(), page);
  res = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);
  headers = parse_http_headers(status_line:res[0], headers:res[1]);
  http_code = headers['$code'];

  # the patched server should always send a 400. just to be on the safe side,
  # we'll explicitly check for a 200 or 404
  if (http_code == 404 || http_code == 200)
  {
   # GET 1324:@target-host:likely-closed-port/page
   # misconfigured servers reconstruct the URI as http://intended-host@target-host:likely-closed-port/page
   # instead of responding with an HTTP 400. this PoC should cover both CVEs
   url = strcat(unixtime(), ':@localhost:', (rand() % 535 + 65000), page);
   res = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);
   headers = parse_http_headers(status_line:res[0], headers:res[1]);
   http_code = headers['$code'];

   # the patched server should always send a 400. 
   # we'll explicitly check for a 503 (resulting from trying to connect to a closed port)
   if (http_code == 503)
  {
    # this will prevent the other plugin (that checks for the
    # incomplete fix for this CVE) from running
    set_kb_item(name:'/tmp/CVE-2011-3368', value:TRUE);

    if (report_verbosity > 0)
   {
    report =
      '\nNessus verified this by sending the following request :\n\n' +
      chomp(http_last_sent_request()) + '\n';

    if (report_verbosity > 0)
    {
      report +=
        '\nWhich resulted in a non-400 response :\n\n' +
        res[0] +
        chomp(res[1]) + '\n';
    }

    security_warning(port:port, extra:report);
  }
  else security_warning(port);

  exit(0);
  }
 }
}
exit(1, 'Unable to determine if the system is vulnerable on port ' + port);