Introduction:

We all know about ‘Heartbleed’ in OpenSSL, where a malformed request makes the
target server respond with more data than was asked for: instead of rejecting
the request, the server answers with sensitive memory contents that were never
intended for the client. A quite similar bug was found recently, not in OpenSSL
but in ‘httpd’, the program that belongs to the Apache Web Server. It has been
named ‘OptionsBleed’ because the information leaks when a request is sent to
the vulnerable Apache Web Server using the ‘OPTIONS’ method. Let us dive in and
take a deeper look at this bug, which has been designated CVE-2017-9798.


Background:

The HTTP OPTIONS method tells us which HTTP methods are allowed on our target
server. When we send an OPTIONS request, the server lists all the allowed
methods in the ‘Allow:’ header of its response.

For example:

    HTTP/1.1 200 OK
    Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT
    Public: OPTIONS, TRACE, GET, HEAD, POST, PUT
    Content-Length: 0
    Date: Wed, 20 Sep 2017 15:08:56 GMT

During an experiment, researcher Hanno Böck observed that some servers replied
to OPTIONS requests with corrupted responses, such as:

    Allow: GET,HEAD,OPTIONS,, HEAD,,HEAD,,     HEAD,,HEAD,,HEAD,,HEAD,POST, HEAD,!DOCTYPE     html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN”    “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”

Responses like these clearly pointed to a ‘bleed’ style of information
disclosure, and it was concluded that all of the leaks came from some
particular versions of Apache servers.

What is actually happening?

In the .htaccess file of an Apache Web Server, the ‘limit’ directive is used to
restrict specific HTTP methods to specific users. If an attacker sets this
directive in the .htaccess file for an invalid method, the corruption occurs.

Naming an invalid method in the ‘limit’ directive makes Apache free a block of
memory while still holding a reference to it (a use-after-free), so Apache keeps
reading that memory even when it is already in use for something else.
Therefore, when you send an HTTP OPTIONS request to the server, it hands back
whatever now occupies the freed memory in the ‘Allow’ header.

Affected Versions:

· Apache Web Server 2.2.34 and previous.

· Apache Web Server 2.4.27 and previous.

Recommendations:

· Apply the necessary patches available for the server.

· Make sure you use an unaffected version.

· Verify the configuration of the .htaccess file on any locally hosted Apache Web Server.

· Before applying the patch, make sure that no unauthorized modifications of the system have been made.

· Frequently validate what kind of content is being uploaded.

· Run all software as a least-privilege user.
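To put the .htaccess check and the OPTIONS-response check into practice, here is an added Python example (not code from the original article or from the Apache project): it flags the corruption pattern shown earlier in an ‘Allow:’ header value, and lists any method named in a <Limit> or <LimitExcept> block that is not a standard method. The sample header values and the .htaccess fragment, including the invalid method name ABC, are constructed for the example.

```python
import re

# RFC 7230 "token" characters: what a legitimate HTTP method name may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]*)>", re.IGNORECASE)

# Methods a <Limit> block would normally name (RFC 7231 plus common WebDAV
# ones); anything else is reported so it can be reviewed by hand.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def check_allow_header(value):
    """Return the anomalies found in an 'Allow:' header value.

    A healthy value is a comma-separated list of distinct method tokens; empty
    elements, repeated methods and non-token data are the corruption pattern
    seen in the OptionsBleed responses.
    """
    findings, seen = [], set()
    for item in (part.strip() for part in value.split(",")):
        if item == "":
            findings.append("empty element")
        elif not TOKEN_RE.match(item):
            findings.append("non-token data: %r" % item)
        elif item in seen:
            findings.append("repeated method: " + item)
        seen.add(item)
    return findings


def find_unknown_limit_methods(htaccess_text):
    """Return method names in <Limit>/<LimitExcept> blocks not in KNOWN_METHODS."""
    return [m for match in LIMIT_RE.finditer(htaccess_text)
            for m in match.group(1).split() if m.upper() not in KNOWN_METHODS]


# Constructed samples: the clean header from the example above, a shortened
# version of the corrupted one, and a hypothetical .htaccess fragment.
CLEAN_ALLOW = "OPTIONS, TRACE, GET, HEAD, POST, PUT"
CORRUPT_ALLOW = "GET,HEAD,OPTIONS,, HEAD,,HEAD,POST, HEAD,!DOCTYPE html PUBLIC"
SAMPLE_HTACCESS = ("<Limit GET POST>\nRequire valid-user\n</Limit>\n"
                   "<Limit ABC>\nRequire all denied\n</Limit>\n")

if __name__ == "__main__":
    print("clean header:", check_allow_header(CLEAN_ALLOW))
    print("corrupt header:", check_allow_header(CORRUPT_ALLOW))
    print("unknown <Limit> methods:", find_unknown_limit_methods(SAMPLE_HTACCESS))
```

A clean server yields an empty findings list for its ‘Allow:’ value; anything else is worth comparing against the server's patch level and its .htaccess files.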