# Project notes
## Very detailed write-ups
https://teamt5.org/tw/posts/apache-http-server-vulnerabilty-on-windows-2021/
https://www.secrss.com/articles/34890
https://www.cnblogs.com/AikN/p/16016824.html
https://xz.aliyun.com/t/10359
https://www.jianshu.com/p/3076d9ec68cf
## Other references
https://www.apachefriends.org/zh_tw/download.html
https://ic.cgu.edu.tw/p/406-1016-91252,r62.php?Lang=zh-tw
https://cybersophia.net/vulnerability/zero-day-path-traversal-vulnerability-in-apache-cve-2021-41773/
https://downloads.apache.org/httpd/
Where to download the source code:
http://archive.apache.org/dist/httpd/
:::spoiler CHANGES 2.4.50
```
-*- coding: utf-8 -*-
Changes with Apache 2.4.50
*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
A flaw was found in a change made to path normalization in
Apache HTTP Server 2.4.49. An attacker could use a path
traversal attack to map URLs to files outside the expected
document root.
If files outside of the document root are not protected by
"require all denied" these requests can succeed. Additionally
this flaw could leak the source of interpreted files like CGI
scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Credits: This issue was reported by Ash Daulton along with the
cPanel Security Team
*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
(cve.mitre.org)
While fuzzing the 2.4.49 httpd, a new null pointer dereference
was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a
specially crafted request.
The vulnerability was recently introduced in version 2.4.49. No
exploit is known to the project.
Credits: Apache httpd team would like to thank LI ZHI XIN from
NSFocus Security Team for reporting this issue.
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
the uri-path when it's preceded by a dot. [Yann Ylavic]
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
[Stefan Eissing]
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
had no hostname ("unix:/..."). [Yann Ylavic]
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
*) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
[Janne Peltonen <janne.peltonen sange.fi>]
*) event mpm: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild.
PR 65592 [Ruediger Pluem]
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Adds all other, never proposed code changes to make a clean
sync of http2 sources. [Stefan Eissing]
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests. [Ruediger Pluem]
*) core: do not install core input/output filters on secondary
connections. [Stefan Eissing]
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent that failures in running the pre_connection
hook cause crashes afterwards. [Ruediger Pluem]
*) mod_speling: Add CheckBasenameMatch PR 44221. [Christophe Jaillet]
```
:::
## Some notes
httpd-2.4.49\modules\dav\main\util.c

According to the second article, the problematic function (or one of them?) is this one; it was only added in 2.4.49.
The function lives in httpd-2.4.49\server\util.c (screenshot not complete).

Compare httpd-2.4.49\server\util.c with httpd-2.4.50\server\util.c.

## Comparing the two versions with Compare Folder
* include\ap_mmn.h : not important; only comments and the version number change
* include\ap_release.h : not important; version bump
* include\http_connection.h : mostly about the ap_pre_connection() added in 2.4.50 (and most of the diff is comments)
* server\mpm\event\event.c : the change around line 998 is related to ap_pre_connection; not sure about the one around line 2811, but it feels unrelated
* server\connection.c : related to ap_pre_connection
* server\core.c : related to ap_pre_connection
* ==server\util.c : this should be the key one! It concerns the ap_normalize_path function==
* modules\dav\main\mod_dav.c : related to ap_pre_connection
* modules\http2 : did not understand any of it; come back if a related function turns up
* modules\mappers\mod_rewrite.c : seems to be path-related, so it may matter; lines 620~626 were added in 2.4.50
* modules\mappers\mod_speling.c : quite a lot changed; come back if a related function turns up
* modules\md : did not understand it, but it appears to fix other things
* modules\proxy\proxy_util.c : did not understand it, but it appears to fix other things
## ap_normalize_path
So at this point the problem appears to be mainly in the ap_normalize_path function.
The main difference should be here:

The 2.4.50 version of the condition that recognises the second dot of a `..` segment (the `decode_unreserved` alternative is what the fix adds):
`((path[n] == '.' || (decode_unreserved && path[n] == '%' && path[++n] == '2' && (path[++n] == 'e' || path[n] == 'E')))`
Finding the root cause and the fix by comparing the source:
2.4.49 added the ap_normalize_path function, which normalizes the URL path (collapsing `.` and `..` segments and, with AP_NORMALIZE_DECODE_UNRESERVED, decoding percent-encoded unreserved characters).
A literal `.` in the path is special-cased, but `%2e` / `%2E`, which decode to `.`, are not recognised when they stand in for the second dot of `..`: the check looks ahead at the next raw byte before that byte has been percent-decoded.
The 2.4.50 fix is essentially to accept `%2e` / `%2E` as a spelling of that second dot.
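To make the 2.4.49 / 2.4.50 difference concrete, the following is an added example written for these notes, not code from httpd: a simplified re-implementation of the segment loop in `ap_normalize_path()` with a `fixed` switch, so the same request path can be run through the 2.4.49-style and the 2.4.50-style check. The flag names `NORM_DECODE_UNRESERVED` / `NORM_NOT_ABOVE_ROOT`, the helper `normalizes_to()` and the sample path `/cgi-bin/.%2e/.%2e/etc/passwd` are all constructed here; slash merging and relative-path handling are left out.

```c
/* Added example (not httpd's code): simplified re-implementation of the
 * segment loop in ap_normalize_path(), modelling only what CVE-2021-41773
 * needs. fixed == 0 mirrors the 2.4.49 logic, fixed != 0 the 2.4.50 logic. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NORM_DECODE_UNRESERVED 0x01   /* decode %2E etc. while normalising */
#define NORM_NOT_ABOVE_ROOT    0x02   /* fail if ".." would climb past "/" */
#define IS_SLASH(c)        ((c) == '/')
#define IS_SLASH_OR_NUL(c) (IS_SLASH(c) || (c) == '\0')

/* RFC 3986 unreserved: ALPHA / DIGIT / "-" / "." / "_" / "~" */
static int is_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Normalise `path` in place. Returns 1 on success, 0 on a bad escape or when
 * NORM_NOT_ABOVE_ROOT is set and ".." appears at the root. */
int normalize_path(char *path, unsigned flags, int fixed)
{
    int ret = 1, decode = (flags & NORM_DECODE_UNRESERVED) != 0;
    size_t l = 1, w = 1, n;
    if (!IS_SLASH(path[0])) return 0;
    while (path[l] != '\0') {
        /* Percent-decoding only touches the octet at the read position l;
         * bytes further ahead are still raw when the dot checks look at them. */
        if (decode && path[l] == '%') {
            if (isxdigit((unsigned char)path[l + 1]) &&
                isxdigit((unsigned char)path[l + 2])) {
                char hex[3] = { path[l + 1], path[l + 2], '\0' };
                char c = (char)strtol(hex, NULL, 16);
                if (is_unreserved((unsigned char)c)) {
                    l += 2;              /* "%XY" collapses onto its last byte */
                    path[l] = c;
                }
            }
            else
                ret = 0;                 /* truncated or non-hex escape */
        }

        if (w == 0 || IS_SLASH(path[w - 1])) {     /* start of a segment */
            if (path[l] == '.') {
                if (IS_SLASH_OR_NUL(path[l + 1])) {  /* "/./": drop it */
                    l++;
                    if (path[l]) l++;
                    continue;
                }
                /* "/xx/../": inspect the second dot. 2.4.49 accepts only a
                 * literal '.', so ".%2e/" is copied as ordinary bytes and
                 * decodes to "../" one iteration later. 2.4.50 also accepts
                 * "%2e" / "%2E" here (the decode_unreserved alternative). */
                n = l + 1;
                if ((path[n] == '.'
                     || (fixed && decode && path[n] == '%'
                         && path[++n] == '2'
                         && (path[++n] == 'e' || path[n] == 'E')))
                    && IS_SLASH_OR_NUL(path[n + 1])) {
                    if (w > 1) {         /* wind w back to the previous '/' */
                        do { w--; } while (w && !IS_SLASH(path[w - 1]));
                    }
                    else if (flags & NORM_NOT_ABOVE_ROOT)
                        ret = 0;         /* ".." at the root */
                    l = n + 1;
                    if (path[l]) l++;
                    continue;
                }
            }
        }
        path[w++] = path[l++];
    }
    path[w] = '\0';
    return ret;
}

/* Check helper: normalise a copy of `in` and report whether both the result
 * string and the status code match what is expected. */
int normalizes_to(const char *in, unsigned flags, int fixed,
                  const char *expected, int expected_rc)
{
    char buf[256];
    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    return normalize_path(buf, flags, fixed) == expected_rc
        && strcmp(buf, expected) == 0;
}

int main(void)
{   /* Constructed request path, run through both variants. */
    char a[] = "/cgi-bin/.%2e/.%2e/etc/passwd", b[] = "/cgi-bin/.%2e/.%2e/etc/passwd";
    unsigned flags = NORM_DECODE_UNRESERVED | NORM_NOT_ABOVE_ROOT;
    int ra = normalize_path(a, flags, 0), rb = normalize_path(b, flags, 1);
    printf("2.4.49-style: rc=%d %s\n2.4.50-style: rc=%d %s\n", ra, a, rb, b);
    return 0;
}
```

Compile with `cc -Wall example.c`. The 2.4.49-style run keeps the `..` segments in its output (`/cgi-bin/../../etc/passwd`, status 1), and it is the later file-system lookup that resolves them outside the document root; the 2.4.50-style run recognises `.%2e` as `..`, winds the previous segment back and, with the not-above-root flag set, rejects the path. The example goes slightly beyond the `.%2e/` case on this page: `%2e%2e/` behaves the same way in both variants, because only the byte at the read position goes through the decoder before the dot checks run.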

In the 2.4.49 version the `.%2e/` case is therefore not caught by the special handling, so
