Apache log file vulnerability may allow arbitrary code execution

大树 2013-05-31 607457 views, 21 comments, Vulnerabilities

Security researchers abroad recently found a vulnerability in the Apache HTTP Server: the Rewritelog() function in modules/mappers/mod_rewrite.c does not properly handle certain escape sequences, so an attacker can inject content into the log file by sending a specially crafted HTTP request. If the request contains terminal emulator escape sequences, this may allow the attacker to execute commands without administrator privileges.

The vulnerability is currently known to affect Apache 2.2.x, but other versions may also be affected. The official mitigation is as follows:

Index: CHANGES
===================================================================
--- CHANGES	(revision 1469310)
+++ CHANGES	(working copy)
@@ -1,8 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.25
 
+  *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+     mod_rewrite: Ensure that client data written to the RewriteLog is
+     escaped to prevent terminal escape sequences from entering the
+     log file.  [Joe Orton]
 
-
 Changes with Apache 2.2.24
 
   *) SECURITY: CVE-2012-3499 (cve.mitre.org)
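Review bot: the CHANGES entry only mentions client data written to the RewriteLog, but the accompanying mod_rewrite.c hunks also escape the remote host, the remote name, the authenticated user and the server name; the entry should say that these fields are now escaped too, since anything parsing RewriteLog output will see the changed format. The stray `-` line that drops a blank line between the 2.2.25 and 2.2.24 sections is unrelated whitespace churn and could be left out of a security patch.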
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c	(revision 1469310)
+++ modules/mappers/mod_rewrite.c	(working copy)
@@ -500,11 +500,11 @@
 
     logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
                                     "(%d) %s%s%s%s" APR_EOL_STR,
-                           rhost ? rhost : "UNKNOWN-HOST",
-                           rname ? rname : "-",
-                           r->user ? (*r->user ? r->user : "\"\"") : "-",
+                           rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
+                           rname ? ap_escape_logitem(r->pool, rname) : "-",
+                           r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
                            current_logtime(r),
-                           ap_get_server_name(r),
+                           ap_escape_logitem(r->pool, ap_get_server_name(r)),
                            (void *)(r->server),
                            (void *)r,
                            r->main ? "subreq" : "initial",
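Review bot: `ap_get_server_name(r)` is escaped here while `current_logtime(r)`, the `%pp` pointers and the fixed literals are not; that split is correct (only the former can be derived from the request), but a one-line comment stating which arguments are client-derived would keep a future edit from adding another unescaped field. Style-wise the three rewritten ternaries now run well past 80 columns; pulling the escaped values into local variables above `apr_psprintf` would make the format call readable again.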
@@ -514,7 +514,7 @@
                            perdir ? "[perdir " : "",
                            perdir ? perdir : "",
                            perdir ? "] ": "",
-                           text);
+                           ap_escape_logitem(r->pool, text));
 
     nbytes = strlen(logline);
     apr_file_write(conf->rewritelogfp, logline, &nbytes);
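Review bot: escaping `text` is the core of the fix, since it is the rewrite engine's message carrying the request URI and rewrite results, but `perdir` is still written raw in the lines just above; it is a per-directory path from the server's own configuration, so the risk is low, yet escaping it with the same `ap_escape_logitem(r->pool, ...)` call would make every string field of the line uniformly escaped and remove a special case. `nbytes = strlen(logline)` measures the already escaped line, so the write length stays consistent.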

Patch URL: http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch

mod_rewrite.c source file, for study and research
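To make the fix concrete, here is an added example (not httpd's own code and not part of the patch above): a small escaper that follows the convention of httpd's ap_escape_logitem(), which is assumed to map \b \n \r \t \v \\ and " to backslash forms and every other non-printable byte to \xHH, plus a check that counts raw control bytes in lines of an already-written RewriteLog. The sample request line is constructed.

```c
/* Added example, not httpd code: escape a log item the way the CVE-2013-1862
 * fix does, and flag log lines that still contain raw control bytes. */
#include <stdio.h>
#include <string.h>

/* Escape one log item into a caller-supplied buffer.
 * Returns out on success, NULL if the escaped text does not fit. */
char *escape_logitem(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        char tmp[5];
        const char *rep = tmp;
        switch (*s) {
        case '\b': rep = "\\b";  break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        case '\t': rep = "\\t";  break;
        case '\v': rep = "\\v";  break;
        case '\\': rep = "\\\\"; break;
        case '"':  rep = "\\\""; break;
        default:
            if (*s < 0x20 || *s >= 0x7f)          /* ESC, BEL, DEL, 8-bit bytes */
                snprintf(tmp, sizeof tmp, "\\x%02x", *s);
            else { tmp[0] = (char)*s; tmp[1] = '\0'; }
        }
        size_t n = strlen(rep);
        if (o + n >= outlen) return NULL;       /* leave room for the NUL */
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return out;
}

/* Count raw control bytes (other than the line terminator) in a log line.
 * A non-zero result means the line was written without escaping and should
 * not be viewed with a terminal-interpreting tool. */
int count_raw_control_bytes(const char *line)
{
    int n = 0;
    for (const unsigned char *s = (const unsigned char *)line; *s; s++)
        if ((*s < 0x20 && *s != '\n') || *s == 0x7f) n++;
    return n;
}

int main(void)
{
    const char *req = "GET /\x1b[2J HTTP/1.1";   /* constructed: clear-screen sequence */
    char buf[128];
    printf("raw control bytes: %d\n", count_raw_control_bytes(req));
    printf("escaped: %s\n", escape_logitem(req, buf, sizeof buf));
    return 0;
}
```

Run the checker over existing RewriteLog files before opening them in a terminal; the escaper shows what the patched server writes instead.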

[via h-online]

Top comments

  • Freedom (Level 3) Reply
    :mrgreen: Waiting for the exploit :twisted:
    )12( likes
  • @大树 So this says Apache does not escape special sequences and stores them straight into the log file. But the command is triggered when the log file is viewed through a terminal, right? Say that when you `cat thedamnlogfile`, the unescaped text is executed as a command; should this hole really be blamed on Apache..?
    BTW, could an expert please analyze this
    )8( likes