December 9, 2016

Apache Reverse Proxy Vulnerability Exposes Internal Servers

(LiveHacking.Com) – The Apache Software Foundation has issued a security advisory regarding the use of the Apache HTTP Server in reverse proxy mode. If the server is configured using the RewriteRule or ProxyPassMatch directives with pattern matching, and the pattern is not anchored to the start of the path, it is possible to unintentionally expose servers on your internal network that should be hidden by your firewall.

The problem is that the Apache HTTP server does not validate the request-URI of an incoming request. An attacker who sends a specially crafted request can therefore make the pattern expansion produce a target URL other than the one the administrator intended, and the proxy will connect to it.

The problem was originally found by Context Information Security Ltd who then worked with Apache to produce a patch which reduces the risks of an attacker exploiting a misconfigured server.

According to the advisory:

For future releases of the Apache HTTP Server, the software will validate the request URI, correcting this specific vulnerability. For future releases, the server has been patched to reject such requests, instead returning a “400 Bad Request” error. The documentation has been updated to reflect the more general risks with pattern matching in a reverse proxy configuration.

Details

A configuration like one of the following examples:

RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2

could result in an exposure of internal servers. A request of the form:

GET @other.example.com/something.png HTTP/1.1

would get translated to a target of:

http://images.example.com@other.example.com/something.png

This will cause the proxy to connect to the hostname “other.example.com”, as the “images.example.com@” segment would be treated as user credentials when parsing the URL. This would allow a remote attacker the ability to proxy to hosts other than those expected, which could be a security exposure in some circumstances.

The request-URI string in this example, “@other.example.com/something.png”, is not valid according to the HTTP specification, since it is neither an absolute URI (“http://example.com/path”) nor an absolute path (“/path”).

Actions

The Apache Software Foundation has released a patch and also recommends that system administrators review their use of RewriteRule (and ProxyPassMatch) and change any unanchored pattern along the lines of the example below:

RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
to
RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]

to ensure the pattern only matches against paths starting with a “/”. Note that the substitution gains a “/” as well, so whatever the pattern captures always lands in the path of the target URL and can never be parsed as part of its host or credentials.
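To make the expansion concrete, here is an added Python example (not code from the advisory, from Apache, or from Context) that applies the vulnerable and hardened rule pairs above to a few request-URIs, then parses the resulting target the way a URL parser does, so the userinfo confusion is visible. The two rules and the “@other.example.com/something.png” request come from the advisory; the other request-URIs, the internal host 10.0.0.5:8080, and the simplified is_valid_request_uri check that mimics the patched server's “400 Bad Request” behaviour are constructed assumptions for this demonstration. mod_rewrite patterns are unanchored unless they start with “^”, so re.search is used rather than re.match.

```python
import re
from urllib.parse import urlsplit

# (pattern, substitution) pairs taken from the advisory. Apache writes the
# backreferences as $1/$2; Python's re uses \1/\2 for the same thing.
VULNERABLE_RULE = (r"(.*)\.(jpg|gif|png)", r"http://images.example.com\1.\2")
HARDENED_RULE = (r"/(.*)\.(jpg|gif|png)", r"http://images.example.com/\1.\2")

# Constructed request-URIs for the demonstration. Only the second one is
# from the advisory; the third assumes an internal host behind the firewall.
SAMPLE_REQUESTS = [
    "/gallery/cat.jpg",                  # ordinary request
    "@other.example.com/something.png",  # the advisory's request
    "@10.0.0.5:8080/admin/logo.gif",     # assumed internal host and port
]


def is_valid_request_uri(uri):
    """Simplified stand-in for the check the patched server performs: a
    request-URI must be an absolute path ("/path"), an absolute URI
    ("scheme://host/path") or "*" (used by OPTIONS). Anything else is
    rejected. The authority form used by CONNECT is left out on purpose."""
    if uri == "*" or uri.startswith("/"):
        return True
    return re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", uri) is not None


def expand_rule(rule, request_uri):
    """Apply a RewriteRule/ProxyPassMatch pattern to a request-URI the way
    mod_rewrite does: the regex is unanchored (hence re.search) and the
    substitution is expanded with the captured groups.
    Returns the target URL, or None if the pattern does not match."""
    pattern, substitution = rule
    match = re.search(pattern, request_uri)
    if match is None:
        return None
    return match.expand(substitution)


def proxy_target(target_url):
    """(hostname, userinfo) a URL parser extracts from the target. Everything
    before an '@' in the authority is userinfo, which is exactly what lets
    'images.example.com@other.example.com' point at other.example.com."""
    parts = urlsplit(target_url)
    return parts.hostname, parts.username


def simulate(rule, request_uri, validate=False):
    """Describe what a reverse proxy with this rule would do with a request.
    validate=True models the patched server, which rejects malformed
    request-URIs with 400 before any rewriting happens."""
    if validate and not is_valid_request_uri(request_uri):
        return {"status": 400, "target": None, "host": None, "userinfo": None}
    target = expand_rule(rule, request_uri)
    if target is None:
        # No rule matched, so nothing is proxied; 404 stands in for "not handled".
        return {"status": 404, "target": None, "host": None, "userinfo": None}
    host, userinfo = proxy_target(target)
    return {"status": 200, "target": target, "host": host, "userinfo": userinfo}


if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print("request-URI:", uri)
        for name, rule in (("vulnerable", VULNERABLE_RULE), ("hardened", HARDENED_RULE)):
            r = simulate(rule, uri)
            print(f"  {name:10s} target={r['target']}  connects to host={r['host']}")
        print("  patched server (URI validation) status:",
              simulate(VULNERABLE_RULE, uri, validate=True)["status"])
```

Running it shows the three outcomes side by side: the vulnerable rule turns the “@other.example.com” request into a connection to other.example.com (and the constructed one into a connection to 10.0.0.5:8080), the hardened rule sends both to images.example.com with only the path preserved, and the validation step refuses the malformed request-URIs outright while leaving “/gallery/cat.jpg” untouched.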