Case analysis of Apache exploit and security reinforcement

Apache as a carrier of Web applications, once security problems, the security of the Web applications running on it can not be guaranteed, so it is very important to study Apache vulnerability and security. This article will combine examples to talk about the exploits and security hardening measures against Apache.

Apache HTTP Server (Apache) is an open source Web server of the Apache Software Foundation, which can run in most computer operating systems and is one of the most popular Web server software. While the market share of Web servers such as Nginx and LIGHTTPD has grown rapidly in recent years, Apache is still a unique giant in the field, and most Web applications on the Internet still run on Apache.

Apache Vulnerability Analysis

Apache HTTP Server Malformed range option handles remote denial of service vulnerability

CVE Vulnerability Number: cve-2011-3192

Impact version: Apache 2.x, Apache 1.3

Vulnerability Description: A vulnerability exists in Apache HTTP server to generate a response from the range option, which could be exploited by a remote attacker to cause the server to lose its response by sending a malicious request, resulting in a denial of service.

This vulnerability stems from the problem that Apache HTTP server has in handling the large range of overlapping ranges specified in the Range header option, which could allow an attacker to deplete system resources through a specially crafted Htttp request sent to the server, causing Apache to become unresponsive and even run out of operating system resources.

Exploit principle: The range option in the HTTP request defines how the resource file is fragmented, and is commonly used for network breakpoint continuation. By setting a large number of overlapping range-specific commands in the range option of the HTTP request, Apache consumes a large amount of CPU and memory resources to handle such requests, causing Apache to become unresponsive and even run out of operating system resources. This allows an attacker to implement a denial-of-service attack on the target server at a lesser cost, with a simple exploit and a huge scope.
Vulnerability Analysis: Let's look at malicious packets constructed by an attacker, such as 1:

Figure 1

From the point where we can see that the attacker has set a large overlap in the range of the HTTP request, let's look at the core of the exploit code:

/* Build Process */

$PM = new Parallel::forkmanager ($numforks);

$|=1;

Srand (Time ());

/* Default Set shard value is 1300*/

$p = "";

for ($k =0; $k <1300; $k + +) {

$p. = ", 5-$k";

}

/* Cycle through attacks per user input */

for ($k =0; $k < $numforks; $k + +) {

My $pid = $pm->start and next;

/* Construct attack packet */

My $sock = io::socket::inet->new (peeraddr = + $ARGV [0],

Peerport = "80",

Proto = ' TCP ');

$p = "Head/http/1.1\r\nhost: $ARGV [0]\r\nrange:bytes=0-$p \r\naccept-encoding:gzip\r\nconnection:close\r\n\r\n";

Print $sock $p;

while (< $sock >) {

}

$PM->finish;

}

$PM->wait_all_children;

Print ":p pppppppppppppppppp\n";

}

OK, after understanding the exploit principle of the exploit, we use an example to test the attack effect. Take a look at the resource usage before the target server is not compromised, such as 2:

Figure 2

Now let's launch an attack on the target server, 3. From Figure 4, you can see a spike in CPU and memory usage.

Figure 3

Figure 4

Bug FIX: Upgrade Apache version to 2.2.20 or later.

Apache File name parsing features

Apache parses the file name from the back and forth until it encounters a file type it knows. Therefore, if there are files in the Web directory that are named in a format similar to Webshell.php.test, Apache will parse it because it does not know. Test this file type, so it is parsed forward, and when parsing to. PHP, it knows, so it resolves it to a php file.

This parsing feature of Apache is often used to bypass file upload detection for Web applications. When the file upload function of the Web application detects the legality of uploading files, if the file is only judged by the extension of the uploaded file, it can use this file name parsing feature of Apache to bypass the detection of Web application.

Here is an example: the target site backstage there is a upload image function, only allow uploading jpg and GIF image format files. However, the program in verifying the legitimacy of the upload file is a loophole, simply by uploading the file extension to determine whether the file is legitimate, then we can use the Apache File name resolution feature to bypass this detection.
Change the file name to a format similar to phpshell.php.jpg upload, found bypassing the detection, the file was successfully uploaded to the target site, 5.

Figure 5

You can add the following in the httpd.conf configuration file to prevent Apache from parsing this file.

<files ~ "\. (PHP.) " >

Order Allow,deny

Deny from all

</Files>

You will need to restart the Apache service to take effect after modification.

This way, even if an attacker uploads a file like phpshell.php.jpg, Apache will not parse it into a PHP file, 6.

Figure 6

Safety reinforcement

Apache Security Hardening we mainly consider from the following two points: first, whether the Apache Web server itself is secure, such as the existence of security vulnerabilities, and the second is whether Apache Web server provides the security features that can be used, mainly to check the Apache configuration is appropriate To strike a balance between security, availability, and stability.

Selection and installation considerations for the Apache version

Check to see if there is a security vulnerability in the currently used Apache version, and if so, upgrade to a new secure version. When selecting the Apache version, we generally choose the latest stable version. This provides a good balance between security and stability. When upgrading from a low version to a higher version, it is recommended that you test the pass in a test environment before upgrading to avoid problems with compatibility.

Use a custom installation path at installation time, and configure the Web directory to use customizations.

Apache Security Configuration

1. Apache Down Right

This work is only for Apache running on the Windows platform, because in the Windows environment, Apache runs under System permissions by default, and the consequence is that once the Web application is successfully compromised, a high-privileged webshell,7 is directly obtained.

Figure 7

Now let's do the right-down operation on Apache. First create a new user, set a complex password, and let it not belong to any user group, 8.

Figure 8

Then open the local Security policy---> Local Policies---> User Rights Assignment, find the "Log on as a service" entry, add the newly created user, 9.

Figure 9

Then open the "services" component, locate the Apache service, right-click "Properties"---> "login", run the Apache service with the newly created Apache account, 10.

Figure 10

Then find the Apache log directory, assign "read" and "write" permissions to the Apache account, or the Apache service will not start, 11.

Figure 11

After configuration, restart Apache service to take effect, now Apache service has been running Apache low rights account, 12.

Figure 12

The Linux environment does not have to care about this problem, the Apache main process starts with root, the child process is running as Apache, daemon or other user as the default, this is a low-privileged user.

2. Load only the necessary module (modules)

Apache has many official and unofficial module, many of which are caused by Apache module. So we need to check the Apache module installation, according to the "least privilege principle", should be as much as possible to reduce unnecessary module, for the module to be used, check whether its corresponding version has a known security vulnerability. The module that needs to be loaded or disabled can be configured in httpd.conf.

3. Apache Log security settings

The log is a very important part of the server, and we need to protect it. The same is true of Apache. The first thing to do is to modify the default save path for the log, and then set the Full Control permission to allow only administrators to have the log save directory, 13.

Figure 13

4. Site Directory Permissions Configuration

Principle: Directory has write permission, must not assign Execute permission, Directory has execute permission, must not assign write permission.

Web site upload directory and database directory generally need to assign "write" permission, but must not assign execute permissions. Other directories typically only have read and record access permissions assigned.

5. Turn off the Apache Directory browsing feature

If Apache uses the default configuration, it is dangerous to list all the files and directories in the current directory when there are no default index pages (such as index.html) in the Web directory, which is 14.

Figure 14

There are two ways to turn off the Directory browsing feature:

A. Open the httpd.conf configuration file, look for "Options Indexes followsymlinks", modify it to "options-indexes", then save and restart the Apache service in effect

B. Modify the. htaccess file--Add "options-indexes" (no double quotes) to the. htaccess file to block the display of the directory list.

Apache will return a 403 error page, 15 If you later visit a directory that does not already have a default index page.

Figure 15

6. Modify Apache default banner information

Apache's banner will reveal information about the server's operating system and Apache version, 16 and 17, and this information is very useful for attackers, and we need to modify the default configuration to prevent this information from being compromised.

Figure 16

Figure 17

Open the httpd.conf configuration file, locate Servertokens and serversignature, and change their values to prod and off respectively, with the modified effects such as 18 and figure 19.

Figure 18

Figure 19

Summarize

Through the above analysis of Apache vulnerability and security hardening, I believe that readers of the Apache HTTP Server vulnerability and security hardening have a more in-depth understanding. In fact, the security of Apache is not difficult, many times more important is the security awareness of administrators, as long as there is sufficient security awareness, coupled with the above-described security hardening method, I believe you can create a secure Apache HTTP Server.

Case analysis of Apache exploit and security reinforcement