Date: 6th October 2011
October 6th 2011 - The Apache Software Foundation yesterday issued an advisory to all of its customers following the identification by researchers at UK-based Context Information Security of a new class of security vulnerability that could allow hackers to gain full internet access to internal or DMZ systems using insecurely configured reverse web proxies. Context alerted Apache to the weakness last month and has today published a blog detailing this new class of attack that it believes is likely to affect other web servers and proxies. The blog also provides advice to mitigate the risks:
Reverse proxies are used to route external HTTP and HTTPS web requests to one of several internal web servers to access data and resources. Typical applications include load balancing, separating static from dynamic content, or to present a single interface to a number of different web servers at different paths.
While other proxies may suffer from the same vulnerability, the specific attack identified by Context researchers was based on an Apache web server using the mod_rewrite proxy function, which uses a rule-based rewriting engine to modify and rewrite web requests dynamically. When the web proxies had not been configured securely, Context was able to use an easy-to-obtain hacking tool in order to force a change in the request to access internal or DMZ systems, including administration interfaces on firewalls, routers, web servers and databases. And if credentials on internal systems were weak, a full network compromise was possible including uploading Trojan WAR files to a server.
The vulnerability can easily be mitigated by checking reverse proxy configurations to ensure that the rewrite rules cannot be abused to allow for the URLs to be rewritten in such a way that they can access internal systems. Context has also released the latest version of its free to download Context Application Tool (CAT) designed to deliver manual web application penetration testing that can be used to identify the vulnerability.
The difference between the two rules can be as simple as adding an extra slash, which ensures that Apache does not interpret the domain and port parts of the request as a username and password.
For example, if the Apache configuration file is configured like this:
RewriteRule ^(.*) http://internalserver:80$1 [P], and not like this:
RewriteRule ^(.*) http://internalserver:80/$1 [P], then access from the internet to any internal system is possible.
In its advisory to customers, Apache recommends that Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. The full Apache response can be viewed at http://seclists.org/fulldisclosure/2011/Oct/232
“This latest vulnerability present is a potential back door to sensitive internal or DMZ systems but is totally avoidable if the reverse proxies are properly configured,” said Michael Jordon, Research and Development Manger at Context Information Security. “We have not investigated other web servers and proxies but it is reasonable to assume that the problem is more widespread.” Full details of the reverse proxy bypass vulnerability with link to download the free Context Application Tool are published on the Context web site at http://www.contextis.com/
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. Founded in 1998, the company’s client base has grown steadily based on the value of its product-agnostic, holistic approach and tailored services combined with the independence, integrity and technical skills of its consultants. The company’s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. As best security experts need to bring a broad portfolio of skills to the job, Context staff offer extensive business experience as well as technical expertise to deliver effective and practical solutions, advice and support. Context reports always communicate findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.
For more information for editors, please contact:
Peter Rennison / Allie Andrews
Tel + 44 (0)1442 245030 / 07831 208109
Email: pr[at]prpr[dot]co.uk / allie[at]prpr[dot]co.uk