Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL
+44 (0) 1582 434320

New Memory bug for Apache servers - Optionsbleed

New Memory bug for Apache servers - Optionsbleed

New Memory bug for Apache servers - Optionsbleed

These days’ hackers are trying to find persistence way of hacking the web application and the web server, now apache servers that are a bit older versions are a recent hit in terms of vulnerabilities. A new memory bug called “Optionsbleed” is infecting the Apache Web Server program, httpd. The bug allows for a corrupted “Allow” header, possibly including sensitive data, to be constructed in response to an HTTP OPTIONS request. The maximum threat is to organisations that have outsourced servers to a web hosting providers, although there is a limited threat to organisations hosting its own webserver.

In Linux, Apache’s configuration is spread throughout the directory tree using “.htaccess.” This file sets configuration options for the resident directory, unless another .htaccess, is present lower in the structure. This assembly allows for multiple websites, or virtual hosts, to only use one server, one directory tree, and one copy of httpd.

After inspecting we could find that within .htaccess file there are settings, which Apache calls directives. Within the directives, there is a configuration setting called Limits, which allows an administrator to limit allowed methods within the current directory tree.

The HTTP OPTIONS method is used therefore user knows what official methods the web server supports. The ordinary server OPTIONS replies do not contain body content. Setting an inapplicable Limit causes Apache to free up the memory, but Apache continues to refer to the memory space, even if the memory has been reallocated to another part of the Apache program.

The Optionsbleed vulnerability exists when a misconfigured .htaccess file causes the OPTIONS response to contain body content associated with the freed memory. The Optionsbleed vulnerability will only work when the misconfigured .htaccess file is queried.

If any of the HTTP methods an administrator configures in their directive are not applicable, the Optionsbleed vulnerability is triggered and the data returned comes from the memory of the Apache server software, which can include content from other websites or from the server itself and possibly include sensitive information. An unauthenticated, remote attacker can purposely trigger the vulnerability by sending an HTTP OPTIONS request to the server, affecting environments where multiple websites are on the same web server or when a single website is on a web server. This can be triggered:

An unauthenticated, remote attacker can also create a website on the web server and purposefully trigger the Optionsbleed bug in their .htaccess file and continuously run OPTIONS requests in order to gather leaked data from a webserver.