Optionsbleed: a vulnerability? Nope, a ghost!
A bug that is really difficult to reproduce!
Hanno Böck, a freelance journalist, has disclosed a bug in Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, similar to the well-known (and dangerous) “Heartbleed”.
The vulnerability has been dubbed OptionsBleed (CVE-2017-9798) because the bug is triggered by making HTTP OPTIONS requests, but only with a wrong configuration of .htaccess and when the server is really busy:
The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method.
Example .htaccess:
<Limit abcxyz> </Limit>
Due to its nature the bug doesn’t appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.
A recent scan by Hanno found that only 466 sites in the Alexa Top 1 Million were vulnerable.
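To find the triggering misconfiguration on your own servers, the following added example (not part of the original post or of Böck's proof of concept) audits .htaccess content for `<Limit>` and `<LimitExcept>` sections that name an unrecognised method. The function name `audit_htaccess` is hypothetical, and the set of known methods is an assumption taken from the list in Apache's `<Limit>` documentation; extend it if your modules register more.

```python
import re

# Assumption: methods listed as usable in Apache's <Limit> documentation;
# modules may register more, so extend this set for your own server.
KNOWN_METHODS = {
    "GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Opening tag only; directive names are case-insensitive, methods are not.
LIMIT_OPEN = re.compile(r"^\s*<\s*(Limit|LimitExcept)\b([^>]*)>", re.IGNORECASE)


def audit_htaccess(text, known=KNOWN_METHODS):
    """Return (line_no, directive, method) for every unrecognised method."""
    findings, pending, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        # Apache joins lines ending in a backslash before parsing them.
        if raw.endswith("\\"):
            if not pending:
                start = no
            pending += raw[:-1] + " "
            continue
        line, line_no = pending + raw, (start if pending else no)
        pending = ""
        m = LIMIT_OPEN.match(line)
        if not m:
            continue
        for method in m.group(2).split():
            if method not in known:
                findings.append((line_no, m.group(1), method))
    return findings


# Constructed sample, modelled on the example .htaccess above.
SAMPLE = """\
<Limit GET POST>
  Require all granted
</Limit>
<Limit abcxyz> </Limit>
<limitexcept GET \\
    get>
  Require valid-user
</LimitExcept>
"""

if __name__ == "__main__":
    for line_no, directive, method in audit_htaccess(SAMPLE):
        print(f"line {line_no}: <{directive}> names unknown method {method!r}")
```

Run it over every .htaccess file under the document roots; any finding is a section to correct or remove, whether or not the server is already patched.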
How can I test it?
You can use curl in a loop and send OPTIONS requests:
for i in {1..100}; do curl -sI -X OPTIONS https://www.google.com/|grep -i "allow:"; done
Depending on the server configuration, it may not answer OPTIONS requests on some URLs.
Böck has also published a Python proof-of-concept script:
https://gist.github.com/andreafortuna/25ac67d4fd37400d64849027d068e311
Is there a patch?
Yep.
Most distributions should have updated packages by now or very soon.
Anyway, a patch for Apache 2.4 can be found here, and one for Apache 2.2 is available here.
References
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html