Optionsbleed: a vulnerability? Nope, a ghost!

A bug really difficult to reproduce!

Hanno Böck, a freelance journalist, has disclosed a bug in Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, much like the better-known (and more dangerous) “Heartbleed”.

The vulnerability has been dubbed OptionsBleed (CVE-2017-9798), because the bug is triggered by making HTTP OPTIONS requests, but only with a misconfigured .htaccess file and when the server is really busy:

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method.

Example .htaccess:

<Limit abcxyz>
</Limit>

Due to its nature the bug doesn’t appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.
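Because the trigger is a .htaccess file naming a method the server does not know, the misconfiguration can be found by auditing the files themselves. The following is an added example, not code from Böck or the Apache project; the list of known methods and the names audit_htaccess and audit_tree are assumptions made for the illustration.

```python
import os
import re

# Assumption: the standard HTTP and WebDAV method names count as "known";
# extend the set if modules on your server register further methods.
KNOWN_METHODS = frozenset(
    "GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH "
    "PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK".split()
)

# Opening <Limit ...> tag only; the \s+ after the name keeps <LimitExcept> out.
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.IGNORECASE)

def audit_htaccess(text):
    """Return [(line_number, method)] for <Limit> methods not in KNOWN_METHODS."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LIMIT_OPEN.match(line)  # lines starting with '#' never match
        if match:
            # Method names are compared case-sensitively: "get" is not "GET".
            findings += [(number, m) for m in match.group(1).split()
                         if m not in KNOWN_METHODS]
    return findings

def audit_tree(root):
    """Walk a document root and audit every .htaccess file found under it."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = audit_htaccess(handle.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample: the example above, a valid block, a comment and a typo.
SAMPLE = """\
<Limit abcxyz>
</Limit>
<Limit GET POST>
</Limit>
# <Limit bogus> is commented out
<limit GET PSOT>
</limit>
"""

if __name__ == "__main__":
    for line_number, method in audit_htaccess(SAMPLE):
        print(f"line {line_number}: unknown method {method!r} in <Limit>")
```

Running audit_tree over a document root gives the list of .htaccess files to fix until the patched packages are installed.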

A recent scan by Hanno found that only 466 sites in the Alexa Top 1 Million were vulnerable.

How can I test it?

https://xkcd.com/386/

You can use curl in a loop and send OPTIONS requests:

for i in {1..100}; do curl -sI -X OPTIONS https://www.google.com/|grep -i "allow:"; done

Depending on the server configuration, it may not answer OPTIONS requests on some URLs.

Böck has also published a Python proof-of-concept script:

Is there a patch?

Yep.
Most distributions should have updated packages by now, or will very soon.
Anyway, a patch for Apache 2.4 can be found here, and one for Apache 2.2 is available here.

References

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
