Optionsbleed: a vulnerability? Nope, a ghost!

A bug really difficult to reproduce!

Hanno Böck, a freelance journalist, has disclosed a bug in the Apache web server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, similar to the better-known (and more dangerous) “Heartbleed”.

The vulnerability has been dubbed OptionsBleed (CVE-2017-9798) because the bug is triggered by making HTTP OPTIONS requests, but only with a wrong .htaccess configuration and when the server is really busy:

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method.

Example .htaccess:

<Limit abcxyz>
</Limit>

Due to its nature the bug doesn’t appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.

A recent scan by Hanno found that only 466 sites in the Alexa Top 1 Million were vulnerable.

How can I test it?

https://xkcd.com/386/

You can use curl in a loop and send OPTIONS requests:

for i in {1..100}; do curl -sI -X OPTIONS https://www.google.com/|grep -i "allow:"; done

Depending on the server configuration, it may not answer OPTIONS requests on some URLs.
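Two defender-side checks follow, as an added example that is not part of the original post and not Böck's proof of concept: one lints .htaccess text for the misconfiguration the bug needs (a non-standard method name inside a Limit or LimitExcept block), the other inspects the Allow header values that the curl loop above prints and flags entries that are not well-formed, known HTTP methods, which is what leaked memory looks like in that header. The method list, the sample .htaccess and the sample response lines are constructed for this example.

```python
import re
from typing import List, Tuple

# Standard HTTP methods (RFC 7231 plus the WebDAV/versioning methods Apache
# registers by default). Assumption for this example: any other name inside
# <Limit> / <LimitExcept> is the "invalid HTTP method" misconfiguration
# described above and should be removed from the config.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "REPORT", "CHECKOUT", "CHECKIN", "UNCHECKOUT", "MKWORKSPACE",
    "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY",
}

# RFC 7230 "tchar": the only characters permitted in a method token.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Opening <Limit ...> / <LimitExcept ...> tags; the closing tags do not match.
LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)


def unknown_limit_methods(htaccess_text: str) -> List[str]:
    """Return every method name used in a Limit/LimitExcept block that is
    not a standard HTTP method (the root cause of the bug)."""
    bad = []
    for match in LIMIT_RE.finditer(htaccess_text):
        for method in match.group(1).split():
            if method.upper() not in KNOWN_METHODS:
                bad.append(method)
    return bad


def allow_header_anomalies(allow_value: str) -> List[str]:
    """Return the entries of an Allow header value that are empty, are not a
    valid token, or are not a known method. A correct Allow header is built
    from the server's own method table, so anything else deserves a look."""
    anomalies = []
    for entry in allow_value.split(","):
        entry = entry.strip()
        if (not entry or not TOKEN_RE.match(entry)
                or entry.upper() not in KNOWN_METHODS):
            anomalies.append(entry)
    return anomalies


def scan_captured_responses(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Feed this the 'Allow:' lines collected from the curl loop. Returns
    (line index, anomalies) for every line that does not look clean."""
    findings = []
    for idx, line in enumerate(lines):
        name, _, value = line.partition(":")
        if name.strip().lower() != "allow":
            continue
        anomalies = allow_header_anomalies(value)
        if anomalies:
            findings.append((idx, anomalies))
    return findings


# Constructed sample .htaccess: one misspelled method inside <Limit>.
SAMPLE_HTACCESS = """
<Limit GET POST abcxyz>
    Require all denied
</Limit>
<LimitExcept GET HEAD>
    Require all denied
</LimitExcept>
"""

# Constructed sample output of the curl loop: three clean responses and one
# whose Allow value contains empty entries and a non-token fragment.
SAMPLE_RESPONSES = [
    "Allow: GET,HEAD,POST,OPTIONS",
    "Allow: GET,HEAD,POST,OPTIONS",
    "Allow: ,GET,HEAD,POST,OPTIONS,,:)~abc",
    "Allow: OPTIONS,GET,HEAD,POST",
]

if __name__ == "__main__":
    print("non-standard methods in Limit blocks:",
          unknown_limit_methods(SAMPLE_HTACCESS))
    for idx, anomalies in scan_captured_responses(SAMPLE_RESPONSES):
        print(f"response {idx}: suspicious Allow entries {anomalies!r}")
```

Running the .htaccess check across a document root before patching tells you whether a server could be affected at all; running the header check over the loop output turns the eyeballing of "allow:" lines into a repeatable test. Both checks are conservative by design: a method name you use legitimately but that is not in KNOWN_METHODS will be reported, so extend the set rather than ignore the finding.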

Böck has also published a Python proof-of-concept script:

https://medium.com/media/58818ee83996161d1827f31f6c73eea5/href

Is there a patch?

Yep.
Most distributions should have updated packages by now or very soon.
Anyway, a patch for Apache 2.4 can be found here, and one for Apache 2.2 is available here.

Optionsbleed: a vulnerability? Nope, a ghost! was originally published in So Long, and Thanks for All the Fish on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: https://andreafortuna.org/optionsbleed-a-vulnerability-nope-a-ghost-387e2a17ffe7?source=rss----bf18ac17f001---4