"Optionsbleed" memory disclosure vulnerability in Apache
A memory disclosure vulnerability, "Optionsbleed", was reported in the Apache server. This vulnerability is caused by a use-after-free bug in the httpd application. A remote attacker can send a crafted HTTP OPTIONS request and reveal small chunks of server memory, causing sensitive information leakage.
The cause of this vulnerability lies in the .htaccess configuration file. According to Hanno Böck, the discoverer of this vulnerability, a memory corruption vulnerability is triggered when the Limit directive is set for a user for an HTTP method that is not globally registered in the server. Below is one example of the memory leak:
Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
The leaked data looks quite similar to that of the critical "Heartbleed" vulnerability in the OpenSSL library in Apr 2014, although the data chunk is much smaller than Heartbleed's 64kb. Also, there is no way to distinguish normal traffic from attack traffic, which makes this attack hard to detect.
A massive scan of the Alexa top 1 million websites shows that 466 servers have a misconfigured .htaccess file and sent back odd responses with an Allow header containing what appeared to be corrupted data.
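An added example, not part of the original advisory or of Apache's code: a check for the Allow-header anomalies visible in the leak sample above (empty list elements, repeated methods, and entries that are not valid HTTP method tokens), which an administrator can run over Allow values captured from their own servers. The function names are assumptions; the first three sample values are copied from this page and the last one is constructed.

```python
import re

# RFC 7230 "token" grammar: every method name in an Allow list must match it.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def audit_allow(value):
    """Classify the comma-separated elements of one Allow header value."""
    report = {"empty": 0, "duplicate": [], "non_token": []}
    seen = set()
    for element in value.split(","):
        element = element.strip()
        if not element:
            report["empty"] += 1                 # ",," : an empty list slot
        elif not TOKEN.fullmatch(element):
            report["non_token"].append(element)  # foreign bytes in the list
        elif element in seen:
            report["duplicate"].append(element)  # method listed more than once
        else:
            seen.add(element)
    return report

def is_suspicious(value):
    """True if the value shows any anomaly; a lead for review, not proof."""
    r = audit_allow(value)
    return bool(r["empty"] or r["duplicate"] or r["non_token"])

# Values 1-3 are copied from the leak example on this page; the last is constructed.
SAMPLES = [
    ",GET,,,POST,OPTIONS,HEAD,,",
    "POST,OPTIONS,,HEAD,:09:44 GMT",
    "GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",
    "GET,HEAD,POST,OPTIONS",
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(is_suspicious(v), audit_allow(v), repr(v))
```

A flagged value is a reason to inspect that host's .htaccess Limit directives and patch level; a clean value does not show that the server is patched.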
Apache has officially released patches for this vulnerability:
With the patch, the Apache server denies new methods that appear in the .htaccess file.
We recommend that Apache users upgrade their servers with the latest patch as soon as possible, and also check the Limit section in the .htaccess file to prevent the vulnerability. SonicWall has also developed the following signature to identify and stop the attacks:
- App Control 12986: "HTTP Protocol -- OPTIONS"
Instructions on configuring the SonicWall App Control feature: https://www.sonicwall.com/en-us/support/knowledge-base/170505381440321
- Optionsbleed - HTTP OPTIONS method can leak Apache's server memory, https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html