Apache CVE-2017-7659 Issue Analyse

This article shows the detail of CVE-2017-7659 vulnerability, and also shows how to develop a CVE-2017-7659 payload.

Recently, Apache released Apache httpd 2.4.26. And 2.4.26 fix several issues. You can find the detail of the patch from this link. CVE-2017-7659 is one of the issues.

This article shows the detail of CVE-2017-7659 vulnerability, and also shows how to develop a CVE-2017-7659 payload.

For the CVE-2017-7659, Apache provides the following description:

A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.

From the GitHub change log, we can find that only one line changed, which is that the application checks the h2_request_rcreate function return value.

h2_stream.c Change Log
h2_stream.c Change Log

The CVE-2017-7659 issue is related h2_request_rcreate function. So, let’s check this function.

If we read the issue code, we can find that Apache HTTP uses h2_request_rcreate function to create HTTP 2.0 data structure req. If h2_request_rcreat is failed, req will become to NULL. When ap_log_rerror uses it, it will lead the HTTP process break down.

ap_log_rerror source code
ap_log_rerror code

Then, we go to h2_request_rcreate function. We can find that in the begin, this function setup req to 0, then check 4 variables: r->method, scheme, r->hostname and path. If any of these variables is NULL, it will return failed. And if it returns failed, the req still is 0, and the HTTP process will be broken down.

h2_request_rcreate function
h2_request_rcreate Function

In these above variables, only hostname can be controlled, and it can be NULL. Therefore, if we create an HTTP request without hostname, it will break down the Apache HTTP process.

Now, let’s create CVE-2017-7659 payload. To trigger this issue, its musts meet the following requirements:

  1. The target website supports HTTP 2.0
  2. We are able to submit HTTP 1.0 request without Hostname parameter.

The following HTTP request is the payload:

GET / HTTP/1.0
User-Agent: curl/7.50.1
Accept: */*
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
Content-Length: 2

First, I implement an Apache HTTP server on my Kali Linux. The version is 2.4.25.

Apache HTTP Version 2.4.25
Apache HTTP Version 2.4.25

Then, I start Apache, the website and server is working very well.

Then, using burp to submit the above payload to Apache HTTP Server.

Submit the Payload
Submit the Payload

After submit the payload, the website does not give any response. If you check the Apache Log, you will find some segment fault errors and the HTTPD process is dead.

CVE-2017-7659 Lead to DDoS Attack
CVE-2017-7659 Lead to DDoS Attack