Security researchers abroad recently found a vulnerability in the Apache HTTP Server. The Rewritelog() function in modules/mappers/mod_rewrite.c does not correctly handle certain escape sequences, so a malicious attacker who sends a specially crafted HTTP request can inject content into the log file; if the HTTP request contains terminal-emulator escape sequences, this may allow the attacker to execute commands without needing administrator privileges.
Apache 2.2.x is currently known to be affected, but other versions may be affected as well. The mitigation published upstream is as follows:
Index: CHANGES =================================================================== --- CHANGES (revision 1469310) +++ CHANGES (working copy) @@ -1,8 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.25 + *) SECURITY: CVE-2013-1862 (cve.mitre.org) + mod_rewrite: Ensure that client data written to the RewriteLog is + escaped to prevent terminal escape sequences from entering the + log file. [Joe Orton] - Changes with Apache 2.2.24 *) SECURITY: CVE-2012-3499 (cve.mitre.org) Index: modules/mappers/mod_rewrite.c =================================================================== --- modules/mappers/mod_rewrite.c (revision 1469310) +++ modules/mappers/mod_rewrite.c (working copy) @@ -500,11 +500,11 @@ logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " "(%d) %s%s%s%s" APR_EOL_STR, - rhost ? rhost : "UNKNOWN-HOST", - rname ? rname : "-", - r->user ? (*r->user ? r->user : "\"\"") : "-", + rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", + rname ? ap_escape_logitem(r->pool, rname) : "-", + r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-", current_logtime(r), - ap_get_server_name(r), + ap_escape_logitem(r->pool, ap_get_server_name(r)), (void *)(r->server), (void *)r, r->main ? "subreq" : "initial", @@ -514,7 +514,7 @@ perdir ? "[perdir " : "", perdir ? perdir : "", perdir ? "] ": "", - text); + ap_escape_logitem(r->pool, text)); nbytes = strlen(logline); apr_file_write(conf->rewritelogfp, logline, &nbytes);
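Review bot: in the @@ -500 hunk the NULL guards stay on the outside of each ternary, so ap_escape_logitem() is never handed a NULL pointer (rhost, rname and r->user are all tested first), and wrapping ap_get_server_name(r) is justified because with UseCanonicalName Off that value comes from the client's Host header. Two points belong in the commit message: current_logtime(r) is deliberately left unescaped because it is server-generated, and each ap_escape_logitem() call allocates a fresh copy from r->pool for every log line, which is acceptable only because the pool is released with the request.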
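Review bot: in the @@ -514 hunk escaping the whole `text` argument is the right scope, since that string carries the rewritten URI and pattern data supplied by the callers, but ap_escape_logitem() also rewrites any double quotes and backslashes the callers legitimately emit, so existing RewriteLog consumers that keyed on those characters will now see `\"` and `\\`; the CHANGES entry should mention this output-format change alongside the security fix.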
Patch URL:
http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch
mod_rewrite.c source file URL, for research and study
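To show what the escaping in the patch actually does to a request that carries a terminal control sequence, here is an added example (my own code, not httpd's ap_escape_logitem(), which it only approximates): a detector for control bytes in a client-supplied log item, and an escaper that renders them harmlessly before the string reaches a log file. The request path below is constructed for the demonstration.

```c
/* Added example, not httpd code: approximates the log-item escaping
 * that the CVE-2013-1862 patch applies to client data. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if s contains a byte a terminal would act on
 * (ESC or any other C0 control byte, or DEL), else 0. */
int has_control_bytes(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Copies s into out (capacity outlen): printable ASCII passes through,
 * '"' and '\\' get a backslash, \n \r \t use C escapes, and every other
 * control or non-ASCII byte becomes \xHH. Returns the escaped length,
 * or -1 if out is too small (nothing is written past outlen). */
int escape_logitem(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char buf[5];
        const char *rep;
        if (c == '"')        rep = "\\\"";
        else if (c == '\\')  rep = "\\\\";
        else if (c == '\n')  rep = "\\n";
        else if (c == '\r')  rep = "\\r";
        else if (c == '\t')  rep = "\\t";
        else if (c < 0x20 || c >= 0x7f) {
            snprintf(buf, sizeof buf, "\\x%02x", c);
            rep = buf;
        } else { buf[0] = (char)c; buf[1] = '\0'; rep = buf; }
        size_t l = strlen(rep);
        if (n + l >= outlen) return -1;   /* leave room for the NUL */
        memcpy(out + n, rep, l);
        n += l;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed request path carrying ESC[2J (terminal "clear screen"). */
    const char *path = "/index.html\x1b[2J";
    char out[128];
    escape_logitem(path, out, sizeof out);
    printf("control bytes present: %d\nescaped for log: %s\n",
           has_control_bytes(path), out);
    return 0;
}
```

Before the patch, a RewriteLog line built from such a path would hand the raw ESC byte to whatever terminal later displays the file; after escaping it is plain printable text.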