Apache released an advisory on Wednesday 5th October 2011 to all of its customers following the identification by Context’s researchers of a new class of security vulnerability that could allow hackers to gain full internet access to internal or DMZ systems through insecurely configured reverse web proxies. Context alerted Apache to the weakness last month and has published a blog post detailing this new class of attack, which it believes is likely to affect other web servers and proxies. The blog post also provides advice on mitigating the risk: http://www.contextis.com/research/blog/server-technologies-reverse-proxy-bypass/
Reverse proxies are used to route external HTTP and HTTPS web requests to one of several internal web servers to access data and resources. Typical applications include load balancing, separating static from dynamic content, or to present a single interface to a number of different web servers at different paths.
While other proxies may suffer from the same vulnerability, the specific attack identified by Context researchers was based on an Apache web server using the mod_rewrite proxy function, which uses a rule-based rewriting engine to modify and rewrite web requests dynamically. When the web proxies had not been configured securely, Context was able to use an easy-to-obtain hacking tool in order to force a change in the request to access internal or DMZ systems, including administration interfaces on firewalls, routers, web servers and databases. And if credentials on internal systems were weak, a full network compromise was possible including uploading Trojan WAR files to a server.
The vulnerability can easily be mitigated by checking reverse proxy configurations to ensure that the rewrite rules cannot be abused to rewrite URLs in such a way that they reach internal systems. Context has also released the latest version of its free-to-download Context Application Tool (CAT), designed for manual web application penetration testing, which can be used to identify the vulnerability.
The difference between the two rules can be as simple as adding an extra slash, which ensures that Apache does not interpret the domain and port parts of the request as a username and password.
For example, if the Apache configuration file contains this rule:

    RewriteRule ^(.*) http://internalserver:80$1 [P]

and not this one:

    RewriteRule ^(.*) http://internalserver:80/$1 [P]

then access from the internet to any internal system is possible.
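The following script is an added example (not Context's CAT and not part of the advisory) that audits an Apache configuration for the misconfiguration described above: a RewriteRule with the proxy flag [P] whose target URL places a backreference ($1, %1, ...) directly after the host:port authority with no separating slash. The sample configuration excerpt embedded in it is constructed for illustration; the hostnames and the helper names classify_rule and audit_config are the example's own.

```python
import re

# One RewriteRule directive: pattern, substitution, optional [flags].
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(?P<pattern>\S+)\s+(?P<subst>\S+)'
    r'(?:\s+\[(?P<flags>[^\]]*)\])?\s*$',
    re.IGNORECASE,
)

# Absolute URL substitution: scheme://rest
ABS_URL_RE = re.compile(r'^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<rest>.*)$', re.IGNORECASE)

# A mod_rewrite backreference into the matched request ($N) or RewriteCond (%N).
BACKREF_RE = re.compile(r'[$%][0-9]')


def is_proxy_rule(flags):
    """True if the rule's flag list contains P or proxy (case-insensitive)."""
    if not flags:
        return False
    return any(f.strip().lower() in ("p", "proxy") for f in flags.split(","))


def classify_rule(line):
    """Classify one config line.

    Returns None for lines that are not RewriteRule directives, "not-proxy"
    for rules without the [P] flag, "unsafe" when a proxy rule's authority
    (host[:port]) is built from, or runs straight into, a backreference, and
    "safe" otherwise. Only the slash-before-backreference pattern from the
    advisory is checked; ProxyPass and other directives are out of scope.
    """
    m = RULE_RE.match(line)
    if not m:
        return None
    if not is_proxy_rule(m.group("flags")):
        return "not-proxy"
    url = ABS_URL_RE.match(m.group("subst"))
    if not url:
        # Relative substitution: the proxy target host is not request-derived.
        return "safe"
    # Everything up to the first "/" after scheme:// is the authority.
    authority = url.group("rest").split("/", 1)[0]
    # "internalserver:80$1" has no "/" before $1, so $1 lands inside the
    # authority; "internalserver:80/$1" keeps $1 in the path component.
    if BACKREF_RE.search(authority):
        return "unsafe"
    return "safe"


def audit_config(text):
    """Return (line_number, verdict, line) for every proxy rule in the config."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        verdict = classify_rule(line)
        if verdict in ("safe", "unsafe"):
            findings.append((number, verdict, line.strip()))
    return findings


# Constructed httpd.conf excerpt for the demonstration (not from the advisory).
SAMPLE_CONFIG = """\
# constructed sample: mixes a correct and an incorrect proxy rule
RewriteEngine On
RewriteRule ^/static/(.*) http://static-backend:8080/$1 [P,L]
RewriteRule ^(.*) http://internalserver:80$1 [P]
RewriteRule ^/old/(.*) /new/$1 [R=301,L]
"""

if __name__ == "__main__":
    for number, verdict, line in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {verdict:6s}  {line}")
```

Run it against a real httpd.conf by reading the file into audit_config; every "unsafe" finding is a rule to fix by inserting the slash between the authority and the backreference, as in the corrected rule above.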
“This latest vulnerability presents a potential back door to sensitive internal or DMZ systems but is totally avoidable if the reverse proxies are properly configured,” said Michael Jordon, Research and Development Manager at Context. “We have not investigated other web servers and proxies but it is reasonable to assume that the problem is more widespread.” Full details of the reverse proxy bypass vulnerability are also documented in the Context blog published today at: http://www.contextis.com/research/blog/server-technologies-reverse-proxy-bypass/.