The problem lies in mod_rewrite.c: values supplied by the user via GET or POST are not handled properly and are written directly into the RewriteLog. If the administrator is running as root and views the log with a command such as cat or echo, arbitrary remote code execution becomes possible.
Affects Apache 2.2.x and earlier.
Index: CHANGES
===================================================================
--- CHANGES (revision 1469310)
+++ CHANGES (working copy)
@@ -1,8 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.25
+ *) SECURITY: CVE-2013-1862 (cve.mitre.org)
+ mod_rewrite: Ensure that client data written to the RewriteLog is
+ escaped to prevent terminal escape sequences from entering the
+ log file. [Joe Orton]
-
Changes with Apache 2.2.24
*) SECURITY: CVE-2012-3499 (cve.mitre.org)
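Review bot: the new CHANGES entry says "client data" without saying which fields; the code hunks below escape the remote host, the reverse-resolved name, the authenticated user, the server name and the message text, and naming those in the entry (or the linked advisory) would let administrators judge which existing RewriteLog lines may already contain unescaped bytes.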
Index: modules/mappers/mod_rewrite.c
===================================================================
--- modules/mappers/mod_rewrite.c (revision 1469310)
+++ modules/mappers/mod_rewrite.c (working copy)
@@ -500,11 +500,11 @@
logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] "
"(%d) %s%s%s%s" APR_EOL_STR,
- rhost ? rhost : "UNKNOWN-HOST",
- rname ? rname : "-",
- r->user ? (*r->user ? r->user : "\"\"") : "-",
+ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST",
+ rname ? ap_escape_logitem(r->pool, rname) : "-",
+ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-",
current_logtime(r),
- ap_get_server_name(r),
+ ap_escape_logitem(r->pool, ap_get_server_name(r)),
(void *)(r->server),
(void *)r,
r->main ? "subreq" : "initial",
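Review bot: the NULL checks correctly stay outside the `ap_escape_logitem` calls, so a NULL `rhost`, `rname` or `r->user` still falls through to the literal placeholder, and `current_logtime(r)` is deliberately left unescaped as server-generated data; a one-line comment above the format call stating which arguments are client-controlled would make that selective escaping explicit for the next reader, since each escaped argument is also an extra allocation from `r->pool` per logged line.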
@@ -514,7 +514,7 @@
perdir ? "[perdir " : "",
perdir ? perdir : "",
perdir ? "] ": "",
- text);
+ ap_escape_logitem(r->pool, text));
nbytes = strlen(logline);
apr_file_write(conf->rewritelogfp, logline, &nbytes);
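Review bot: escaping `text` as a single argument is the right granularity, because the bracket framing, the `(%d)` level and `APR_EOL_STR` come from the format string and are not touched, while the request-derived message body is; `perdir` is left unescaped, which is acceptable as it comes from configuration rather than the request, but that should be stated in a comment so a later change does not route request data through it. `nbytes = strlen(logline)` is computed after escaping, so the write length matches the escaped line.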
As can be seen, the original code did no escaping at all; that is exactly the root cause of the problem.
Avoid using affected versions of Apache!
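The two code hunks above apply `ap_escape_logitem()` to every request-derived field before it reaches the log file. The block below is an added example, not Apache's own code: it implements a small escaping routine of the same kind (the exact escaping rules are this example's assumption, modelled on the conventional Apache behaviour of `\xhh` for non-printable bytes and C-style escapes for `\b \n \r \t \v \\ "`), together with a check a defender can run over an existing RewriteLog to find lines that were written before the fix and still carry raw terminal control bytes. The sample request path is constructed for the example.

```c
/* Added example (not Apache's own code): escape client-supplied data before it is
 * written to a log file, and detect log lines that still carry raw control bytes.
 * Escaping rules (assumption, modelled on the usual Apache behaviour): printable
 * ASCII except '\\' and '"' is copied through, \b \n \r \t \v get C escapes, and
 * every other byte (ESC 0x1b, BEL 0x07, DEL, high-bit bytes) becomes \xhh. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly malloc'd escaped copy of s, or NULL on allocation failure.
 * Caller frees. Worst case every input byte expands to four output bytes. */
char *escape_logitem(const char *s)
{
    size_t n = strlen(s);
    char *out = malloc(n * 4 + 1);
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        switch (c) {
        case '\b': *p++ = '\\'; *p++ = 'b'; break;
        case '\n': *p++ = '\\'; *p++ = 'n'; break;
        case '\r': *p++ = '\\'; *p++ = 'r'; break;
        case '\t': *p++ = '\\'; *p++ = 't'; break;
        case '\v': *p++ = '\\'; *p++ = 'v'; break;
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        case '"':  *p++ = '\\'; *p++ = '"'; break;
        default:
            if (c >= 0x20 && c < 0x7f) {
                *p++ = (char)c;          /* ordinary printable byte */
            } else {
                /* ESC, BEL, other C0 controls, DEL and non-ASCII bytes */
                p += sprintf(p, "\\x%02x", (unsigned)c);
            }
        }
    }
    *p = '\0';
    return out;
}

/* Detection side: returns 1 if a stored log line still contains a raw byte a
 * terminal would interpret (any byte below 0x20 other than the line's own '\n',
 * or DEL), which indicates the line was written without escaping. */
int line_has_raw_control_bytes(const char *line)
{
    for (const unsigned char *q = (const unsigned char *)line; *q; q++) {
        if ((*q < 0x20 && *q != '\n') || *q == 0x7f) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request path carrying an OSC title-set sequence
     * terminated by BEL, the class of input the advisory describes. */
    const char *rhost = "192.0.2.10";
    const char *uri = "/index.html?x=\x1b]0;injected\x07";
    char raw_line[512], safe_line[512];

    snprintf(raw_line, sizeof raw_line,
             "%s - - [rid#1/initial] (2) rewrite %s -> /x\n", rhost, uri);

    char *safe_uri = escape_logitem(uri);
    if (safe_uri == NULL) {
        return 1;
    }
    snprintf(safe_line, sizeof safe_line,
             "%s - - [rid#1/initial] (2) rewrite %s -> /x\n", rhost, safe_uri);

    printf("raw line has control bytes:     %d\n", line_has_raw_control_bytes(raw_line));
    printf("escaped line has control bytes: %d\n", line_has_raw_control_bytes(safe_line));
    printf("escaped item: %s\n", safe_uri);   /* safe to print: no raw ESC/BEL left */
    free(safe_uri);
    return 0;
}
```

Running `line_has_raw_control_bytes()` over each line of an old RewriteLog (read with `fgets`) is a quick way to tell whether a log produced by a pre-2.2.25 build ever received such input, without ever displaying the raw line on a terminal.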
;PS1%3d”%5c%5b%5ce%5d0%3bBe+Hacked%5ca%5c%5dhacker%40%5ch%3a%5cw%5c%24″;
Source: http://www.imiyoo.com/tag/cve-2013-1862