#Hacktivity2024 // Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
Orange Tsai - Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! This presentation was held at the #Hacktivity2024 IT security conference on 14th October 2024.

Apache HTTP Server, as a cornerstone of the entire World Wide Web, accounts for about one-third of the web server market share worldwide. It's not an overstatement to say that its security is synonymous with the security of the Internet. However, while delving into the source by chance, we discovered that the coding style of this open-source project seemed a little bit... open? This research was thus born!

The Apache Httpd is comprised of dozens of different modules, which are coupled together. When a new HTTP request arrives, all modules uphold and maintain a colossal structure, collaborating in harmony to complete the request. While this cooperation might sound ideal, the reality reveals a significant challenge: the modules are not entirely familiar with each other, especially regarding the implementation details. However, they are asked to collaborate to fulfill the task. If any module has an incorrect understanding of any field of this huge structure, it could potentially lead to fatal issues. This observation led us to focus on interactions between modules and to discover this new attack surface.

Let's see how a seemingly harmless structure modification can be passed through layers, amplifying the impact and affecting other modules to become vulnerabilities. This novel attack surface unearthed 3 distinct types of Confusion Attacks and 8 vulnerabilities, which allow us to navigate easily between Httpd modules, generating various attacks based on the different functionalities of modules: from the simplest arbitrary source code disclosure to misinterpreting a normal image as malicious scripts, bypassing ACL, and enabling unlimited SSRF. Of course, we won't forget about RCE: we will demonstrate how a long-underestimated bug type can be transformed into code execution by leveraging Httpd's internal features!

By understanding this talk, attendees won't be surprised at how we've managed to teach an old dog new tricks. Developers will understand how to avoid writing problematic Httpd modules. Server admins can use this knowledge to examine their sites for potential vulnerabilities, and security researchers are able to explore more hidden issues along this direction. It's a scenario where everyone wins!

https://www.hacktivity.com #cybersecurity #apache #exploit


