Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
2024-09-12 , Main hall

The Apache HTTP Server is comprised of dozens of different modules, which are coupled together. While delving into the source by chance, we discovered that the coding style seemed a little bit... open? When a new HTTP request arrives, all modules uphold and maintain a colossal structure, collaborating in harmony to complete the request. While this cooperation might sound ideal, the reality reveals a significant challenge: the modules are not entirely familiar with each other, especially regarding the implementation details. However, they are asked to collaborate to fulfill the task. If any module has an incorrect understanding of any fields of this huge structure, it could potentially lead to fatal issues.

This observation led us to focus on interactions between modules, and discover this new attack surface. Let's see how a seemingly harmless structure modification can be passed through layers, amplifying the impact and affecting other modules to become vulnerabilities. This novel attack surface unearthed 3 distinct types of Confusion Attacks and 8 vulnerabilities, which allow us to navigate easily between Httpd modules, generating various attacks based on the different functionalities of modules: from the simplest arbitrary source code disclosure to bypassing ACL, and enabling unlimited SSRF. Of course, we won't forget about RCE, we will demonstrate how a long-underestimated bug type can be transformed into code execution by leveraging Httpd's internal features!

Orange Tsai, is the principal security researcher of DEVCORE and the core member of CHROOT security group in Taiwan. He is the champion and the "Master of Pwn" title holder at Pwn2Own Vancouver 2021 and Toronto 2022.

Currently, Orange is a 0day researcher focusing on Web and Application Security. His research not only earned him the Pwnie Awards winner for "Best Server-Side Bug" in 2019 and 2021 but also secured 1st place in the "Top 10 Web Hacking Techniques" for 2017 and 2018.