Mitchell Hanks

If it bleeds...we can kill it!

Blog Post created by Mitchell Hanks Employee on Sep 23, 2017

UPDATE: The functionality from the custom Lua parser described below is now available in the standard HTTP_lua parser from RSA Live. If you are using that standard parser in your environment, the custom version attached here (including the app rule) is unnecessary.

Many of you may already be aware of a recent vulnerability known as "Options Bleed". It affects Apache web servers and exposes the contents of memory via the HTTP OPTIONS request method. This method is supposed to return the available methods (e.g. GET, POST, PUT) to the browser. On misconfigured web hosts that are unpatched against this vulnerability, some of the contents of memory are returned along with the available methods.

See the following post for a good write-up on the details of Options Bleed:

Apache “Optionsbleed” vulnerability – what you need to know – Naked Security

Attached you will find a custom Lua parser and accompanying Application Rule to detect when this vulnerability is exploited. The parser inspects the response string returned by the web server for an OPTIONS request and determines whether the response is valid. If it is not, the parser registers the following meta key/value:

analysis.service = 'garbled http options allow string'
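
To make the validity check concrete, here is an added Python example; it is not the attached Lua parser or RSA's code. It pulls the Allow header out of a response and flags values that are not a clean comma-separated list of method tokens. The function names, the empty-element and duplicate heuristics, and the sample responses are assumptions made for illustration.

```python
import re

# RFC 7230 "token": the only characters a method name may contain.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
META_VALUE = "garbled http options allow string"  # value named in the post

def allow_header(response: bytes):
    """Return the raw Allow header value from an HTTP response head, or None."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            return value.strip(b" \t")
    return None

def garble_reasons(value: bytes):
    """List why an Allow value does not look like a clean method list."""
    if not value.strip():
        return []                                  # an empty Allow header is legal
    reasons, seen = [], set()
    for element in value.split(b","):
        method = element.strip(b" \t")
        if not method:                             # heuristic (assumption)
            reasons.append("empty list element")
        elif not TOKEN.fullmatch(method):
            reasons.append("element is not an RFC 7230 token: %r" % method)
        elif method in seen:                       # heuristic (assumption)
            reasons.append("duplicate method: %r" % method)
        seen.add(method)
    return reasons

def analyze(response: bytes):
    """Return META_VALUE if the response carries a garbled Allow header."""
    value = allow_header(response)
    if value is not None and garble_reasons(value):
        return META_VALUE
    return None

# Constructed sample responses (not captured traffic).
CLEAN = b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n"
GARBLED = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,,HEAD,\x8f\x01 12:00 GMT,OPTIONS\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("clean", CLEAN), ("garbled", GARBLED)):
        print(name, analyze(resp), garble_reasons(allow_header(resp)))
```

The empty-element and duplicate checks are stricter than the HTTP list grammar requires, so expect to tune them against servers that legitimately emit sloppy Allow headers.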

 

In addition, I have provided an application rule that ties the presence of this garbled string to other information about the session:

App rule name: 'optoins bleed exploit'

App rule logic:  (analysis.session='garbled http options allow string' && service = 80 && action = 'options')

Alert on:  ioc

 

NOTE: This is custom content created by RSA Professional Services.  It is not officially supported by the RSA Content Team, so please use at your own risk.
