CVE-2017-9798

HIGH EXPLOITED RANSOMWARE

Apache httpd <2.4.28 - Use After Free

Title source: llm

Exploitation Summary

CVE-2017-9798 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 8 public exploits from researchers including Hanno Bock, brokensound77, nitrado, including a Metasploit module auxiliary/scanner/http/apache_optionsbleed.

AI-analyzed exploit summary This script tests for the Optionsbleed vulnerability (CVE-2017-9798) by sending OPTIONS requests to a target host and analyzing the 'Allow' header for anomalies such as duplicates, spaces, or corrupted data. It supports multiple URL prefixes and repeated testing to detect inconsistencies.

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Exploits (8)

exploitdb SCANNER

by Hanno Bock · pythonwebappslinux

https://www.exploit-db.com/exploits/42745

View Code ZIP pw:eip

This script tests for the Optionsbleed vulnerability (CVE-2017-9798) by sending OPTIONS requests to a target host and analyzing the 'Allow' header for anomalies such as duplicates, spaces, or corrupted data. It supports multiple URL prefixes and repeated testing to detect inconsistencies.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache HTTP Server (versions affected by CVE-2017-9798)

No auth needed

Prerequisites: Network access to the target host · Target host running a vulnerable version of Apache HTTP Server

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 18 stars

by brokensound77 · infoleak

https://github.com/brokensound77/OptionsBleed-POC-Scanner

View Code ZIP pw:eip

This repository contains a scanner for CVE-2017-9798 (OptionsBleed), which exploits an information leak vulnerability in Apache HTTP Server. The scanner sends multiple HTTP OPTIONS and custom method requests to detect inconsistencies in the 'Allow' header responses.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Apache HTTP Server 2.2.x, 2.4.x

No auth needed

Prerequisites: Network access to the target server

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 3 stars

by nitrado · local

https://github.com/nitrado/CVE-2017-9798

View Code ZIP pw:eip

This repository contains a Python script that scans for vulnerable .htaccess files affected by CVE-2017-9798. It checks for disallowed HTTP methods in <Limit> directives, which could lead to unauthorized access or privilege escalation.

Classification

Scanner 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Apache HTTP Server with .htaccess configurations

No auth needed

Prerequisites: Access to the file system where .htaccess files are stored

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 2 stars

by pabloec20 · poc

https://github.com/pabloec20/optionsbleed

View Code ZIP pw:eip

This PoC scans for CVE-2017-9798 (OptionsBleed), a vulnerability in Apache HTTP Server where the 'Allow' header may leak arbitrary memory content. The script sends OPTIONS requests and parses the response for unexpected data in the 'Allow' header.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache HTTP Server 2.2.x, 2.4.x

No auth needed

Prerequisites: Network access to the target server

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WORKING POC 1 stars

by vaishakhcv · perlpoc

https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-9798

View Code ZIP pw:eip

This repository contains a functional Perl script that exploits CVE-2017-9798 (OptionsBleed) in Apache HTTP Server by sending crafted OPTIONS requests to detect memory leakage in the Allow header. The script checks for irregular separators in the header to confirm vulnerability.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Apache HTTP Server (versions 2.2.x and 2.4.x with specific configurations)

No auth needed

Prerequisites: Apache server with misconfigured Limit directive (e.g., invalid HTTP method)

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 27, 2026 Full analysis →

github WORKING POC

by winterwolf32 · perlpoc

https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-9798

View Code ZIP pw:eip

This repository contains a functional Perl script that exploits CVE-2017-9798 (OptionsBleed) in Apache HTTP Server by sending crafted OPTIONS requests to detect memory leaks in the Allow header. The script checks for irregular separators in the header to confirm vulnerability.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Apache HTTP Server (versions affected by CVE-2017-9798)

No auth needed

Prerequisites: Apache HTTP Server with misconfigured Limit directive (e.g., invalid HTTP method)

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec SCANNER

by l0n3rs · local

https://github.com/l0n3rs/CVE-2017-9798

View Code ZIP pw:eip

This repository contains a Python script that scans for vulnerable .htaccess files affected by CVE-2017-9798. It checks for disallowed HTTP methods within <Limit> directives, which could lead to unauthorized access or privilege escalation.

Classification

Scanner 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Apache HTTP Server (versions with vulnerable .htaccess configurations)

No auth needed

Prerequisites: Access to the file system where .htaccess files are stored

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit SCANNER

by Hanno Böck, h00die · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/apache_optionsbleed.rb

View Code ZIP pw:eip

This Metasploit module scans for the Apache Optionsbleed vulnerability (CVE-2017-9798) by sending OPTIONS requests and analyzing the Allow header for memory leakage or other bugs. It checks for repeated or malformed method lists in the response.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache HTTP Server (versions 2.2.x, 2.4.x)

No auth needed

Prerequisites: Network access to the target Apache server · Presence of a vulnerable .htaccess file with an invalid Limit method

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (56)

Core 56

Core References

Mailing List

http://seclists.org/fulldisclosure/2024/Sep/22

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3113

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/100872

Patch, Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch, Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Patch, Third Party Advisory x_refsource_confirm

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:2882

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:2972

Exploit, Patch, Technical Description, Third Party Advisory x_refsource_misc

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

Third Party Advisory x_refsource_confirm

https://support.apple.com/HT208331

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1039387

Third Party Advisory x_refsource_confirm

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3475

Exploit, Third Party Advisory x_refsource_misc

https://github.com/hannob/optionsbleed

View Exploit ZIP pw:eip

Vendor Advisory x_refsource_misc

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3240

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3195

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3018

Patch, Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3239

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3476

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/105598

Vendor Advisory x_refsource_confirm

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

Patch, Third Party Advisory x_refsource_confirm

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3114

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3477

Mailing List, VDB Entry x_refsource_misc

http://openwall.com/lists/oss-security/2017/09/18/2

Third Party Advisory x_refsource_confirm

https://security.netapp.com/advisory/ntap-20180601-0003/

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3194

Third Party Advisory x_refsource_misc

https://security-tracker.debian.org/tracker/CVE-2017-9798

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2017:3193

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2017/dsa-3980

Exploit, Patch, Technical Description, Third Party Advisory x_refsource_misc

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42745/

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201710-32

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html