Date: Mon, 13 Sep 2004 12:31:28 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Jйrфme ATHIAS <jerome.athias@...amail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote buffer overflow in Apache mod_ssl when reverse proxying SSL


Dear Jйrфme ATHIAS,

According  to  provided  information  and fix (without code analysis) it
looks  like access to unallocated memory, not like buffer overflow. It's
just non-working feature of Apache and it unconditionally crashes on any
request  in  specified configuration. Probably it means you can not find
server in this configuration in-the-wild.

Correct me, if I wrong.


--Saturday, September 11, 2004, 10:14:06 AM, you wrote to bugtraq@...urityfocus.com:



JA> http://issues.apache.org/bugzilla/show_bug.cgi?id=30134

JA> Summary: Segmentation fault in char_buffer_read when reverse proxying SSL (Version 2.0.50)
JA> Reporter: lxhankins002 at fastmail.fm (M. "Alex" Hankins)
 
JA> Overview Description:
 
JA> Intermittent segmentation faults occur in char_buffer_read at
JA> ssl_engine_io.c:348 when using a RewriteRule to do reverse proxying to an SSL
JA> origin server running IIS.
 
JA>     Steps to Reproduce:
 
JA> 1) Set up an IIS server using SSL and running eRoom 6.
 
JA> 2) Add the following directives to httpd.conf:
 
JA> Listen 47290
JA> SSLProxyEngine on
JA> RewriteEngine on
JA> RewriteRule /(.*) https://some.eroom6.iis.server.com/$1 [P]
 
JA> 3) Visit a URL similar to the following:
 
JA> http://reverse.proxy.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242
 
JA> If that doesn't cause the segfault, click around for a while.
 
JA> (Yes, reverse proxying from non-SSL to SSL is not a good idea, but it keeps the
JA> example simpler.)
 
JA>     Actual Results:
 
JA> Segmentation fault in error_log:
JA> [Thu Jul 15 19:38:36 2004] [notice] child pid 42 exit signal Segmentation fault
JA> (11), possible coredump in /usr/local/httpd-2.0.50
 
JA>     Build Date & Platform:
 
JA> 2004-07-14 build on SunOS 5.8 SUNW,UltraAX-i2
 
JA>     Additional Information:
 
JA> Here is a stack trace from gdb:
 
JA> #0  0xfef5060c in memcpy ()
JA>    from /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1
JA> #1  0xfeafef54 in char_buffer_read (buffer=0x1649ac,
JA>     in=0x2000 <Address 0x2000 out of bounds>, inl=8192) at ssl_engine_io.c:348
JA> #2  0xfeaff388 in ssl_io_input_read (inctx=0x164990,
JA>     buf=0x1649b8 "Content-Length:
JA> 121\r\nCort/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea8cc) at ssl_engine_io.c:561
JA> #3  0xfeaff624 in ssl_io_input_getline (inctx=0x164990,
JA>     buf=0x1649b8 "Content-Length:
JA> 121\r\nCort/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea944) at ssl_engine_io.c:712
JA> #4  0xfeb00118 in ssl_io_filter_input (f=0x1669c0, bb=0x158f98,
JA>     mode=4290685252, block=APR_BLOCK_READ, readbytes=0) at ssl_engine_io.c:1226
JA> #5  0x42978 in ap_get_brigade (next=0x1669c0, bb=0x158f98,
JA>     mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
JA>     at util_filter.c:474
JA> #6  0x4aab4 in net_time_filter (f=0x158e20, b=0x158f98, mode=AP_MODE_GETLINE,
JA>     block=APR_BLOCK_READ, readbytes=0) at core.c:3600
JA> #7  0x42978 in ap_get_brigade (next=0x158e20, bb=0x158f98,
JA>     mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
JA>     at util_filter.c:474
JA> #8  0x43e0c in ap_rgetline_core (s=0xffbeab94, n=8192, read=0xffbeab90,
JA>     r=0x1671b8, fold=1, bb=0x158f98) at protocol.c:214
JA> #9  0x441a4 in ap_getline (s=0xffbeccd8 "Content-Length", n=8192, r=0x1671b8,
JA>     fold=1) at protocol.c:478
JA> #10 0xfe8552d4 in ap_proxy_read_headers (r=0x1821d0, rr=0x1671b8,
JA>     buffer=0xffbeccd8 "Content-Length", size=8192, c=0x1671b8)
JA>     at proxy_util.c:457
JA> #11 0xfe833014 in ap_proxy_http_process_response (p=0x157960, r=0x1821d0,
JA>     p_conn=0x157ee8, origin=0x158168, backend=0x157f00, conf=0xf0268,
JA>     bb=0x157e98, server_portstr=0xffbeed68 ":47290") at proxy_http.c:755
JA> #12 0xfe833ba4 in ap_proxy_http_handler (r=0x1821d0, conf=0xf0268,
JA>     url=0x158038
JA> "/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
JA> proxyname=0x0, proxyport=60776) at proxy_http.c:1121
JA> #13 0xfe85435c in proxy_run_scheme_handler (r=0x1821d0, conf=0xf0268,
JA>     url=0x1839ce
JA> "https://eroomhost.aaa.bbb.com/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
JA> proxyhost=0x0,
JA>     proxyport=0) at mod_proxy.c:1113
JA> #14 0xfe852ed8 in proxy_handler (r=0x1821d0) at mod_proxy.c:418
JA> #15 0x359a8 in ap_run_handler (r=0x1821d0) at config.c:151
JA> #16 0x35fa4 in ap_invoke_handler (r=0x1821d0) at config.c:358
JA> #17 0x32c44 in ap_process_request (r=0x1821d0) at http_request.c:246
JA> #18 0x2df14 in ap_process_http_connection (c=0x157a70) at http_core.c:250
JA> #19 0x40090 in ap_run_process_connection (c=0x157a70) at connection.c:42
JA> #20 0x403a4 in ap_process_connection (c=0x157a70, csd=0x157998)
JA>     at connection.c:175
JA> #21 0x3422c in child_main (child_num_arg=5) at prefork.c:609
JA> #22 0x343ac in make_child (s=0x8edb0, slot=5) at prefork.c:703
JA> #23 0x345fc in perform_idle_server_maintenance (p=0x8c690) at prefork.c:838
JA> #24 0x34a34 in ap_mpm_run (_pconf=0x0, plog=0x63400, s=0x83000)
JA>     at prefork.c:1039
JA> #25 0x3ad44 in main (argc=3, argv=0xffbef4ac) at main.c:617


JA> Solution:  A fix is available via CVS at:

JA> http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126



-- 
~/ZARAZA
Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен)

Powered by blists - more mailing lists