| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Apr 2015 06:32:02 +0100 From: "Nicholas Lemonias." <lem.nikolas@...glemail.com> To: bugtraq@...urityfocus.com, cve-assign@...re.org Subject: Apache HTTPD 2.4.12/ 2.2.29 Security Audit Notes - Advanced Information Security Corp -=[Advanced Information Security Corp]=- Author: Nicholas Lemonias Advisory Date: 13/4/2015 Email: lem.nikolas (at) gmail (dot) com Introduction ========== During a source-code audit of the Apache HTTPD 2.2.29 release implementation for linux; conducted internally by the Advanced Information Security Group, instances of insecure function use were observed, which could possibly lead to some attacks. Software Overview =============== The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Apache httpd was launched in 1995, has been the most popular web server on the Internet since April 1996, and celebrates its 20th birthday as a project this February. Module Overview ================= * mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner. * * This module gives Apache the ability to do SSL/TLS with a minimum amount * of effort. All of the SSL/TLS logic is already on NetWare versions 5 and * above and is interfaced through WinSock on NetWare. As you can see in * the code below SSL/TLS sockets can be created with three WinSock calls. * PoC 1 - Code Snippet [CWE-476] ============================== (..\httpd-2.2.29\modules\arch\netware\mod_nw_ssl.c:1104-1130) (..\httpd-2.4.12\modules\arch\netware\mod_nw_ssl.c:1104-1130) Description: A Null Pointer dereference security issue has been realized on [line 1104] where (request_rec *r = f->r;) and precisely at the calling of ssl_io_filter_Upgrade() function. User input can be supplied to the called function, and an illegal input to be provided. Furthermore, it is noted that there are no security validation controls on the state of r->connection , or the context of &nwssl_module or f->r. Kind Regards, Nicholas Lemonias
Powered by blists - more mailing lists