[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CA+CewVBXStkpJB+CRW=9=UNh27rStw-LyUe79r09jYoY7t3ABg@mail.gmail.com>
Date: Mon, 13 Apr 2015 06:32:02 +0100
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: bugtraq@...urityfocus.com, cve-assign@...re.org
Subject: Apache HTTPD 2.4.12/ 2.2.29 Security Audit Notes - Advanced
Information Security Corp
-=[Advanced Information Security Corp]=-
Author: Nicholas Lemonias
Advisory Date: 13/4/2015
Email: lem.nikolas (at) gmail (dot) com
Introduction
==========
During a source-code audit of the Apache HTTPD 2.2.29 release
implementation for linux; conducted internally by the Advanced
Information Security
Group, instances of insecure function use were observed, which could
possibly lead to some attacks.
Software Overview
===============
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems including UNIX
and Windows NT. The goal of this project is to provide a secure,
efficient and extensible server that provides HTTP services in sync
with the current HTTP standards.
Apache httpd was launched in 1995, has been the most popular web
server on the Internet since April 1996, and celebrates its 20th
birthday as a project this February.
Module Overview
=================
* mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
*
* This module gives Apache the ability to do SSL/TLS with a minimum amount
* of effort. All of the SSL/TLS logic is already on NetWare versions 5 and
* above and is interfaced through WinSock on NetWare. As you can see in
* the code below SSL/TLS sockets can be created with three WinSock calls.
*
PoC 1 - Code Snippet [CWE-476]
==============================
(..\httpd-2.2.29\modules\arch\netware\mod_nw_ssl.c:1104-1130)
(..\httpd-2.4.12\modules\arch\netware\mod_nw_ssl.c:1104-1130)
Description: A Null Pointer dereference security issue has been
realized on [line 1104] where (request_rec *r = f->r;) and precisely
at the calling of ssl_io_filter_Upgrade() function.
User input can be supplied to the called function, and an illegal
input to be provided.
Furthermore, it is noted that there are no security validation
controls on the state of r->connection , or the context of
&nwssl_module or f->r.
Kind Regards,
Nicholas Lemonias
Powered by blists - more mailing lists