Date: Mon, 13 Apr 2015 06:32:02 +0100
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: bugtraq@...urityfocus.com, cve-assign@...re.org
Subject: Apache HTTPD 2.4.12/ 2.2.29 Security Audit Notes - Advanced
 Information Security Corp

-=[Advanced Information Security Corp]=-

Author: Nicholas Lemonias
Advisory Date: 13/4/2015
Email: lem.nikolas (at) gmail (dot) com

Introduction
==========
During a source-code audit of the Apache HTTPD 2.2.29 release
implementation for Linux, conducted internally by the Advanced
Information Security Group, instances of insecure function use were
observed which could possibly lead to some attacks.

Software Overview
===============


The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems including UNIX
and Windows NT. The goal of this project is to provide a secure,
efficient and extensible server that provides HTTP services in sync
with the current HTTP standards.

Apache httpd was launched in 1995, has been the most popular web
server on the Internet since April 1996, and celebrates its 20th
birthday as a project this February.


Module Overview
===============

*  mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
 *
 * This module gives Apache the ability to do SSL/TLS with a minimum amount
 * of effort.  All of the SSL/TLS logic is already on NetWare versions 5 and
 * above and is interfaced through WinSock on NetWare.  As you can see in
 * the code below SSL/TLS sockets can be created with three WinSock calls.
 *


PoC 1 - Code Snippet [CWE-476]
==============================
(..\httpd-2.2.29\modules\arch\netware\mod_nw_ssl.c:1104-1130)
(..\httpd-2.4.12\modules\arch\netware\mod_nw_ssl.c:1104-1130)

Description: A NULL pointer dereference security issue was identified
on [line 1104], at the statement (request_rec *r = f->r;), precisely
where the ssl_io_filter_Upgrade() function is called.

User input can be supplied to the called function, and illegal input
can be provided.

Furthermore, it is noted that there are no security validation
controls on the state of r->connection, or on the context of
&nwssl_module or f->r.


Kind Regards,
Nicholas Lemonias
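
The missing-validation pattern the advisory describes, shown next to a hardened form. This is an added example, not code from the advisory or from Apache httpd: the struct types are simplified, hypothetical stand-ins that only reuse the names f->r and r->connection, and the module_config field, function names and inputs are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical stand-ins for the structures named in the
 * advisory. These are NOT the real Apache httpd definitions. */
typedef struct { void *module_config; } conn_model;       /* models r->connection */
typedef struct { conn_model *connection; } request_model; /* models request_rec */
typedef struct { request_model *r; } filter_model;        /* models the filter f */

enum { UPGRADE_OK = 0, UPGRADE_DECLINED = -1 };

/* Unvalidated pattern: every link in f->r->connection is dereferenced
 * without a check. Undefined behaviour if any of them is NULL, so it is
 * only safe to call with a fully populated chain. */
int upgrade_unchecked(filter_model *f)
{
    request_model *r = f->r;
    return r->connection->module_config ? UPGRADE_OK : UPGRADE_DECLINED;
}

/* Hardened pattern: validate each pointer before use and fail closed. */
int upgrade_checked(const filter_model *f)
{
    if (f == NULL || f->r == NULL)
        return UPGRADE_DECLINED;
    if (f->r->connection == NULL || f->r->connection->module_config == NULL)
        return UPGRADE_DECLINED;
    return UPGRADE_OK;
}

/* Constructed inputs: counts how many of the four cases are declined. */
int count_declined(void)
{
    int cfg = 1;
    conn_model c_ok = { &cfg }, c_nocfg = { NULL };
    request_model r_ok = { &c_ok }, r_noconn = { NULL }, r_nocfg = { &c_nocfg };
    filter_model cases[] = { { &r_ok }, { NULL }, { &r_noconn }, { &r_nocfg } };
    int declined = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        if (upgrade_checked(&cases[i]) != UPGRADE_OK)
            declined++;
    return declined;
}

int main(void)
{
    printf("declined %d of 4 constructed cases\n", count_declined());
    return 0;
}
```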
