lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 14 Apr 2015 10:55:04 +0100
From: "Nicholas Lemonias." <lem.nikolas@...glemail.com>
To: bugtraq@...urityfocus.com, cve-assign@...re.org
Subject: Security Advisory - Apache HTTP Server 2.2.29 / 2.4.12 NULL Pointer
 dereference in protocol.c

-=[Advanced Information Security Corporation]=-


Advisory for Apache Http Server 2.2.29 / 2.4.12  NULL Pointer Dereference

 Author: Nicholas Lemonias
 Advisory Date: 14/4/2015
 Email: lem.nikolas (at) gmail (dot) com

 Introduction
 ==========
 During a source-code audit of the Apache HTTPD 2.2.29 / 2.4.12 release
 implementation for linux; conducted internally by the Advanced
 Information Security
 Group, instances of insecure function use were observed, which could
 possibly lead to attacks.

 Software Overview
 ===============

 The Apache HTTP Server Project is an effort to develop and maintain an
 open-source HTTP server for modern operating systems including UNIX
 and Windows NT. The goal of this project is to provide a secure,
 efficient and extensible server that provides HTTP services in sync
 with the current HTTP standards.

 Apache httpd was launched in 1995, has been the most popular web
 server on the Internet since April 1996.

  Affected code
 ===============
 * protocol.c --- routines which directly communicate with the client.
 *
 * Code originally by Rob McCool; much redone by Robert S. Thau
 * and the Apache Software Foundation.


 PoC 1 - Code Snippet [CWE-476]
 ==============================
 (..\httpd-2.2.29\server\protocol.c:1286)
 (..\httpd-2.4.12\server\protocol.c:1286)

...

AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(
    ap_filter_t *f,
    apr_bucket_brigade *b)
{
    request_rec *r = f->r;
    struct content_length_ctx *ctx;
    apr_bucket *e;
    int eos = 0;
    apr_read_type_e eblock = APR_NONBLOCK_READ;

    ctx = f->ctx;
    if (!ctx) {
        f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx));
        ctx->data_sent = 0;
    }

Description: Code at line 1286 is vulnerable to a Null Pointer
Derference security issue,  where (request_rec *r = f->r;).  The
filter is used to compute the Content-Length, but it also computes the
number of bytes sent to the client.
......................................................................................................
The filter will always run through all of the buckets in all brigades.
The (request_rec *r = f->r;) is user-controllable and can be set to
NULL using a supplied parameter. The issue stems from the lack of any
control metrics on the return value of (f) ~ line 1286 (to ensure that
is non-NULL.)

The value of (f) can be set to NULL using a user-supplied parameter.


 [1] CWE Mitre. (2015) CWE - Null Pointer Dereference - 476  [Online]
 Available at: https://cwe.mitre.org/data/definitions/476.html
 [Last Accessed 14 April, 2015]

Powered by blists - more mailing lists