Message-ID: <20030416211433.GA14489@hal>
From: zillion at safemode.org (zillion)
Subject: Apache mod_access_referer denial of service issue



==================================================================
      Safemode.org security advisory: mod_access_referer 
==================================================================

Subject:
========

Apache module mod_access_referer 1.0.2 contains a NULL pointer
dereference vulnerability.

Problem description:
====================

In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is
passed to the is_ip() function in order to determine whether the
value of the Referer header field is an IP address or a domain name.

The relevant code snippets are:

         --- -snip snip- ---

         ap_parse_uri_components (r->pool,
                                  ap_table_get (r->headers_in, "Referer"),
                                  &uptr);

         if (!is_ip (uptr.hostname)) {

         --- -snip snip- ---

static int
is_ip (const char *host)
{
        /* this just tests if it matches [\d.]* */
        /* XX is a better test needed? */
        while ((*host == '.') || ap_isdigit (*host))
                host++;
                
        return (*host == '\0');
}

         --- -snip snip- ---

When the server is sent a malformed Referer header field,
ap_parse_uri_components does not initialize the uptr.hostname
pointer. As a result, is_ip() reads from a NULL pointer and the
process crashes with a segmentation fault. An example Referer header
field that triggers the issue:

Referer: ://its-missing-http.com

This NULL pointer dereference can possibly be abused in denial of
service attacks against affected systems.
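For comparison, here is an added example (not code from the advisory, the module or the referenced patch) that places the original is_ip() check beside a hardened variant and exercises both with the Referer values discussed above. The referer_hostname() helper is an assumption: it is a small stand-in that only mimics the behaviour the advisory describes (no hostname for a Referer whose scheme is missing), not Apache's ap_parse_uri_components; ap_isdigit is replaced by the C library's isdigit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check as quoted from mod_access_referer 1.0.2 (ap_isdigit replaced by
 * isdigit). It walks the string without testing for NULL first, so a
 * missing hostname is dereferenced. Kept only for comparison; do not
 * call it with NULL. */
static int is_ip_original(const char *host)
{
    while ((*host == '.') || isdigit((unsigned char)*host))
        host++;
    return (*host == '\0');
}

/* Hardened variant: a missing hostname is reported as "not an IP"
 * instead of being dereferenced. Everything else is unchanged. */
static int is_ip_safe(const char *host)
{
    if (host == NULL)
        return 0;
    while ((*host == '.') || isdigit((unsigned char)*host))
        host++;
    return (*host == '\0');
}

/* Stand-in for ap_parse_uri_components (assumption: NOT the Apache
 * function). It reproduces the behaviour the advisory describes: a
 * Referer with no scheme before "://" yields no hostname (NULL). For
 * "scheme://host[:port][/path]" the host is copied into buf. */
static const char *referer_hostname(const char *referer, char *buf, size_t buflen)
{
    const char *sep = strstr(referer, "://");
    if (sep == NULL || sep == referer)      /* empty scheme, e.g. "://host" */
        return NULL;
    const char *host = sep + 3;
    size_t n = strcspn(host, "/:?#");       /* stop at port, path or query */
    if (n == 0 || n >= buflen)
        return NULL;
    memcpy(buf, host, n);
    buf[n] = '\0';
    return buf;
}

/* Defensive form of the test find_allowdeny() performs: 1 if the Referer
 * names an IP address, 0 otherwise, including when parsing produced no
 * hostname. The malformed header from the advisory now takes the 0 path. */
static int referer_is_ip(const char *referer)
{
    char buf[256];
    const char *host = referer_hostname(referer, buf, sizeof buf);
    return is_ip_safe(host);
}

int main(void)
{
    /* Constructed sample Referer values, including the advisory's trigger. */
    const char *samples[] = {
        "http://192.168.0.1/",
        "http://its-a-domain.example/page",
        "://its-missing-http.com",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> is_ip=%d\n", samples[i], referer_is_ip(samples[i]));
    return 0;
}
```

The only behavioural change between the two checks is the NULL guard; a missing hostname is classified as a domain name and falls through to the module's normal allow/deny handling rather than crashing the child process.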


How to counter the issue:
=========================

New, unofficial, fixed RPM files can be found here:
ftp://ftp.pld.org.pl/dists/ra/test/

A simple patch is available here:
http://sourceforge.net/projects/accessreferer/

--

Greets to 0dd, SNO and all @defaced.be