lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1d1cd2879905fbf80e323f2ab7bc599f13fb13c9@id0.idefense.com>
From: labs at idefense.com (iDEFENSE Labs)
Subject: iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt
Apache Portable Runtime Denial of Service and Arbitrary Code
Execution Vulnerability
May 30, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern OS'
including Unix and Microsoft Corp.'s Windows. More information is
available at http://httpd.apache.org/ .

The Apache Portable Runtime (APR) provides a free library of C data
structures and routines, forming a system portability layer to as
many OS' as possible. More information is available at
http://apr.apache.org/ .

mod_dav is an open-source Apache module that provides Distributed
Authoring and Versioning (DAV) capabilities to the Apache HTTP
Server. More information is available at
http://www.webdav.org/mod_dav/ .

II. DESCRIPTION

Passing an overly long string to the apr_psprintf() APR library
function that is used by the Apache HTTP Server could cause an
application to reference memory that should have already been
returned to the heap allocation pool. Arbitrary code execution
remains a possibility but has not been substantiated at the time of
publication of this report.  Considering the strict conditions
necessary for successful code execution, it would be feasible but
difficult to develop an exploit capable of functioning outside of a
lab environment.

III. ANALYSIS

The remote denial of service aspect of this vulnerability can be
exploited if a remote attacker is able to pass large strings to the
vulnerable function, as is the case in the mod_dav attack vector,
where a specially crafted XML object request of approximately 12250
bytes crashed HTTP Server running on a non-Windows OS; approximately
20000 characters crashed it on a Windows OS.

IV. DETECTION

Applications that rely on older versions of APR are vulnerable. A
list of such projects is available at
http://apr.apache.org/projects.html#open_source . Both the Windows
and Unix implementations of Apache HTTP Server 2.0.37 through 2.0.45
inclusive are vulnerable.

V. WORKAROUND

The following patch should mitigate this vulnerability:

- - --- srclib/apr/memory/unix/apr_pools.c  7 Mar 2003 12:12:43 -0000
  1.195
+++ srclib/apr/memory/unix/apr_pools.c  8 May 2003 20:11:14 -0000
@@ -976,7 +976,7 @@

         if (ps->got_a_new_node) {
             active->next = ps->free;
- - -            ps->free = node;
+            ps->free = active;
         }

         ps->got_a_new_node = 1;


VI. VENDOR FIX

Apache HTTP Server 2.0.46, which contains updates for APR, can be
downloaded at http://httpd.apache.org/download.cgi .

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0245 to this issue.

VIII. DISCLOSURE TIMELINE

03/19/2003      Issue disclosed to iDEFENSE
04/08/2003      iDEFENSE Labs initial research complete
04/09/2003      security@...che.org contacted
04/09/2003      Response from Lars Eilebrecht and Bill Rowe of Apache
04/11/2003      Response from Ian Holsman of Apache
05/08/2003      Response from Mark Cox of Apache
05/08/2003      Initial Research and patch Submitted to
                iDEFENSE by Joe Orton of Apache
05/09/2003      Apache patch verified by iDEFENSE Labs
05/12/2003      vendor-sec list notified
05/26/2003      iDEFENSE clients notified
05/30/2003      Coordinated Public Disclosure


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPtfBkvrkky7kqW5PEQLpoACfZbcO/qJ0WbCRGj/oKXFFImvgpTYAn0UB
OFmhMmVLLiDuaGPQtTcbGnJN
=Icpc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ