lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.44.0406101641570.8607-100000@pingu.awe.com>
From: mjc at apache.org (Mark J Cox)
Subject: Buffer overflow in apache mod_proxy, yet still apache much better than windows

We have assigned CAN-2004-0492 to this issue.

The flaw affects Apache httpd 1.3.26 to 1.3.31 inclusive that have
mod_proxy enabled and configured.  Apache httpd 2.0 is unaffected.

The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative)  Content-Length.  This results in a memcpy to the heap with a
large length value, which will in most cases cause the Apache child to
crash.  This does not represent a significant Denial of Service attack as
requests will continue to be handled by other Apache child processes.

In order to exploit this issue an attacker would need to get an Apache
installation that was configured as a proxy or used the ProxyPass
functionality to connect to a malicious server.

For the majority of platforms we do not believe that this issue can lead
to arbitrary code execution.  However we do believe it is exploitable for
arbitrary code execution in the following cases:

1. On older OpenBSD/FreeBSD distributions it will be easily exploitable
because of the internal implementation of memcpy which rereads its length
from the stack.

2. On newer BSD distributions it may be exploitable because the
implementation of memcpy will write three arbitrary bytes to an attacker
controlled location.

3. It may be exploitable on any platform if the optional (and not default)
AP_ENABLE_EXCEPTION_HOOK define is enabled.  This is used for example by
the experimental "mod_whatkilledus" module.

An official patch to correct this issue is available.  See:
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=108687304202140

Mark
--
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor
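The mechanism Mark describes (a negative Content-Length from the upstream server that ends up as the length argument of a memcpy) is shown below as an added, simplified illustration; this is not Apache's proxy code and not part of the original message. It pairs the unsafe decode (a signed atol() result consumed as an unsigned size) with a hardened decode that only accepts an unsigned decimal value and rejects everything else. The sample responses are constructed for the example; the buffer capacity of 8192 bytes is an assumption.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample upstream responses (not captured from any real server).
 * The second one carries the negative Content-Length the advisory describes. */
static const char GOOD_RESPONSE[] =
    "HTTP/1.0 200 OK\r\nContent-Length: 11\r\n\r\nhello world";
static const char BAD_RESPONSE[] =
    "HTTP/1.0 200 OK\r\nContent-Length: -1\r\n\r\n";

/* Locate the Content-Length header in a response header block and return a
 * pointer to its value, or NULL if the header is absent. */
static const char *find_content_length(const char *resp) {
    const char *p = resp;
    while (*p) {
        if (strncasecmp(p, "Content-Length:", 15) == 0)
            return p + 15;
        p = strstr(p, "\r\n");
        if (!p) break;
        p += 2;
        if (strncmp(p, "\r\n", 2) == 0) break; /* blank line: end of headers */
    }
    return NULL;
}

/* Naive decode, in the spirit of the bug the advisory describes: a signed
 * atol() result that a later memcpy() consumes as an unsigned size. */
long naive_content_length(const char *resp) {
    const char *v = find_content_length(resp);
    return v ? atol(v) : 0;
}

/* Hardened decode: optional leading whitespace, unsigned decimal digits,
 * nothing but whitespace before the line end, value representable as a
 * non-negative long. Returns -1 for anything else so the caller can abort
 * the proxied response instead of copying. */
long safe_content_length(const char *resp) {
    const char *v = find_content_length(resp);
    char *end;
    long n;
    if (!v) return -1;
    while (*v == ' ' || *v == '\t') v++;
    if (*v < '0' || *v > '9') return -1;      /* rejects "-1", "+5", "" */
    errno = 0;
    n = strtol(v, &end, 10);
    if (errno == ERANGE || n < 0) return -1;  /* rejects out-of-range values */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\r' && *end != '\n' && *end != '\0') return -1;
    return n;
}

/* The unsafe step: converting the signed length to size_t before a copy into
 * a buffer of `cap` bytes. Returns 1 if such a memcpy() would overrun it. */
int copy_would_overrun(long len, size_t cap) {
    size_t n = (size_t)len;   /* -1 becomes SIZE_MAX here */
    return n > cap;
}
```

With the constructed responses, naive_content_length() returns -1 for the bad one and copy_would_overrun() reports that the resulting copy exceeds any buffer, which is the child-process crash the advisory describes; safe_content_length() returns -1 for the same input so the proxy can drop the response before any copy happens.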
