-------------------------------------
PUBLIC ADVISORY of xCrZx /18.10.2004/
=====================================

I. Intro
II. Details
III. Exploitation
IV. Solution
V. Outro


--------
I. Intro
========

mod_include is an apache standard module which allow users to
use some features in their html pages such as include file, 
exec commands, echo, etc.

-----------
II. Details
===========

There is an overflow in get_tag() function, that was found by 
me inside of mod_include.c:

static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) 
{                                                                                
...                                                                              
    term = c;                                                                    
    while (1) {                                              
        GET_CHAR(in, c, NULL, p);                            
[1]        if (t - tag == tagbuf_len) {                      
            *t = '\0';                                       
            return NULL;                                     
        }                                                    
/* Want to accept \" as a valid character within a string. */
        if (c == '\\') {                                                         
[2]            *(t++) = c;         /* Add backslash */                           
            GET_CHAR(in, c, NULL, p);                                            
            if (c == term) {    /* Only if */                                    
[3]                *(--t) = c;     /* Replace backslash ONLY for terminator */   
            }                                                                    
        }                                                                        
        else if (c == term) {                                                    
            break;                                                               
        }                                                                        
[4]        *(t++) = c;                                                           
    }                                                                            
    *t = '\0';                                                                   
...                                                                              
}

as we can see there is a [1] check to determine the end of tag buffer            
but this check can be skiped when [2] & [4] conditions will be occured           
at the same time without [3] condition.                                          
                                                                                 
So attacker can create malicious file to overflow static buffer, on              
which tag points out and execute arbitrary code with privilegies of              
httpd child process.

for example, an overflow can be occured from handle_echo:
(or other similar functions handle_*())
                                                             
static int handle_echo(FILE *in, request_rec *r, const char *error)
{
    char tag[MAX_STRING_LEN];
...
    while (1) {
        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
            return 1;
        }
...

-----------------
III. Exploitation
=================

Exploit was created by me :) and successfully tested on apache 1.3.31 under 
Linux RH9.0 (Shrike).

Vuln versions of apache: 1.3.x

------------
IV. Solution
============

To fix this vulnerability you must change one line in get_tag() function:

[1]        if (t - tag == tagbuf_len) {                      

to

[1']       if (t - tag >= tagbuf_len-1) {

--------
V. Outro
========

y0das old shao lin techniq ownz u :) remember my words
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3

shoutz to: m00, LByte, ech0, ha1fsatan, 0xbadc0ded and others :)

and special hello to my parents :)


Copyright (C) xCrZx /18.10.2004/