This Metasploit module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension for versions 2.2.14 and earlier. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.
e04d3b9c9de28cf065800495f9d457177003f542be9c1a8e7109f19ae6fb7ca1VMware Security Advisory - VMware Workstation and Player address a potential installer security issue and security issues in libpng. VMware ACE Management Server (AMS) for Windows updates Apache httpd.
c598de56110b9b1285f2b8e0d5afbeeb93abb4d32d2d9e62b9bdc9c16b71278bApache version 2.2.14 mod_isapi remote SYSTEM exploit. Due to the nature of the vulnerability, and exploitation method, DEP should be limited to essential Windows programs and services. At worst, if DEP is enabled for the Apache process, you could cause a constant DoS by looping this (since apache will automatically restart).
c783414f79f43dcae00ce4cd44e85c324652565b650c7c405e711ebdd5c30075By sending a specially crafted request followed by a reset packet it is possible to trigger a vulnerability in Apache 2.2.14 mod_isapi that will unload the target ISAPI module from memory. However function pointers still remain in memory and are called when published ISAPI functions are referenced. This results in a dangling pointer vulnerability. Successful exploitation results in the execution of arbitrary code with SYSTEM privileges.
90f73578fb832e46f16d36335ab9911e89d608d85ddf6502b6fd7c3f8e006935
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed