McAfee, Inc.
McAfee Avert(tm) Labs Security Advisory
Public Release Date: 2006-07-09

Apache 1.3.29/2.X mod_rewrite Buffer Overflow Vulnerability

CVE-2006-3747
______________________________________________________________________

* Synopsis

mod_rewrite is an Apache module that can be used to remap requests
based on regular expression matches of the requested URI. A buffer
overflow vulnerability exists when dealing with rewritten URIs that
are prefixed with the LDAP protocol scheme (ldap://).

Exploitation leads to remote access to the vulnerable machine and
therefore the risk factor is critical.

______________________________________________________________________

* Vulnerable Systems

Apache 1.3.29/mod_rewrite
Apache 2.0.x/mod_rewrite - only 2.0.46 and later are vulnerable
Apache 2.2.x/mod_rewrite

______________________________________________________________________

* Vulnerability Information

The mod_rewrite module contains an off-by-one buffer overflow
vulnerability when escaping an absolute URI scheme. The vulnerability
occurs within escape_absolute_uri() when separating out tokens
within an LDAP URL. Triggering the vulnerability results in a pointer
to user-controlled data being written one element past the end of a
fixed-size character pointer array, which in many cases can be used to
gain complete control of the affected host.

Note that an LDAP-specific rule does not need to exist to exploit
the vulnerability. However, a rule must exist with the following
properties:

- The user must control the initial part of the rewritten URL, so
  that a request can make the substitution begin with "ldap://"
- The rule must not carry the forbidden or gone flag [F or G]
- Rules with the "noescape" [NE] flag set are not affected, since the
  rewritten URL is then never passed through the escaping code

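The following is an added example, not McAfee's advisory code and not
Apache's source. It reproduces the loop shape the advisory describes:
escape_absolute_uri() splits an LDAP URL at each '?' into a fixed array
of five char pointers, and the loop bound lets the running index reach
the array size, so a URL with five '?' characters stores a pointer to
attacker-controlled data in token[5] of a five-element array. The
hardened variant bounds the index at the last valid slot. To keep the
demo free of undefined behaviour the backing array is oversized and the
functions only report the highest index that would have been written;
the sample URLs are constructed for this example, and a rule such as
`RewriteRule ^/(.*)$ $1 [R]` (illustrative, not from the advisory) is the
kind of rule that lets a request reach this code with an ldap:// prefix.

```c
/* Added example: off-by-one in an LDAP URL tokenizer, vulnerable shape
 * beside the hardened shape. Not the advisory's or Apache's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_TOKENS 5   /* size of the real pointer array: char *token[5] */
#define SIM_SLOTS   16  /* oversized backing array so the demo never writes OOB */

/* Splits `cp` in place at every '?' and stores a pointer to each piece.
 * `bound` is the loop's upper limit on the running index c. The store
 * happens at token[++c], so c == bound - 1 still permits a store into
 * token[bound]. Returns the highest token index stored. */
static int split_ldap_tokens(char *cp, char **token, int bound)
{
    int c = 0;
    token[0] = cp;
    while (*cp && c < bound) {
        if (*cp == '?') {
            token[++c] = cp + 1;   /* pointer into user-controlled data */
            *cp = '\0';
        }
        ++cp;
    }
    return c;
}

/* Plain malloc+memcpy copy so the example does not depend on strdup(). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* Highest pointer-array index the loop would write for `uri` under `bound`.
 * Returns -1 on allocation failure. */
int highest_index_written(const char *uri, int bound)
{
    char *slots[SIM_SLOTS];
    char *copy = dup_string(uri);
    int top;
    if (!copy)
        return -1;
    top = split_ldap_tokens(copy, slots, bound);
    free(copy);
    return top;
}

/* Vulnerable shape: the loop runs while c < LDAP_TOKENS, so a fifth '?'
 * stores token[LDAP_TOKENS], one element past a five-element array. */
int vulnerable_writes_out_of_bounds(const char *uri)
{
    return highest_index_written(uri, LDAP_TOKENS) >= LDAP_TOKENS;
}

/* Hardened shape: bound the index at the last valid slot (LDAP_TOKENS - 1);
 * any further '?' characters simply stay inside the final token. */
int hardened_writes_out_of_bounds(const char *uri)
{
    return highest_index_written(uri, LDAP_TOKENS - 1) >= LDAP_TOKENS;
}

int main(void)
{
    /* Constructed inputs: a normal LDAP URL (three '?') and one with five. */
    const char *benign  = "ldap://ldap.example/dc=example?cn?sub?(uid=a)";
    const char *trigger = "ldap://ldap.example/dc=example?cn?sub?(uid=a)?x?AAAA";

    printf("benign : vulnerable=%d hardened=%d\n",
           vulnerable_writes_out_of_bounds(benign),
           hardened_writes_out_of_bounds(benign));
    printf("trigger: vulnerable=%d hardened=%d\n",
           vulnerable_writes_out_of_bounds(trigger),
           hardened_writes_out_of_bounds(trigger));
    return 0;
}
```

The benign URL stops at token[3] under both loops; the five-'?' URL
drives the vulnerable loop to token[5] while the hardened loop stops at
token[4], which is why the fix is a change to the loop bound rather than
to the array size.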

______________________________________________________________________

* Resolution

http://www.apache.org/dist/httpd/Announcement2.2.html

Fixed releases: Apache 1.3.37, 2.0.59 and 2.2.3.

______________________________________________________________________

* Credits

This vulnerability was discovered by Mark Dowd of McAfee Avert Labs.

______________________________________________________________________

* Legal Notice

Copyright (C) 2006 McAfee, Inc.
The information contained within this advisory is provided for the
convenience of McAfee's customers, and may be redistributed provided
that no fee is charged for distribution and that the advisory is not
modified in any way. McAfee makes no representations or warranties
regarding the accuracy of the information referenced in this document,
or the suitability of that information for your purposes.

McAfee, Inc. and McAfee Avert Labs are registered trademarks of McAfee,
Inc. and/or its affiliated companies in the United States and/or other
countries. All other registered and unregistered trademarks in this
document are the sole property of their respective owners.

______________________________________________________________________
