27th Jun 2002 [SBWID-5486]
COMMAND
Apache mod_ssl off-by-one vulnerability
SYSTEMS AFFECTED
mod_ssl 2.4.9 and earlier
PROBLEM
Frank Denis (Jedi/Sector One) [j@pureftpd.org]
[http://www.Jedi.Claranet.Fr/] of PureFTPd [http://www.PureFTPd.Org/],
says :
The Apache web server provides an extended API (EAPI) to easily
extend the server with third-party modules, through various hooks
called as needed. One of these hooks, rewrite_command, is called right
after a configuration directive line was read and before it is
processed.
mod_ssl registers such a rewrite_command hook when backward
compatibility is enabled. The ssl_compat_directive() is called for
every line read in a configuration file.
However, this function contains an off-by-one error in this code
snippet :
...
char *cp;
char caCmd[1024];
char *cpArgs;
...
cp = (char *)oline;
for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
                                                       ^^^^^^^^
    caCmd[i++] = *cp++;
caCmd[i] = NUL;
cpArgs = cp;
...
oline is a pointer to a line being parsed, whose content can be
arbitrarily long, and controlled by untrusted users through ".htaccess"
files.
Apart from global configuration files, Apache allows per-directory
configuration files. Therefore, the bug can be triggered by any regular
user through specially crafted ".htaccess" files.
The stack can be smashed. Alexander Yurchenko <grange@rt.mipt.ru>
wrote a proof of concept exploit for OpenBSD to demonstrate that
arbitrary code could be executed through ".htaccess" files.
As noticed by Michal Zalewski <lcamtuf@coredump.cx>, you can cause
an overflow in every child running to force all of them to do what you
want. This is way more dangerous than children forked for CGI
execution.
Possible implications include denial of service (by sending STOP
signals to every child), adding fake entries to every log file (not
only those from the virtualhost the .htaccess lies in), running
arbitrary commands as the web server user regardless of ExecCGI and
suexec settings and spoofing replies.
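The off-by-one described above, reproduced as an added example (not the advisory's or mod_ssl's own code): the same copy loop with the original bound beside the patched one, run against a constructed 1024-byte directive name. A canary byte placed directly after the 1024-byte buffer stands in for whatever the real stack frame keeps there, so the stray NUL write is detected instead of corrupting a saved address. The struct layout, CANARY value and helper names are assumptions for the demonstration.

```c
#include <string.h>
#define NUL '\0'
#define CANARY 0xA5

/* Mirrors the advisory's locals: a 1024-byte directive buffer with live
 * data right after it (here a canary so the stray NUL write is visible). */
struct frame {
    char caCmd[1024];
    unsigned char canary;
};

/* The name-copy loop from ssl_compat_directive(). vulnerable != 0 uses the
 * original bound "i < 1024", otherwise the patched "i < sizeof(caCmd) - 1".
 * Copies the name to out (if given); returns 1 if the canary was hit. */
static int extract_directive(const char *oline, int vulnerable,
                             char *out, size_t outlen)
{
    struct frame f;
    char *caCmd = f.caCmd;
    const char *cp = oline;
    size_t limit = vulnerable ? 1024 : sizeof(f.caCmd) - 1, i;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < limit; )
        caCmd[i++] = *cp++;
    caCmd[i] = NUL;   /* i == 1024 here with the original bound */
    if (out && outlen) {
        strncpy(out, caCmd, outlen - 1);
        out[outlen - 1] = NUL;
    }
    return f.canary != CANARY;
}

/* Constructed sample: a line whose directive name is exactly 1024 non-blank
 * bytes, the shape of a crafted .htaccess line. Returns 1 if canary hit. */
static int demo_overlong(int vulnerable)
{
    char line[1024 + 4];
    memset(line, 'A', 1024);
    strcpy(line + 1024, " on");
    return extract_directive(line, vulnerable, NULL, 0);
}

/* Ordinary line: 1 if the name parsed as expected with the canary intact,
 * 0 on a name mismatch, -1 if the canary was hit. */
static int check_line(const char *line, int vulnerable, const char *expected)
{
    char name[1025];
    if (extract_directive(line, vulnerable, name, sizeof name))
        return -1;
    return strcmp(name, expected) == 0;
}
```

With the original bound the loop leaves i at 1024 and the terminating NUL lands on the canary; with the patched bound it stops at 1023 and ordinary directives still parse unchanged.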
SOLUTION
Workaround
==========
Disallow per-directory configuration files by only having
"AllowOverride None" directives in your httpd.conf file, and restart
the web server.
Patch
=====
A new version has just been released. mod_ssl 2.8.10 addresses the
vulnerability and it is freely available from [http://www.modssl.org/]
The following one-line patch also addresses the problem:
--- pkg.sslmod/ssl_engine_compat.c.orig Sat Feb 23 19:45:23 2002
+++ pkg.sslmod/ssl_engine_compat.c Mon Jun 24 20:43:17 2002
@@ -309,7 +309,7 @@
* Extract directive name
*/
cp = (char *)oline;
- for (i = 0; *cp != \' \' && *cp != \'\\t\' && *cp != NUL && i < 1024; )
+ for (i = 0; *cp != \' \' && *cp != \'\\t\' && *cp != NUL && i < sizeof(caCmd) - 1; )
caCmd[i++] = *cp++;
caCmd[i] = NUL;
cpArgs = cp;
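Review bot: the new bound is sound (i stops at 1023, so `caCmd[i] = NUL` lands in the last byte of the 1024-byte buffer), but an over-long directive name is now silently truncated rather than rejected: after the loop `cpArgs` points into the middle of the name and the 1023-byte prefix in `caCmd` is treated as the directive. Consider failing the line explicitly when the loop exits on the size bound without having reached a blank, tab or NUL, and replacing the empty third clause of the `for` with a conventional loop so the bound is obvious to the next reader. Note also that the hunk as rendered on this page shows `\' \'` and `\'\\t\'`; in the source these are the plain character literals `' '` and `'\t'`, so the text here will not apply verbatim.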