|
COMMAND Apache mod_ssl off-by-one vulnerability SYSTEMS AFFECTED mod_ssl 2.4.9 and earlier PROBLEM Frank Denis (Jedi/Sector One) [j@pureftpd.org] [http://www.Jedi.Claranet.Fr/] of PureFTPd [http://www.PureFTPd.Org/], says : The Apache web server provides an extended API (EAPI) to easily extended the server with third-party modules, through various hooks called as needed. One of these hooks, rewrite_command, is called right after a configuration directive line was read and before it is processed. mod_ssl registers such a rewrite_command hook when backward compatibility is enabled. The ssl_compat_directive() is called for every line read in a configuration file. However, this function contains an off-by-one error in this code snippet : ... char *cp; char caCmd[1024]; char *cpArgs; ... cp = (char *)oline; for (i = 0; *cp != \' \' && *cp != \'\\t\' && *cp != NUL && i < 1024; ) ^^^^^^^^ caCmd[i++] = *cp++; caCmd[i] = NUL; cpArgs = cp; ... oline is a pointer to a line being parsed, and whoose content can be arbitrary long, and controlled by untrusted users through \".htaccess\" files. Apart from global configuration files, Apache allows per-directory configuration files. Therefore, the bug can be triggered by any regular user through specially crafted \".htaccess\" files. The stack can be smashed. Alexander Yurchenko <grange@rt.mipt.ru> wrote a proof of concept exploit for OpenBSD to demonstrate that arbitrary code could be executed through \".htaccess\" files. As noticed by Michal Zalewski <lcamtuf@coredump.cx>, you can cause an overflow in every child running to force all of them do what you want. This is way more dangerous than children forked for CGI execution. Possible implications include denial of service (by sending STOP signals to every child), adding fake entries to every log file (not only those from the virtualhost the .htaccess lies in), running arbitrary commands as the web server user regardless of ExecCGI and suexec settings and spoofing replies. SOLUTION Workaround ========== Disallow per-directory configuration files by only having \"AllowOverride None\" directives in your httpd.conf file, and restart the web server. Patch ===== A new version has just been released. mod_ssl 2.8.10 addresses the vulnerability and it is freely available from [http://www.modssl.org/] The following oneliner patch also addresses the problem : --- pkg.sslmod/ssl_engine_compat.c.orig Sat Feb 23 19:45:23 2002 +++ pkg.sslmod/ssl_engine_compat.c Mon Jun 24 20:43:17 2002 @@ -309,7 +309,7 @@ * Extract directive name */ cp = (char *)oline; - for (i = 0; *cp != \' \' && *cp != \'\\t\' && *cp != NUL && i < 1024; ) + for (i = 0; *cp != \' \' && *cp != \'\\t\' && *cp != NUL && i < sizeof(caCmd) - 1; ) caCmd[i++] = *cp++; caCmd[i] = NUL; cpArgs = cp;