COMMAND

Apache code audit reveals potential problems

SYSTEMS AFFECTED

Apache 1.3.26

PROBLEM

David Wagner says:

I recently did a very brief (and non-exhaustive) security audit of Apache 1.3.26, and noticed some small potential bugs in some of the helper programs that come with the distribution. Apache maintainers have been notified, and the most serious of these bugs have been fixed in 1.3.27. I'm sending this primarily to document for the record what vulnerabilities existed and were fixed. This audit can be found on Sardonix at https://sardonix.org/audit/apache-45.html

Also, I noticed a few suspicious code fragments, which weren't fixed in 1.3.27. For the most part, their security consequences looked less dire, or minimal. I'll describe these as well for completeness. Can anyone else take a look at these and see if I overlooked anything?

1. Buffer overrun in support/ab.c:read_connection()

    char buffer[8192];
    char servername[1024];

    static void read_connection(struct connection * c)
    {
        ...
        r = ab_read(c->fd, buffer, sizeof(buffer));
        ...
        char *p, *q;
        p = strstr(c->cbuff, "Server:");
        q = servername;
        if (p) {
            p += 8;
            while (*p > 32)
                *q++ = *p++;
        }
        *q = 0;

Impact: Anyone using ab to connect to a malicious server may be vulnerable
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13

2. Race condition in support/htpasswd.c:main()

    tempfilename = tmpnam(tname_buf);
    ftemp = fopen(tempfilename, "w+");
    ...
    copy_file(ftemp, fpw);

Impact: any local user can read, modify contents of Apache password file, if she exploits this bug when an administrator runs htpasswd
Not fixed in 1.3.27

3. Race condition in support/htdigest.c:main()

    tn = tmpnam(NULL);
    if (!(tfp = fopen(tn, "w")))
        ...
    ...
    sprintf(command, "cp %s %s", tn, argv[1]);
    system(command);

Impact: any local user can read, modify contents of Apache password file, if she exploits this bug when an administrator runs htdigest
Not fixed in 1.3.27

4. Also, totally bogus call to system() in support/htdigest.c:main() (see above)

Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27

5. Buffer overruns in support/htdigest.c:main(). There are many, but here's one:

    #define MAX_STRING_LEN 256

    int main(int argc, char *argv[])
    {
        char user[MAX_STRING_LEN];
        strcpy(user, argv[3]);

Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27

6. strncat() used incorrectly in support/ab.c:main()

    char cookie[1024];

    int main(int argc, char **argv)
    {
        while ((c = getopt(argc, argv, "..."))) {
            switch (c) {
            case 'C':
                strncat(cookie, "Cookie: ", sizeof(cookie));
                strncat(cookie, optarg, sizeof(cookie));
                strncat(cookie, "\r\n", sizeof(cookie));
                break;

Also, -A, -P, and -H are broken as well.
Impact: probably none, but ab shouldn't be called from CGI scripts, etc.
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13

Acknowledgements: This audit was aided by RATS. Thanks to the RATS authors!

SOLUTION

Upgrade to Apache 1.3.27
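Items 1, 5 and 6 of the audit are all unbounded or mis-bounded copies into fixed-size stack buffers. The following is an added example, not code from Apache or from the audit, showing bounded equivalents of the two ab.c patterns: the "Server:" header extraction from item 1, which now stops at the destination's capacity as well as at the first control/space character, and the cookie header assembly from item 6, where strncat() is given the space remaining in the buffer rather than sizeof(buffer). The function names, the buffer sizes and the sample response are assumptions made for the example.

```c
/* Added example (not from Apache or the audit): bounded string handling for
 * the two ab.c patterns flagged as items 1 and 6. */
#include <stdio.h>
#include <string.h>

#define SERVERNAME_LEN 1024   /* same size as ab.c's servername[] */
#define COOKIE_LEN 1024       /* same size as ab.c's cookie[] */

/* Item 1: copy the value of a "Server:" header out of a response into a
 * fixed-size destination. The original loop copies while *p > 32 with no
 * bound on the destination; here the copy also stops when only the NUL's
 * byte is left. Returns the number of bytes stored, or -1 if there is no
 * Server: header (dst is then an empty string). */
int extract_server_name(const char *response, char *dst, size_t dstlen)
{
    const char *p;
    size_t n = 0;

    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    p = strstr(response, "Server:");
    if (p == NULL)
        return -1;

    p += strlen("Server:");
    while (*p == ' ' || *p == '\t')          /* skip optional whitespace after the colon */
        p++;
    while ((unsigned char)*p > 32 && n + 1 < dstlen)
        dst[n++] = *p++;
    dst[n] = '\0';                            /* always NUL-terminated, even when truncated */
    return (int)n;
}

/* Item 6: strncat()'s third argument is the maximum number of bytes to
 * append, not the total buffer size, so it must be the space left after the
 * current contents and the terminator. Returns 0 on success, -1 if the
 * string would not fit (nothing is appended in that case). */
int append_bounded(char *buf, size_t buflen, const char *s)
{
    size_t used = strlen(buf);
    size_t room;

    if (used >= buflen)
        return -1;
    room = buflen - used - 1;                 /* bytes available before the NUL */
    if (strlen(s) > room)
        return -1;
    strncat(buf, s, room);
    return 0;
}

/* Build the "Cookie: <value>\r\n" line that ab assembles for -C, refusing
 * (rather than overflowing) when the value does not fit. */
int build_cookie_header(char *cookie, size_t cookielen, const char *value)
{
    if (cookielen == 0)
        return -1;
    cookie[0] = '\0';
    if (append_bounded(cookie, cookielen, "Cookie: ") < 0 ||
        append_bounded(cookie, cookielen, value) < 0 ||
        append_bounded(cookie, cookielen, "\r\n") < 0)
        return -1;
    return 0;
}

int main(void)
{
    char servername[SERVERNAME_LEN];
    char cookie[COOKIE_LEN];
    /* constructed sample response, not captured from a real server */
    const char *reply = "HTTP/1.0 200 OK\r\nServer: Apache/1.3.27\r\n\r\n";

    if (extract_server_name(reply, servername, sizeof servername) >= 0)
        printf("server: %s\n", servername);
    if (build_cookie_header(cookie, sizeof cookie, "session=abc") == 0)
        printf("header: %s", cookie);
    return 0;
}
```

The same bound-by-destination rule applies to item 5: a strcpy(user, argv[3]) into a 256-byte buffer becomes a length check against MAX_STRING_LEN before the copy, or a refusal when the argument is too long. Truncating silently is a reasonable choice for a display string such as the server name but not for a user name that is about to be written into a credential file, which is why the cookie builder above returns an error instead.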
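Items 2 and 3 share one root cause: tmpnam() only hands back a name, and the fopen() that follows can be raced by any local user who creates or symlinks that name first. The following is an added example, not code from Apache or from the audit, of the pattern that removes the window: mkstemp() creates the file itself with O_CREAT|O_EXCL and owner-only permissions, the descriptor is checked before use, and the result is rename()d over the password file instead of being copied with a shell command as in item 3/4. The function names, the temp-name suffix and the sample entry are assumptions made for the example.

```c
/* Added example (not from Apache or the audit): race-free replacement for the
 * tmpnam()/fopen()/system("cp") sequence in htpasswd.c and htdigest.c. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Create the scratch file exclusively with owner-only permissions. `path`
 * must end in "XXXXXX" and is overwritten with the generated name; returns
 * the open descriptor, or -1 on failure. */
int create_private_tempfile(char *path)
{
    mode_t old_umask = umask(077);        /* older mkstemp() implementations used mode 0666 */
    int fd = mkstemp(path);
    umask(old_umask);
    return fd;
}

/* Returns 1 if `fd` refers to a regular file with mode 0600 and a single
 * link, i.e. the file we just created and not something planted in advance. */
int is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_nlink == 1;
}

/* write() may store fewer bytes than asked; loop until everything is out. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0)
            return -1;
        buf += w;
        len -= (size_t)w;
    }
    return 0;
}

/* Write `contents` to a fresh temp file in the same directory as `target`,
 * then rename() it into place. rename() within one directory is atomic, so
 * readers see either the old or the new password file, never a partial one,
 * and no shell is involved. Returns 0 on success, -1 on failure. */
int replace_file_atomically(const char *target, const char *contents)
{
    char tmp[4096];
    int fd;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", target) >= (int)sizeof tmp)
        return -1;
    fd = create_private_tempfile(tmp);
    if (fd < 0)
        return -1;
    if (!is_private_regular_file(fd) ||
        write_all(fd, contents, strlen(contents)) != 0 ||
        fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) != 0 || rename(tmp, target) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* Read back a small file into `buf`; returns bytes read, or -1 on failure. */
int read_small_file(const char *path, char *buf, size_t buflen)
{
    FILE *fp;
    size_t n;
    if (buflen == 0)
        return -1;
    fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    n = fread(buf, 1, buflen - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return (int)n;
}

/* Returns 1 if `path` is a regular file with mode 0600. */
int path_is_private(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

int main(void)
{
    const char *target = "/tmp/example.htpasswd";                 /* assumed path */
    const char *entry = "alice:$apr1$example$placeholderhash\n";  /* constructed entry */
    char buf[256];

    if (replace_file_atomically(target, entry) != 0) {
        perror("replace_file_atomically");
        return 1;
    }
    if (read_small_file(target, buf, sizeof buf) >= 0)
        printf("%s", buf);
    unlink(target);
    return 0;
}
```

The new file ends up mode 0600; a real htpasswd replacement would fstat() the existing password file first and fchmod() the temp file to the same mode before the rename so the web server can still read it. The same approach also answers item 4: once the temp file is renamed into place there is nothing left for a system("cp ...") to do.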