[Full-Disclosure] Buffer overflow in apache mod_proxy, yet still apache much better than windows
Mark J Cox
mjc at apache.org
Thu Jun 10 16:46:45 BST 2004
We have assigned CAN-2004-0492 to this issue.
The flaw affects Apache httpd 1.3.26 to 1.3.31 inclusive that have
mod_proxy enabled and configured. Apache httpd 2.0 is unaffected.
The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative) Content-Length. This results in a memcpy to the heap with a
large length value, which will in most cases cause the Apache child to
crash. This does not represent a significant Denial of Service attack as
requests will continue to be handled by other Apache child processes.
In order to exploit this issue an attacker would need to get an Apache
installation that was configured as a proxy or used the ProxyPass
functionality to connect to a malicious server.
For the majority of platforms we do not believe that this issue can lead
to arbitrary code execution. However we do believe it is exploitable for
arbitrary code execution in the following cases:
1. On older OpenBSD/FreeBSD distributions it will be easily exploitable
because of the internal implementation of memcpy which rereads its length
from the stack.
2. On newer BSD distributions it may be exploitable because the
implementation of memcpy will write three arbitrary bytes to an attacker
3. It may be exploitable on any platform if the optional (and not default)
AP_ENABLE_EXCEPTION_HOOK define is enabled. This is used for example by
the experimental "mod_whatkilledus" module.
An official patch to correct this issue is available. See:
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor
Full-Disclosure is hosted and sponsored by Secunia.
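As an added illustration of the bug class described in the advisory (constructed example, not Apache's mod_proxy code): a Content-Length value parsed with atol() into a signed long becomes a huge size_t when handed to memcpy, shown beside a hardened parser that rejects negative, malformed and oversized values before any copy. MAX_BODY and all function names here are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the bug class, not Apache's mod_proxy code: the
 * upstream Content-Length value is parsed as a signed long and then used
 * directly as a memcpy length. */
#define MAX_BODY (1UL << 20)   /* assumed policy cap on buffered body size */
/* Vulnerable pattern: the length that would reach memcpy; "-1" becomes SIZE_MAX. */
size_t vulnerable_copy_len(const char *content_length)
{
    long len = atol(content_length);   /* no error checking, sign allowed */
    return (size_t)len;                /* negative -> huge unsigned value */
}

/* Hardened parse: only an unsigned decimal digit string is accepted.
 * strtoul() tolerates leading whitespace and a '-' sign (silently negated),
 * so the first character is checked by hand.
 * Returns 0 and fills *out on success, -1 on any rejection. */
int parse_content_length(const char *s, size_t max_body, size_t *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;                     /* empty, signed, or non-numeric */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                     /* overflow or trailing junk */
    if (v > max_body)
        return -1;                     /* exceeds what we will buffer */
    *out = (size_t)v;
    return 0;
}

/* Convenience wrapper: parsed length, or -1 if the header was rejected. */
long long checked_copy_len(const char *content_length)
{
    size_t n;
    if (parse_content_length(content_length, MAX_BODY, &n) != 0)
        return -1;
    return (long long)n;
}

int main(void)
{
    printf("vulnerable: %zu\n", vulnerable_copy_len("-1")); /* huge on LP64 */
    printf("hardened:   %lld\n", checked_copy_len("-1"));   /* -1: rejected */
    return 0;
}
```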