httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark J Cox <m...@awe.com>
Subject CAN-2004-0492 mod_proxy security issue
Date Thu, 10 Jun 2004 13:08:51 GMT
A security issue has been reported in mod_proxy.  See

http://www.guninski.com/modproxy1.html

The flaw affects Apache httpd 1.3.25 to 1.3.31 that have mod_proxy enabled
and configured.  Apache httpd 2.0 is unaffected.

The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative)  Content-Length.  This results in a memcpy to the heap with a 
large length value, which will in most cases cause the Apache child to 
crash.  This does not represent a significant Denial of Service attack as 
requests will continue to be handled by other Apache child processes.

Under some circumstances it may be possible to exploit this issue to cause 
arbitrary code execution.   However an attacker would need to get an
Apache installation that was configured as a proxy to connect to
a malicious site.  

1. On older OpenBSD/FreeBSD distributions it is easily exploitable because
of the internal implementation of memcpy which rereads it's length from 
the stack.

2. On newer BSD distributions it may be exploitable because the 
implementation of memcpy will write three arbitrary bytes to an attacker 
controlled location.

3. It may be exploitable on any platform if the optional (and not default)
define AP_ENABLE_EXCEPTION_HOOK is enabled.  This is used for example by
the experimental mod_whatkilledus module.

In all other circumstances this issue looks to be unexploitable other than 
to crash the Apache child that is processing the proxy request.

A patch to correct this issue is attached.

Note that the reporter of this issue contacted security@apache.org on June
8th but was unwilling to keep the issue private until the investigation 
was completed or a new Apache release was available.  He published his 
advisory on June 10th.

Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor


Mime
View raw message