From: Mark J Cox
To: dev@httpd.apache.org
Date: Thu, 10 Jun 2004 14:08:51 +0100 (BST)
Subject: CAN-2004-0492 mod_proxy security issue
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm

A security issue has been reported in mod_proxy. See
http://www.guninski.com/modproxy1.html

The flaw affects Apache httpd 1.3.25 to 1.3.31 that have mod_proxy enabled
and configured. Apache httpd 2.0 is unaffected.
The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid (negative)
Content-Length. This results in a memcpy to the heap with a large length
value, which will in most cases cause the Apache child to crash. This does
not represent a significant Denial of Service attack as requests will
continue to be handled by other Apache child processes.

Under some circumstances it may be possible to exploit this issue to cause
arbitrary code execution. However an attacker would need to get an Apache
installation that was configured as a proxy to connect to a malicious site.

1. On older OpenBSD/FreeBSD distributions it is easily exploitable because
   of the internal implementation of memcpy which rereads its length from
   the stack.

2. On newer BSD distributions it may be exploitable because the
   implementation of memcpy will write three arbitrary bytes to an
   attacker-controlled location.

3. It may be exploitable on any platform if the optional (and not default)
   define AP_ENABLE_EXCEPTION_HOOK is enabled. This is used for example by
   the experimental mod_whatkilledus module.

In all other circumstances this issue looks to be unexploitable other than
to crash the Apache child that is processing the proxy request.

A patch to correct this issue is attached.

Note that the reporter of this issue contacted security@apache.org on June
8th but was unwilling to keep the issue private until the investigation was
completed or a new Apache release was available. He published his advisory
on June 10th.

Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group .....
Apache Week editor

[Attachment: CAN-2004-0492.patch (text/plain)]

Index: src/CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1942
diff -u -p -u -r1.1942 CHANGES
--- src/CHANGES	2 Jun 2004 22:49:03 -0000	1.1942
+++ src/CHANGES	9 Jun 2004 15:58:44 -0000
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.32
 
+  *) SECURITY: CAN-2004-0492 (cve.mitre.org)
+     Reject responses from a remote server if sent an invalid (negative) 
+     Content-Length.  [Mark Cox]
+
   *) Fix a bunch of cases where the return code of the regex compiler
      was not checked properly. This affects mod_usertrack and
      core. PR 28218.  [André Malo]
Index: src/modules/proxy/proxy_http.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
retrieving revision 1.106
diff -u -p -u -r1.106 proxy_http.c
--- src/modules/proxy/proxy_http.c	29 Mar 2004 17:47:15 -0000	1.106
+++ src/modules/proxy/proxy_http.c	8 Jun 2004 14:23:05 -0000
@@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r
         content_length = ap_table_get(resp_hdrs, "Content-Length");
         if (content_length != NULL) {
             c->len = ap_strtol(content_length, NULL, 10);
+
+	    if (c->len < 0) {
+		ap_kill_timeout(r);
+		return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+				     "Invalid Content-Length from remote server",
+                                      NULL));
+	    }
         }
 
     }
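Review bot: the second added line of the CHANGES entry, `+     Reject responses from a remote server if sent an invalid (negative) `, ends in a trailing space; trim it before commit. The entry otherwise follows the file's existing `*) SECURITY: ... [Name]` format.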
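Review bot: the `if (c->len < 0)` guard in the proxy_http.c hunk catches only a leading minus sign. Because `ap_strtol(content_length, NULL, 10)` passes NULL as the end pointer, `Content-Length: abc` parses as 0 and `Content-Length: 123xyz` as 123, and if ap_strtol keeps strtol's overflow behaviour a value above LONG_MAX is clamped to LONG_MAX and passes the check unchanged. Suggest parsing with an end pointer and rejecting when `*end != '\0'` or the result was clamped, and capping the accepted length at a maximum the proxy can actually buffer, so the response is refused for any unusable length rather than only negative ones. Minor: `ap_pstrcat(r->pool, "Invalid Content-Length from remote server", NULL)` concatenates a single literal; passing the literal to ap_proxyerror directly avoids the pool allocation.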
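The parsing problem the advisory describes, a negative Content-Length accepted by a bare strtol call and later used as a memcpy length, and the strict check that closes it, as an added example in C that is not part of Mark Cox's message or of the Apache source. It goes beyond the patch's negative-value test: trailing garbage, overflow and values above a ceiling are rejected too, and the header is pulled out of a raw response by a small case-insensitive header scanner. BAD_RESPONSE, MAX_BODY_LEN, get_header, parse_len_strict, strict_len_or_reject and proxy_check_response are names and values constructed for this example.

```c
/* Added example, not Apache code: how a negative upstream Content-Length
 * becomes an enormous memcpy length, and a strict parser that rejects such
 * a header the way the advisory's fix does (502 for the upstream response).
 * The response text and MAX_BODY_LEN are constructed assumptions. */
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BODY_LEN (1L << 30)   /* assumed per-response ceiling */

/* Constructed upstream response, not captured from any real server. */
static const char BAD_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: -1\r\n"
    "\r\n"
    "body";

/* Pre-patch style: strtol with no end pointer and no sign or range check. */
static long parse_len_unchecked(const char *v)
{
    return strtol(v, NULL, 10);
}

/* The negative long cast to memcpy's size_t is SIZE_MAX: the copy runs past any heap buffer. */
static size_t as_copy_length(long len)
{
    return (size_t)len;
}

/* Strict parser: ASCII digits only, no sign, no whitespace, no trailing
 * bytes, no overflow, and a ceiling. Returns 0 on success, -1 to reject. */
static int parse_len_strict(const char *v, long max_len, long *out)
{
    long val = 0;
    if (v == NULL || *v == '\0') return -1;
    for (const char *p = v; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        int d = *p - '0';
        if (val > (LONG_MAX - d) / 10)      /* next digit would overflow */
            return -1;
        val = val * 10 + d;
    }
    if (val > max_len)
        return -1;
    *out = val;
    return 0;
}

/* Validated value, or -1 when rejected (for callers that only need a gate). */
static long strict_len_or_reject(const char *v)
{
    long n;
    return parse_len_strict(v, MAX_BODY_LEN, &n) == 0 ? n : -1;
}

/* Copy the value of header `name` (case-insensitive, matched at line start) into out.
 * Returns 1 if found, 0 if absent, -1 if found but too long for out. */
static int get_header(const char *resp, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *line = strstr(resp, "\r\n");   /* headers follow the status line */
    while (line != NULL && line[2] != '\r' && line[2] != '\0') {
        line += 2;
        const char *end = strstr(line, "\r\n");
        if (end == NULL)
            end = line + strlen(line);
        size_t i = 0;
        while (i < nlen && line + i < end &&
               tolower((unsigned char)line[i]) == tolower((unsigned char)name[i]))
            i++;
        if (i == nlen && line[i] == ':') {
            const char *v = line + nlen + 1;
            while (v < end && (*v == ' ' || *v == '\t'))
                v++;
            size_t vlen = (size_t)(end - v);
            if (vlen >= outsz)
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        line = (*end != '\0') ? end : NULL;
    }
    return 0;
}

/* The gate the patch adds, in this model: 502 (HTTP_BAD_GATEWAY) when the upstream
 * Content-Length is unusable, 200 otherwise; *len_out is -1 when no header was sent. */
static int proxy_check_response(const char *resp, long *len_out)
{
    char buf[32];
    int found = get_header(resp, "Content-Length", buf, sizeof buf);
    *len_out = -1;
    if (found == 0)
        return 200;                 /* absent: read until the upstream closes */
    if (found < 0 || parse_len_strict(buf, MAX_BODY_LEN, len_out) != 0)
        return 502;
    return 200;
}
```

Build it as a translation unit with `cc -std=c99 -Wall -c` and call proxy_check_response on a raw upstream response; a value the scanner cannot fit in its 32-byte buffer is rejected rather than silently treated as absent, because an over-long length is exactly the kind of input a proxy should not pass through.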