From: Joe Orton <jorton@redhat.com>
To: dev@httpd.apache.org
Date: Thu, 3 Nov 2011 14:21:48 +0000
Subject: [me@halfdog.net: Integer Overflow in Apache ap_pregsub via mod-setenvif]
Message-ID: <20111103142148.GC4177@redhat.com>

----- Forwarded message from halfdog -----

Date: Wed, 02 Nov 2011 11:55:26 +0000
From: halfdog
To: full-disclosure@lists.grok.org.uk
CC: Joe Orton, security@httpd.apache.org
Subject: Integer Overflow in Apache ap_pregsub via mod-setenvif

An exploitable integer overflow in apache allows crashing the apache process or executing arbitrary code as the user running apache. To exploit the vulnerability, a crafted .htaccess file has to be placed on the server; therefore the vulnerability impact is rated "Low".

Micro-Advisory: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607

See the advisory for more information about the vulnerability and a (very bad) example of executing arbitrary code using racy code. It should be possible to execute code without the need for a race using crafted stop sequences, but I haven't managed to do it so far. Perhaps someone else might take up the challenge.
hd

-- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee

----- End forwarded message -----
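An added illustration of the bug class named in the forwarded advisory (this is neither httpd's ap_pregsub nor halfdog's code): a pregsub-style template expander that sums the length of "$N" back-references before allocating, shown once with an unchecked 32-bit counter and once with a headroom check before every addition. The names token_len, unchecked_len, checked_len, MAXLEN and the sample capture offsets are assumptions made for the demo; the unchecked variant uses an unsigned counter so the wraparound is well-defined here.

```c
#include <stddef.h>
#define NMATCH 10
#define MAXLEN (64L * 1024)   /* hypothetical cap on the expanded length */

/* Capture offsets as a regexec()-style matcher reports them (so == -1: unset). */
typedef struct { long so, eo; } match_t;

/* Constructed sample captures (only offsets are needed, no real subject buffer):
 * SMALL: capture 0 = 6 bytes, capture 1 = 2 bytes;  HUGE: captures 0,1 = 1 GiB. */
const match_t SMALL[NMATCH] = { {0, 6}, {1, 3} };
const match_t HUGE[NMATCH]  = { {0, 0x40000000L}, {0, 0x40000000L} };

/* Length of one template token: a literal byte, or the text matched by "$N". */
static size_t token_len(const char **pp, const match_t m[NMATCH])
{
    const char *p = *pp;
    if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
        int no = p[1] - '0';
        *pp = p + 1;                                  /* consume the digit too */
        return (m[no].so >= 0 && m[no].eo >= m[no].so)
               ? (size_t)(m[no].eo - m[no].so) : 0;
    }
    return 1;
}

/* The bug class: summing into a 32-bit counter with no check.  Unsigned here so
 * the wrap is well-defined in the demo; with a signed int it would be undefined. */
unsigned int unchecked_len(const char *tmpl, const match_t m[NMATCH])
{
    unsigned int len = 0;
    for (const char *p = tmpl; *p; p++)
        len += (unsigned int)token_len(&p, m);       /* can wrap to a tiny value */
    return len;                                       /* ...which then sizes the buffer */
}

/* Hardened form: test the headroom before each addition, so the total can
 * never exceed MAXLEN and therefore can never wrap.  Returns the length,
 * or -1 when the expansion would be too large (refuse, don't allocate short). */
long checked_len(const char *tmpl, const match_t m[NMATCH])
{
    size_t len = 0;
    for (const char *p = tmpl; *p; p++) {
        size_t add = token_len(&p, m);
        if (add > (size_t)MAXLEN - len)
            return -1;
        len += add;
    }
    return (long)len;
}
```

With the HUGE captures, four "$1" references sum to exactly 2^32 and the unchecked counter reads 0, while checked_len rejects the template on the first reference.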