SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  Apache Vendors:  Apache Software Foundation
Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1011303
SecurityTracker URL:  http://securitytracker.com/id?1011303
CVE Reference:  CVE-2004-0747   (Links to External Site)
Updated:  Apr 30 2009
Original Entry Date:  Sep 16 2004
Impact:  Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 2.0.51
Description:  A vulnerability was reported in Apache in the processing of configuration and access control files. A local user may be able to execute arbitrary code.

The Swedish IT Incident Centre (SITIC) reported that a local user can create a specially crafted '.htaccess' or 'httpd.conf' file to trigger a buffer overflow in Apache. The overflow occurs in the expansion of environment variables contained in the files. The overflow resides in the ap_resolve_env() function in 'server/util.c'.

A local user with the ability to create a malicious '.htaccess' file may be able to gain elevated privileges on the target system.

Ulf Harnhammar is credited with discovering this flaw.
Impact:  A local user may be able to gain the privileges of the web server process.
Solution:  The vendor has issued a fixed version (2.0.51), available at:

http://httpd.apache.org/download.cgi?update=200409150645
Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  jonas.thambert@pts.se
Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 16 2004 (Red Hat Issues Fix for RHEL) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Oct 14 2004 (HP Issues Fix for CSWS) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges
HP has issued fixes for the Compaq Secure Web Server (CSWS).
Oct 15 2004 (Fedora Issues Fix) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges   (Marc Deslauriers <marcdeslauriers@videotron.ca>)
Fedora has released a fix for Red Hat Linux 9 and Fedora Core 1.
Oct 27 2004 (HP Issues Fix for HP-UX) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges
HP has issued a fixed version for HP-UX.
Oct 29 2004 (HP Issues Fix for CSWS) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges
HP has issued an interim fix for the (Compaq) Secure Web Server.
Dec 2 2004 (Apple Issues Fix for OS X) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges
Apple has issued a fix for Apache on Mac OS X.
Apr 30 2009 (CA Issues Fix for CA ARCserve Backup) Apache ap_resolve_env() Buffer Overflow in Reading Configuration Files May Let Local Users Gain Elevated Privileges   ("Williams, James K" <James.Williams@ca.com>)
CA has issued a fix for CA ARCserve Backup on UNIX-based systems.


 Source Message Contents
Date:  Wed, 15 Sep 2004 15:20:32 +0200
From:  jonas.thambert@pts.se
Subject:  SA04-002 - Apache config file env variable buffer overflow

 

* SITIC Vulnerability Advisory *

           Advisory Name: Apache config file env variable buffer overflow
      Advisory Reference: SA04-002
 Date of initial release: 2004-09-15
                 Product: Apache 2.0.x
                Platform: Linux, BSD systems, Unix, Windows
                  Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747


Overview:

Apache suffers from a buffer overflow when expanding environment variables
in configuration files such as .htaccess and httpd.conf. In a setup typical
of ISPs, for instance, users are allowed to configure their own public_html
directories with .htaccess files, leading to possible privilege escalation.


Details:

The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess
or httpd.conf files. The function ap_resolve_env() in server/util.c copies
data from environment variables to the character array tmp with strcat(3),
leading to a buffer overflow.

HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.


Mitigating factors:

Exploitation requires manual installation of malicious .htaccess files by
someone with normal user rights.


Affected versions:

  o  Apache 2.0.50
  o  many other 2.0.x versions


Recommendations:

  o  A fix for this issue is incorporated into Apache 2.0.51
  o  For Apache 2.0.*: The Apache Software Foundation has published a patch
     which is the official fix for this issue.


Patch information:

  o  The Apache 2.0.51 release is available from the following source:
     http://httpd.apache.org/
  o  For Apache 2.0.*, the patch is available from the following source:
     http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/


Acknowledgments:


This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT 
Incident Centre.


Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se


Revision history:

Initial release 2004-09-15


About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency
has the task to support society in working with protection against IT
incidents. SITIC facilitates exchange of information regarding IT incidents
between organisations in society, and disseminates information about new
problems which potentially may impede the functionality of IT systems. In
addition, SITIC provides information and advice regarding proactive measures
and compiles and publishes statistics.


Disclaimer:

The decision to follow or act on information or advice contained in this
Vulnerability Advisory is the responsibility of each user or organisation.
SITIC accepts no responsibility for any errors or omissions contained within
this Vulnerability Advisory, nor for any consequences which may arise from
following or acting on information or advice contained herein.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC