SecurityTracker.com
SecurityTracker Archives

Category:   Application (Security)  >   Mod_ssl
Vendors:   Modssl.org
Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
SecurityTracker Alert ID:  1004636
SecurityTracker URL:  http://securitytracker.com/id/1004636
CVE Reference:   CAN-2002-0653
Date:  Jun 27 2002
Impact:   Denial of service via local system, Execution of arbitrary code via local system, Modification of user information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.4.9 and prior (as stated in the report); fixed in 2.8.10
Description:   A vulnerability was reported in mod_ssl. A local user that can create '.htaccess' files may be able to cause mod_ssl to crash or execute arbitrary code on the system with the privileges of the web server.

An 'off-by-one' error exists in mod_ssl's ssl_compat_directive() function. When mod_ssl is built with backward compatibility enabled it registers an Apache extended API (EAPI) rewrite_command hook, and that hook calls ssl_compat_directive() for every line read from a configuration file, per-directory '.htaccess' files included. The function copies the directive name into a fixed 1024-byte stack buffer, but the loop bound allows all 1024 bytes to be filled before the terminating NUL is written, so a directive name of 1024 bytes or more places the NUL one byte past the end of the buffer.

A local user who can create a '.htaccess' file in a directory served by Apache can place an over-long directive line in it. The overflow is triggered when Apache reads the file, which happens whenever a request maps into that directory, regardless of whether the virtual host uses SSL. Because every Apache child parses the file, the same corruption can be reproduced in every running child rather than only in a child forked for CGI execution.

Any server with mod_ssl compiled in and the "AllowOverride" directive set to anything other than "None" for a directory writable by an untrusted local user is affected, even if no virtual host actually uses SSL. Shared-hosting configurations in which customers manage their own virtual hosts are the typical case.

mod_ssl compiled without backward compatibility is not vulnerable, but the feature is enabled by default at build time. Apache 2.0 does not ship this part of the mod_ssl source and is not affected.
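The following C program is an added illustration, not part of the SecurityTracker entry and not mod_ssl's own code. It reproduces the directive-name copy loop quoted in the source message below with the original bound beside the bound from the one-line patch, and places a marker byte just past a 1024-byte buffer to show where the terminating NUL lands for names of various lengths. The marker buffer, the constructed input line and the helper names are the example's own; in ssl_compat_directive() the byte that gets overwritten belongs to the surrounding stack frame, which is what the report means by "the stack can be smashed".

```c
/* Added example (not mod_ssl's code): the directive-name copy from
 * ssl_compat_directive() as quoted in the advisory, beside the bounded form
 * from the one-line patch, with a marker byte just past the 1024-byte buffer
 * so the off-by-one write can be observed without leaving the allocation. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CMD_LEN 1024      /* sizeof(caCmd) in ssl_engine_compat.c */
#define NUL '\0'
#define CANARY 0x7f       /* marker stored one byte past the logical buffer */

/* Copies the directive name from oline into caCmd and returns the index at
 * which the terminating NUL was written. The loop body mirrors the advisory's
 * snippet; only the bound differs between the two variants below. */
static size_t copy_name(const char *oline, char *caCmd, size_t bound,
                        const char **cpArgs)
{
    const char *cp = oline;
    size_t i;

    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < bound; )
        caCmd[i++] = *cp++;
    caCmd[i] = NUL;       /* with bound == CMD_LEN this may be caCmd[CMD_LEN] */
    *cpArgs = cp;
    return i;
}

/* Original bound (i < 1024): i can reach 1024, and the NUL is then written
 * one byte past the end of a 1024-byte caCmd. */
size_t extract_vuln(const char *oline, char *caCmd, const char **cpArgs)
{
    return copy_name(oline, caCmd, CMD_LEN, cpArgs);
}

/* Patched bound (i < sizeof(caCmd) - 1): the NUL always lands inside. */
size_t extract_fixed(const char *oline, char *caCmd, const char **cpArgs)
{
    return copy_name(oline, caCmd, CMD_LEN - 1, cpArgs);
}

/* Builds a constructed configuration line whose directive name is name_len
 * bytes of 'A' followed by " on", runs one variant over it into a buffer that
 * is one byte larger than caCmd (so the probe itself stays in bounds), and
 * returns the NUL index. area must hold CMD_LEN + 1 bytes. */
static size_t probe(int use_fixed, size_t name_len, char *area)
{
    char oline[2048];
    const char *args;

    if (name_len > sizeof(oline) - 4)
        name_len = sizeof(oline) - 4;
    memset(oline, 'A', name_len);
    strcpy(oline + name_len, " on");

    memset(area, 0, CMD_LEN + 1);
    area[CMD_LEN] = CANARY;
    return use_fixed ? extract_fixed(oline, area, &args)
                     : extract_vuln(oline, area, &args);
}

/* 1 if the byte just past the 1024-byte buffer was overwritten, else 0. */
int canary_clobbered(int use_fixed, size_t name_len)
{
    char area[CMD_LEN + 1];
    probe(use_fixed, name_len, area);
    return area[CMD_LEN] != CANARY;
}

/* Index at which the terminating NUL was written for the given name length. */
size_t nul_index(int use_fixed, size_t name_len)
{
    char area[CMD_LEN + 1];
    return probe(use_fixed, name_len, area);
}

int main(void)
{
    static const size_t lens[] = { 20, 1023, 1024, 1100 };
    size_t k;

    for (k = 0; k < sizeof(lens) / sizeof(lens[0]); k++) {
        printf("name of %4zu bytes: original bound -> NUL at %4zu, marker %s;"
               " patched bound -> NUL at %4zu, marker %s\n",
               lens[k],
               nul_index(0, lens[k]),
               canary_clobbered(0, lens[k]) ? "overwritten" : "intact",
               nul_index(1, lens[k]),
               canary_clobbered(1, lens[k]) ? "overwritten" : "intact");
    }
    return 0;
}
```

A name of exactly 1023 bytes is the last length the original bound handles correctly; at 1024 bytes the loop fills the whole buffer and the NUL goes one byte beyond it. The patched bound stops one byte early, at the cost of silently truncating any name of 1024 bytes or more and handing the remainder on as arguments.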

Impact:   A local user could cause denial of service conditions or could possibly execute arbitrary code with the privileges of the web server.
Solution:   The vendor has released a fixed version (2.8.10), available at:

http://www.modssl.org/

As a workaround until the upgrade is applied, disable per-directory configuration files by setting "AllowOverride None" throughout httpd.conf and restarting the web server. Rebuilding mod_ssl without backward compatibility also removes the affected hook.

Vendor URL:  www.modssl.org/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (Robert van der Meulen <rvdm@debian.org>)
Debian has issued a fix.
(EnGarde Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (engarde-announce-admins@guardiandigital.com)
EnGarde has released a fix.
(Sun Issues Workaround for Cobalt RaQ) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
Sun has issued a workaround for Cobalt RaQ.
(Red Hat Issues Fix) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has issued a fix.
(HP Issues Fix for HP Secure OS for Linux) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (support_feedback@us-support-mail.external.hp.com (IT Resource Center ))
HP has released a fix for HP Secure OS for Linux.
(NetScreen Issues Fix for Global PRO Policy Manager) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
NetScreen has issued a patch for their Global PRO and PRO Express Policy Manager Server.
(SuSE Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (Roman Drahtmueller <draht@suse.de>)
SuSE has released a fix.
(Apple Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (Product Security <product-security@apple.com>)
Apple has released a fix.
(Mandrake Issues Fix) Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
(HP Issues Fix for Virtualvault) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
HP has issued a fix for HP-UX Virtualvault.
(Sun Issues Fix for Cobalt RaQ) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
Sun has issued a fix for mod_ssl on Sun Cobalt RaQ devices.
(Sun Issues Fix for Cobalt Qube) Re: Apache mod_ssl 'Off-by-One' Bug May Let Local Users Crash the Web Server or Possibly Execute Arbitrary Code
Sun has issued a fix for the Cobalt Qube device.



 Source Message Contents

Date:  Mon, 24 Jun 2002 22:46:47 +0159
Subject:  Apache mod_ssl off-by-one vulnerability



Product: mod_ssl - http://www.modssl.org/
Date: 06/24/2002
Summary: Off-by-one in mod_ssl 2.4.9 and earlier
By: Frank Denis - j@pureftpd.org



    ---------------------------------------------------------------------
                                 DESCRIPTION
    ---------------------------------------------------------------------
    
This module provides strong cryptography for the Apache 1.3 webserver via the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols by the help of the Open Source SSL/TLS toolkit OpenSSL, which is
based on SSLeay from Eric A. Young and Tim J. Hudson.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall and was
originally derived from software developed by Ben Laurie for use in the
Apache-SSL HTTP server project. The mod_ssl package is licensed under a
BSD-style license, which basically means that you are free to get and use it
for commercial and non-commercial purposes.



    ---------------------------------------------------------------------
                                VULNERABILITY
    ---------------------------------------------------------------------
    
The Apache web server provides an extended API (EAPI) to easily extend the
server with third-party modules, through various hooks called as needed. One
of these hooks, rewrite_command, is called right after a configuration
directive line was read and before it is processed.

mod_ssl registers such a rewrite_command hook when backward compatibility is
enabled. The ssl_compat_directive() is called for every line read in a
configuration file.

However, this function contains an off-by-one error in this code snippet:

  ...
  char *cp;
  char caCmd[1024];
  char *cpArgs;
  ...
  cp = (char *)oline;
  for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
                                                         ^^^^^^^^
    caCmd[i++] = *cp++;
  caCmd[i] = NUL;
  cpArgs = cp;
  ...

oline is a pointer to a line being parsed, whose content can be
arbitrarily long, and controlled by untrusted users through ".htaccess" files.



    ---------------------------------------------------------------------
                                   IMPACT
    ---------------------------------------------------------------------
    
Apart from global configuration files, Apache allows per-directory
configuration files. Therefore, the bug can be triggered by any regular user
through specially crafted ".htaccess" files.

The stack can be smashed. Alexander Yurchenko <grange@rt.mipt.ru> wrote a
proof of concept exploit for OpenBSD to demonstrate that arbitrary code could
be executed through ".htaccess" files.

As noticed by Michal Zalewski <lcamtuf@coredump.cx>, you can cause an
overflow in every child running to force all of them to do what you want. This
is way more dangerous than children forked for CGI execution.

Possible implications include denial of service (by sending STOP signals to
every child), adding fake entries to every log file (not only those from the
virtualhost the .htaccess lies in), running arbitrary commands as the web
server user regardless of ExecCGI and suexec settings and spoofing replies.



    ---------------------------------------------------------------------
                             VULNERABLE SYSTEMS
    ---------------------------------------------------------------------
    
Any system running the Apache web server with mod_ssl compiled in, and the
"AllowOverride" directive not set to "None" for virtual hosts may be
vulnerable if virtual hosts are managed by untrusted users.

Systems may be vulnerable even if no virtual host actually uses SSL features,
as long as mod_ssl is compiled in.

Apache 2.0 doesn't seem to ship this part of the mod_ssl source code and it
is therefore not vulnerable.

mod_ssl compiled without backward compatibility is not vulnerable. However,
this feature is enabled by default.



    ---------------------------------------------------------------------
                                 WORKAROUND
    ---------------------------------------------------------------------
    
Disallow per-directory configuration files by only having 
"AllowOverride None" directives in your httpd.conf file, and restart the web
server.



    ---------------------------------------------------------------------
                                    FIXES
    ---------------------------------------------------------------------
    
The mod_ssl development team was very reactive and a new version has just
been released. mod_ssl 2.8.10 addresses the vulnerability and it is
freely available from http://www.modssl.org/ . Upgrading from an earlier
release is painless.

The bug has also been fixed in OpenBSD-current, thanks to fgsch.

The following oneliner patch also addresses the problem :

--- pkg.sslmod/ssl_engine_compat.c.orig	Sat Feb 23 19:45:23 2002
+++ pkg.sslmod/ssl_engine_compat.c	Mon Jun 24 20:43:17 2002
@@ -309,7 +309,7 @@
      * Extract directive name
      */
     cp = (char *)oline;
-    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
+    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < sizeof(caCmd) - 1; )
         caCmd[i++] = *cp++;
     caCmd[i] = NUL;
     cpArgs = cp;
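Review bot: the new bound `i < sizeof(caCmd) - 1` leaves one byte for the NUL written at `caCmd[i]`, which closes the overflow, but a directive name of 1024 or more bytes is now truncated silently and `cpArgs = cp` then points into the middle of the name, so its tail is passed on as the directive's arguments; consider returning an error for an over-long name instead of truncating it, and `i` should be a `size_t` (or the comparison cast) to avoid a signed/unsigned comparison against `sizeof`.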

Best regards,

     -Frank.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/

 
 



Copyright 2013, SecurityGlobal.net LLC