SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Mod_ssl Vendors:   Modssl.org
Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010322
SecurityTracker URL:  http://securitytracker.com/id/1010322
CVE Reference:   CVE-2004-0488   (Links to External Site)
Date:  May 28 2004
Impact:   Execution of arbitrary code via network, User access via network


Description:   A buffer overflow vulnerability was reported in Apache mod_ssl. A remote user may be able to execute arbitrary code on the target system in certain situations.

Georgi Guninski reported that the ssl_util_uuencode_binary() function in 'ssl_util.c' may allow a remote user to supply a specially crafted Subject-DN in a client certificate to trigger the overflow. According to OpenPKG, the overflow resides in the "SSLOptions +FakeBasicAuth" implementation of mod_ssl and can be triggered if the Subject-DN is longer than 6 KB and mod_ssl is configured to trust the certificate's issuing CA.

Impact:   A remote user may be able to execute arbitrary code on the target system in certain cases.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.modssl.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 1 2004 (Mandrake Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Mandrake has issued a fix.
Jun 1 2004 (Mandrake Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Jun 2 2004 (Trustix Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Trustix has released a fix.
Jun 2 2004 (Mandrake Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Jun 2 2004 (Slackware Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Slackware has released a fix.
Jul 1 2004 (Vendor Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Apache has issued a fix.
Jul 6 2004 (Red Hat Issues Fix for RH Enterprise Linux) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Jul 23 2004 (Debian Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Sep 8 2004 (Apple Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Apple has released a fix for Mac OS X.
Oct 14 2004 (HP Issues Fix for CSWS) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
HP has issued fixes for the Compaq Secure Web Server (CSWS).
Oct 15 2004 (Fedora Issues Fix for RH Linux) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Linux 7.3
Oct 15 2004 (Fedora Issues Fix) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Fedora has released a fix for Red Hat Linux 9 and Fedora Core 1.
Dec 2 2004 (Apple Issues Fix for OS X) Apache mod_ssl Stack Overflow in ssl_util_uuencode_binary() May Let Remote Users Execute Arbitrary Code
Apple has issued a fix for Apache on Mac OS X.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, SecurityGlobal.net LLC