SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Mod_ssl Vendors:   Modssl.org
mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010717
SecurityTracker URL:  http://securitytracker.com/id/1010717
CVE Reference:   CVE-2004-0700   (Links to External Site)
Updated:  Jul 23 2004
Original Entry Date:  Jul 16 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.8.19-1.3.31
Description:   A format string vulnerability was reported in mod_ssl. In certain cases where Apache mod_proxy is also used, a remote user may be able to cause arbitrary code to be executed on the target user's system.

Ralf S. Engelschall reported that if Apache is used as a proxy and an HTTPS URL such as 'https://foo%s.example.com/' is supplied and a hostname 'foo%s' exists in the 'example.com' zone, the flaw can reportedly be triggered.

The flaw reportedly resides in an error message call in 'ssl_engine_ext.c'.

The report credits Virulent <virulent@siyahsapka.org> with reporting a similar bug (that was reportedly not exploitable) and triggering a review of the code.

Impact:   A remote user may be able to cause arbitrary code to be executed on the target system in certain cases.
Solution:   The vendor has released a fixed version (2.8.19-1.3.31), available at:

http://www.modssl.org/source/mod_ssl-2.8.19-1.3.31.tar.gz

Vendor URL:  www.modssl.org/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 23 2004 (Debian Issues Fix) mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Jul 26 2004 (Slackware Issues Fix) mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code
Slackware has released a fix.
Jul 28 2004 (Mandrake Issues Fix) mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code
Mandrake has issued a fix.
Oct 15 2004 (Fedora Issues Fix for RH Linux) mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Linux 7.3
Jan 18 2005 (VMware Issues Fix) mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code
VMware has issued a fix for VMware ESX Server.



 Source Message Contents

Subject:  mod_ssl format string


Ralf S. Engelschall reported a format string vulnerability in mod_ssl.

If Apache is used as a proxy and an HTTPS URL such as 'https://foo%s.example.com/' is 
supplied and a hostname 'foo%s' exists in the 'example.com' zone, the flaw can reportedly 
be triggered.

The report credits Virulent <virulent@siyahsapka.org> with reporting a similar bug (that 
was reportedly not exploitable) and triggering a review of the code.

Index: ssl_engine_ext.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_ext.c,v
retrieving revision 1.50
diff -u -d -r1.50 ssl_engine_ext.c
--- ssl_engine_ext.c    11 May 2004 18:44:15 -0000  1.50
+++ ssl_engine_ext.c    16 Jul 2004 07:57:33 -0000
@@ -524,7 +524,7 @@
  #endif
          errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s",
                               cpVHostID, peer, ERR_reason_error_string(ERR_get_error()));
-        ssl_log(r->server, SSL_LOG_ERROR, errmsg);
+        ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg);
          SSL_free(ssl);
          ap_ctx_set(fb->ctx, "ssl", NULL);
          return errmsg;

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC