[UNIX] Apache's mod_bf Vulnerable to a Buffer Overflow and DoS

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 25 Dec 2001 22:08:37 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Apache's mod_bf Vulnerable to a Buffer Overflow and DoS


mod_bf (<http://sourceforge.net/projects/modbf/>) is a brainf*ck
interpreter that interprets .bf files on Apache web server machines
(brainf*ck is a very simple, low-level language that allows the creation
of fast-running code snippets). A security vulnerability in the product
allows remote attackers to execute arbitrary commands by overflowing an
internal


Vulnerable systems:
mod_bf version 0.1 under FreeBSD ports
mod_bf version 0.2

Relevant code fragment from mod_bf.c (parts elided by the advisory are
marked in comments; the bodies of the '+', '-', '>' and '<' cases are
filled in from the description that follows the fragment):
  /* Apache 1.3 headers, elided in the advisory: request_rec, ap_rprintf,
     ap_rputc, ap_rflush, ap_reset_timeout, CR, CRLF, OK */
  #include "httpd.h"
  #include "http_protocol.h"
  #include "http_main.h"

  #define ARR_SIZE 100

  static char a[ARR_SIZE];     /* the interpreter's "tape": 100 bytes */
  static int p;                /* index into a[]; never bounds-checked */
  static request_rec *req;     /* request used by interpret(); set in bf_handler */

  static void interpret(char *c);

  static int bf_handler(request_rec *r)
  {
      char *c;                 /* text of the requested .bf file; reading elided */

      req = r;
      memset (a, 0, ARR_SIZE);
      p = 0;

      /* ... file open/read and response header setup elided ... */

      if (!r->header_only)
        interpret (c);

      return OK;               /* assumed; elided in the advisory */
  }

  static void interpret(char *c)
  {
      int b;
      char *d;
      for (; *c; c++) {
        switch (*c) {
        case DEBUG_PR:         /* debug-dump command, defined elsewhere in mod_bf.c */
          for (b = 0; b < 10; b++)
            ap_rprintf (req, "a[%d]: %d" CRLF, b, a[b]);
          ap_rprintf (req, "a[p]: %d p: %d" CRLF, a[p], p);
          ap_rflush (req);
          ap_reset_timeout (req);
          break;
        case '+':
          a[p]++;              /* no check that 0 <= p < ARR_SIZE */
          break;
        case '-':
          a[p]--;
          break;
        case '>':
          p++;                 /* p may grow past ARR_SIZE - 1 */
          break;
        case '<':
          p--;                 /* p may go negative */
          break;
        case '.':
          if (ap_rputc (a[p], req) == EOF)   /* sends whatever byte a[p] addresses */
            return;            /* branch body elided in the advisory; assumed to abort */
          ap_rflush (req);
          ap_reset_timeout (req);
          break;
        case ',':
          if ((a[p] = *req->args) == EOF || a[p] == CR)
            a[p] = 0;
          ap_reset_timeout (req);
          break;
        case '[':
          /* the idea of the following is borrowed from bfi */
          d = ++c;
          for (b = 1; b && *c; c++)
            b += (*c == '[' ? 1 : (*c == ']' ? -1 : 0));
          if (!b) {
            *--c = 0;
            while (a[p])
              interpret (d);
            *c = ']';
          }
          break;
        }
      }
  }

a[] is an array of 100 bytes. p is an integer index into that array: it is
increased with '>' and decreased with '<', and the byte addressed by a[p]
can be modified with '+' or '-'.

An attacker can write a program that increases p until p >= 100, or
decreases it until p becomes negative, and can then set the location
addressed by a[p] to an arbitrary value (by only using the '+' or '-'

Further, an attacker can dump sensitive memory by using the '.' command:
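For contrast with the unchecked p++ / p-- in the fragment above, the following is an added example written for this write-up, not mod_bf's code: a stand-alone brainf*ck interpreter core that rejects any '>' or '<' that would move the index off the 100-byte tape, so '+', '-' and '.' can only ever touch tape bytes. The function names (bf_run, bf_status_of, bf_output_equals, bf_walk_right_status), the step budget that stops a loop that never terminates, the output-to-buffer design and the sample programs are all assumptions of this example and do not come from the advisory.

```c
/* Added example, not mod_bf's code: bounds-checked brainf*ck core.
 * Assumed names: bf_run(), bf_status_of(), bf_output_equals(),
 * bf_walk_right_status(); the step budget is an addition as well. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARR_SIZE 100            /* same tape size as mod_bf */

enum bf_status {
    BF_OK = 0,
    BF_ERR_TAPE_BOUNDS,         /* '>' or '<' would leave a[0..ARR_SIZE-1] */
    BF_ERR_UNBALANCED,          /* '[' or ']' without a partner */
    BF_ERR_STEP_LIMIT,          /* step budget exhausted (loop never ends) */
    BF_ERR_OUTPUT_FULL          /* caller's output buffer is full */
};

/* Interpret prog on a tape of ARR_SIZE bytes.  ',' consumes input one byte
 * at a time (0 once exhausted); '.' appends a[p] to out.  Every command
 * costs one step and the run aborts once step_limit is exceeded. */
enum bf_status bf_run(const char *prog, const char *input, char *out,
                      size_t out_cap, unsigned long step_limit, size_t *out_len)
{
    unsigned char a[ARR_SIZE];
    size_t p = 0, pc = 0, n = strlen(prog), olen = 0;
    unsigned long steps = 0;
    int depth;

    memset(a, 0, sizeof a);
    *out_len = 0;
    for (; pc < n; pc++) {
        if (++steps > step_limit)
            return BF_ERR_STEP_LIMIT;
        switch (prog[pc]) {
        case '+': a[p]++; break;            /* p is always in range here */
        case '-': a[p]--; break;
        case '>':
            if (p + 1 >= ARR_SIZE)          /* mod_bf: p++ with no check */
                return BF_ERR_TAPE_BOUNDS;
            p++;
            break;
        case '<':
            if (p == 0)                     /* mod_bf: p-- could go negative */
                return BF_ERR_TAPE_BOUNDS;
            p--;
            break;
        case '.':
            if (olen >= out_cap)
                return BF_ERR_OUTPUT_FULL;
            out[olen++] = (char)a[p];       /* only tape bytes can be emitted */
            break;
        case ',':
            a[p] = *input ? (unsigned char)*input++ : 0;
            break;
        case '[':                           /* skip the loop body if a[p] == 0 */
            if (a[p] == 0)
                for (depth = 1; depth; ) {
                    if (++pc >= n) return BF_ERR_UNBALANCED;
                    if (prog[pc] == '[') depth++;
                    else if (prog[pc] == ']') depth--;
                }
            break;
        case ']':                           /* jump back to '[' if a[p] != 0 */
            if (a[p] != 0)
                for (depth = 1; depth; ) {
                    if (pc == 0) return BF_ERR_UNBALANCED;
                    pc--;
                    if (prog[pc] == ']') depth++;
                    else if (prog[pc] == '[') depth--;
                }
            break;
        default: break;                     /* any other byte is a comment */
        }
    }
    *out_len = olen;
    return BF_OK;
}

/* Status of running prog with the given input and a 10000-step budget. */
int bf_status_of(const char *prog, const char *input)
{
    char out[64]; size_t len;
    return bf_run(prog, input, out, sizeof out, 10000UL, &len);
}

/* 1 if prog completes and its output is exactly expected, else 0. */
int bf_output_equals(const char *prog, const char *input, const char *expected)
{
    char out[64]; size_t len;
    if (bf_run(prog, input, out, sizeof out, 10000UL, &len) != BF_OK)
        return 0;
    return len == strlen(expected) && memcmp(out, expected, len) == 0;
}

/* Status of a program made of n '>' commands (0 <= n <= ARR_SIZE). */
int bf_walk_right_status(int n)
{
    char prog[ARR_SIZE + 1];
    if (n < 0 || n > ARR_SIZE) return -1;
    memset(prog, '>', (size_t)n);
    prog[n] = '\0';
    return bf_status_of(prog, "");
}

int main(void)
{   /* constructed sample programs */
    printf("prints 'A' (8*8+1): %d\n", bf_output_equals("++++++++[>++++++++<-]>+.", "", "A"));
    printf("100 x '>': %d, '<' at p=0: %d (expect %d)\n", bf_walk_right_status(100),
           bf_status_of("<", ""), BF_ERR_TAPE_BOUNDS);
    printf("'+[]': %d (expect %d)\n", bf_status_of("+[]", ""), BF_ERR_STEP_LIMIT);
    return 0;
}
```

In mod_bf the same two checks belong in the '>' and '<' cases of interpret(); because its p is a signed int, the '<' side must also refuse p < 0 rather than rely on an unsigned index. The step budget is independent of the overflow and exists so that a .bf file consisting of a loop that never terminates cannot tie up an Apache child indefinitely.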

DoS example:
$ cat > ~GOBBLES/public_html/bad.bf


The information has been provided by Gobbles.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.