[UNIX] Apache mod_access_referer Denial of Service Issue
From: support@securiteam.com
Date: 04/20/03
From: support@securiteam.com To: list@securiteam.com Date: 20 Apr 2003 18:39:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apache mod_access_referer Denial of Service Issue
------------------------------------------------------------------------
SUMMARY
mod_access_referer <http://accessreferer.sourceforge.net/> is a module
for the Apache HTTP Server that provides access control based on
"Referer" HTTP header content. The module has been found to contain a
NULL pointer dereference vulnerability.
DETAILS
Vulnerable systems:
* mod_access_referer version 1.0.2
In the find_allowdeny() function, the Apache uri_components structure
named "uptr" is initialized by the Apache ap_parse_uri_components
function. This struct contains a pointer named "hostname" that is passed
to the is_ip() function in order to determine whether the value given in
the Referer header field is an IP address or a domain name.
The relevant code snippets are:
--- -snip snip- ---
    ap_parse_uri_components (r->pool,
                             ap_table_get (r->headers_in, "Referer"),
                             &uptr);
    if (!is_ip (uptr.hostname)) {
--- -snip snip- ---
static int
is_ip (const char *host)
{
    /* this just tests if it matches [\d.]* */
    /* XX is a better test needed? */
    while ((*host == '.') || ap_isdigit (*host))
        host++;
    return (*host == '\0');
}
--- -snip snip- ---
When the server is sent a malformed Referer header field,
ap_parse_uri_components does not set the uptr.hostname pointer. As a
result, is_ip() can be forced to read from a NULL pointer, which causes a
segmentation fault. An example Referer header field that triggers the
issue:
Referer: ://its-missing-http.com
Abuse of this NULL pointer dereference vulnerability can possibly be used
in denial of service attacks against affected systems.
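The missing check, as an added example that is not the module's code or its official fix: the Referer host is classified before anything dereferences it, so the header above yields a "no host" outcome instead of a crash. The names referer_host, is_ip_checked, classify_referer and host_kind are hypothetical, referer_host is a simplified stand-in for ap_parse_uri_components, and isdigit() replaces ap_isdigit().

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum host_kind { HOST_MISSING, HOST_IP, HOST_NAME };

/* Simplified stand-in for the URI parser (NOT Apache's code): copies the host
 * of "scheme://host[:port][/path]" into buf. Returns NULL when the header is
 * absent, has no scheme, or has no host, e.g. "://its-missing-http.com". */
static const char *referer_host(const char *referer, char *buf, size_t buflen)
{
    const char *sep, *host;
    size_t len;
    if (referer == NULL || buflen == 0)
        return NULL;
    sep = strstr(referer, "://");
    if (sep == NULL || sep == referer)      /* nothing before "://" */
        return NULL;
    host = sep + 3;
    len = strcspn(host, ":/?#");            /* host ends at port or path */
    if (len == 0 || len >= buflen)
        return NULL;
    memcpy(buf, host, len);
    buf[len] = '\0';
    return buf;
}

/* The module's [\d.]* test with the NULL check it lacks. */
static int is_ip_checked(const char *host)
{
    if (host == NULL)
        return 0;
    while (*host == '.' || isdigit((unsigned char)*host))
        host++;
    return *host == '\0';
}

/* A Referer with no usable host is its own outcome, decided before is_ip. */
static enum host_kind classify_referer(const char *referer)
{
    char buf[256];
    const char *host = referer_host(referer, buf, sizeof buf);
    if (host == NULL)
        return HOST_MISSING;
    return is_ip_checked(host) ? HOST_IP : HOST_NAME;
}

/* Exit status 0 when the advisory's header is handled without a crash. */
int main(void) { return classify_referer("://its-missing-http.com") != HOST_MISSING; }
```
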
ADDITIONAL INFORMATION
The information has been provided by zillion <mailto:zillion@safemode.org>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.