[NEWS] Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03

    To: list@securiteam.com
    Date: 31 May 2003 10:49:22 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The <http://httpd.apache.org/> Apache Software Foundation's HTTP Server
    Project is an effort to develop and maintain an open-source web server for
    modern operating systems, including Unix and Microsoft Corp.'s Windows.

    The <http://apr.apache.org/> Apache Portable Runtime (APR) provides a
    free library of C data structures and routines, forming a system
    portability layer to as many operating systems as possible.

    <http://www.webdav.org/mod_dav/> mod_dav is an open-source Apache module
    that provides Distributed Authoring and Versioning (DAV) capabilities to
    the Apache HTTP Server.

    Passing an overly long string to the apr_psprintf() APR library function
    that is used by the Apache HTTP Server could cause an application to
    reference memory that should have already been returned to the heap
    allocation pool. Arbitrary code execution remains a possibility but has
    not been substantiated at the time of publication of this report.
    Considering the strict conditions necessary for successful code execution,
    it would be feasible but difficult to develop an exploit capable of
    functioning outside of a lab environment.
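    To make the mechanism concrete, the following is an added example in C (not code from the advisory or from APR itself): a toy version of the psprintf flush step, using the node, active and free names of the patch given in the Workaround section, with a switch between the pre-2.0.46 line and the patched line. It assumes a fixed arena of four nodes in place of a real pool, and reports whether the pool's next allocation would hand back the buffer that is still being written into.

```c
#include <string.h>

/* Toy pool node with an intrusive free-list link, named after the
 * node/active/free fields in the APR patch (not APR's real structures). */
typedef struct node { struct node *next; char data[32]; } node_t;
typedef struct { node_t *active, *free; int got_a_new_node; } psprintf_state;

static node_t arena[4];    /* fixed backing store so the demo needs no malloc */
static int arena_used;

static node_t *take_node(psprintf_state *ps) {
    node_t *n = ps->free;
    if (n) ps->free = n->next;          /* prefer a retired node */
    else n = &arena[arena_used++];       /* else carve a fresh one */
    n->next = NULL;
    return n;
}

/* Flush step: the active buffer is full, so obtain a new node, copy the
 * partial output across and retire the old node. use_fix selects which node
 * is pushed on the free list: 0 = pre-2.0.46 line, 1 = the patched line. */
static void flush(psprintf_state *ps, int use_fix) {
    node_t *active = ps->active;
    node_t *node = take_node(ps);
    memcpy(node->data, active->data, sizeof node->data);
    if (ps->got_a_new_node) {
        active->next = ps->free;
        ps->free = use_fix ? active : node;   /* bug: pushes the live node */
    }
    ps->got_a_new_node = 1;
    ps->active = node;
}

/* Returns 1 if, after two flushes, the node still in use as the active
 * buffer is also the next node the pool would hand to any other caller,
 * i.e. later writes by psprintf land in memory another caller now owns. */
int next_alloc_returns_active(int use_fix) {
    psprintf_state ps = { NULL, NULL, 0 };
    memset(arena, 0, sizeof arena);
    arena_used = 0;
    ps.active = take_node(&ps);
    flush(&ps, use_fix);               /* first flush only sets got_a_new_node */
    flush(&ps, use_fix);               /* second flush runs the patched branch */
    return take_node(&ps) == ps.active;
}
```

    The vulnerable line makes the next allocation alias the live buffer; with the patched line the retired node is reused instead and the live buffer stays private.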

    DETAILS

    Vulnerable systems:
    Applications that rely on older versions of APR are vulnerable. A list of
    such projects is available at
    <http://apr.apache.org/projects.html#open_source>
    http://apr.apache.org/projects.html#open_source. Both the Windows and Unix
    implementations of Apache HTTP Server 2.0.37 through 2.0.45 inclusive are
    vulnerable.

    Analysis:
    The remote denial of service aspect of this vulnerability can be exploited
    if a remote attacker is able to pass large strings to the vulnerable
    function, as is the case in the mod_dav attack vector, where a specially
    crafted XML object request of approximately 12250 bytes crashed HTTP
    Server running on a non-Windows OS; approximately 20000 characters crashed
    it on a Windows OS.

    Workaround:
    The following patch should mitigate this vulnerability:

    - - --- srclib/apr/memory/unix/apr_pools.c 7 Mar 2003 12:12:43 -0000
      1.195
    +++ srclib/apr/memory/unix/apr_pools.c 8 May 2003 20:11:14 -0000
    @@ -976,7 +976,7 @@

             if (ps->got_a_new_node) {
                 active->next = ps->free;
    - - - ps->free = node;
    + ps->free = active;
             }

             ps->got_a_new_node = 1;
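    Review bot: the one-line change is the whole fix and is correct: `active->next = ps->free;` links the node being retired onto the free list, so the new head must be `active`; the removed `ps->free = node;` instead pushed `node`, the node just obtained to hold the continuing output, leaving the same memory both the live buffer and the next allocation the pool would hand out, which is the reference to already-returned pool memory described in the summary. Because this branch only runs once `got_a_new_node` is set, a test needs an argument long enough to force at least two flushes; a short comment above the `if` stating that `active` is the old node being retired would stop the same mix-up recurring.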

    Vendor response:
    Apache HTTP Server 2.0.46, which contains updates for APR, can be
    downloaded at <http://httpd.apache.org/download.cgi>
    http://httpd.apache.org/download.cgi.

    Disclosure timeline:
    03/19/2003 Issue disclosed to iDEFENSE
    04/08/2003 iDEFENSE Labs initial research complete
    04/09/2003 security@apache.org contacted
    04/09/2003 Response from Lars Eilebrecht and Bill Rowe of Apache
    04/11/2003 Response from Ian Holsman of Apache
    05/08/2003 Response from Mark Cox of Apache
    05/08/2003 Initial research and patch submitted to iDEFENSE by Joe Orton of Apache
    05/09/2003 Apache patch verified by iDEFENSE Labs
    05/12/2003 vendor-sec list notified
    05/26/2003 iDEFENSE clients notified
    05/30/2003 Coordinated Public Disclosure

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
     <http://www.idefense.com/advisory/05.30.03.txt>
    http://www.idefense.com/advisory/05.30.03.txt

    The information has been provided by <mailto:labs@idefense.com> iDEFENSE
    Labs.

