[NEWS] Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03

  • Next message: SecuriTeam: "[NEWS] Additional Details of Apache 2.x Security Flaw (Attack Vectors)"
    To: list@securiteam.com
    Date: 31 May 2003 10:49:22 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Apache Portable Runtime Denial of Service and Arbitrary Code Execution


    The <http://httpd.apache.org/> Apache Software Foundation's HTTP Server
    Project is an effort to develop and maintain an open-source web server for
    modern OS' including Unix and Microsoft Corp.'s Windows.

    The <http://apr.apache.org/> Apache Portable Runtime (APR) provides a
    free library of C data structures and routines, forming a system
    portability layer to as many OS' as possible.

     <http://www.webdav.org/mod_dav/> mod_dav is an open-source Apache module
    that provides Distributed Authoring and Versioning (DAV) capabilities to
    the Apache HTTP Server.

    Passing an overly long string to the apr_psprintf() APR library function
    that is used by the Apache HTTP Server could cause an application to
    reference memory that should have already been returned to the heap
    allocation pool. Arbitrary code execution remains a possibility but has
    not been substantiated at the time of publication of this report.
    Considering the strict conditions necessary for successful code execution,
    it would be feasible but difficult to develop an exploit capable of
    functioning outside of a lab environment.


    Vulnerable systems:
    Applications that rely on older versions of APR are vulnerable. A list of
    such projects is available at
    http://apr.apache.org/projects.html#open_source. Both the Windows and Unix
    implementations of Apache HTTP Server 2.0.37 through 2.0.45 inclusive are

    The remote denial of service aspect of this vulnerability can be exploited
    if a remote attacker is able to pass large strings to the vulnerable
    function, as is the case in the mod_dav attack vector, where a specially
    crafted XML object request of approximately 12250 bytes crashed HTTP
    Server running on a non-Windows OS; approximately 20000 characters crashed
    it on a Windows OS.

    The following patch should mitigate this vulnerability:

    - - --- srclib/apr/memory/unix/apr_pools.c 7 Mar 2003 12:12:43 -0000
    +++ srclib/apr/memory/unix/apr_pools.c 8 May 2003 20:11:14 -0000
    @@ -976,7 +976,7 @@

             if (ps->got_a_new_node) {
                 active->next = ps->free;
    - - - ps->free = node;
    + ps->free = active;

             ps->got_a_new_node = 1;

    Vendor response:
    Apache HTTP Server 2.0.46, which contains updates for APR, can be
    downloaded at <http://httpd.apache.org/download.cgi>

    Disclosure timeline:
    03/19/2003 Issue disclosed to iDEFENSE
    04/08/2003 iDEFENSE Labs initial research complete
    04/09/2003 security@apache.org contacted
    04/09/2003 Response from Lars Eilebrecht and Bill Rowe of Apache
    04/11/2003 Response from Ian Holsman of Apache
    05/08/2003 Response from Mark Cox of Apache
    05/08/2003 Initial Research and patch Submitted to iDEFENSE by Joe
    Orton of Apache
    05/09/2003 Apache patch verified by iDEFENSE Labs
    05/12/2003 vendor-sec list notified
    05/26/2003 iDEFENSE clients notified
    05/30/2003 Coordinated Public Disclosure


    The original advisory can be downloaded from:

    The information has been provided by <mailto:labs@idefense.com> iDEFENSE


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Additional Details of Apache 2.x Security Flaw (Attack Vectors)"

    Relevant Pages