[UNIX] mod_security Buffer Overflow (Server Side Include)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/29/03
To: list@securiteam.com Date: 29 Oct 2003 14:58:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
mod_security Buffer Overflow (Server Side Include)
------------------------------------------------------------------------
SUMMARY
There is an exploitable heap-based buffer overflow in mod_security
(Apache 2 version); the overflowed buffer is allocated from the request
pool with apr_palloc(). When appropriately exploited this can lead to
(under some circumstances remote) code execution on a vulnerable system
with the privileges of the Apache server user.
DETAILS
Vulnerable systems:
* mod_security version 1.7RC1
* mod_security version 1.7.1
Immune systems:
* mod_security version 1.7.2
The bug exists in sec_filter_out() function in apache2/mod_security.c:
<snip>
    if (ctx->bufused + len > ctx->buflen) {
        char *newbuffer;
        // todo: implement a smarter extension policy
        unsigned long int newsize = ctx->buflen * 2;   /* doubled regardless of len */
        sec_debug_log(r, 3, "sec_filter_out: expanding buffer to %i", newsize);
        // allocate a larger buffer
        newbuffer = apr_palloc(f->r->pool, newsize + 1);
        memcpy(newbuffer, ctx->buffer, ctx->bufused);
        // free(ctx->buffer);
        ctx->buffer = newbuffer;
        ctx->buflen = newsize;
        ctx->input_ptr = ctx->buffer + ctx->bufused;
    }
    memcpy(ctx->input_ptr, data, len);   /* overflows when len > buflen - bufused */
    ctx->input_ptr += len;
    ctx->bufused += len;
</snip>
As we can see, if ctx->buffer is too small, its size is doubled
regardless of the size of the incoming data. If the incoming chunk is
larger than (ctx->buflen*2 - ctx->bufused), the second memcpy writes past
the end of the new buffer and may overwrite whatever follows it on the
heap, including the headers of neighbouring allocations. The author assumed
that an incoming chunk is never larger than 8kB, because Apache internally
passes data along the filter chain in 4kB/8kB chunks. However, this is not
true when the data is produced by a server-side script.
This is a piece of mod_security debug log:
sec_filter_out: got 198301 bytes, bufused=0, buflen=16384
sec_filter_out: expanding buffer to 32768
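To make the arithmetic above concrete, the following added example (not mod_security's code, and not from the advisory's author) models the buffer growth of sec_filter_out() with a plain malloc() buffer in place of apr_palloc(), places the 1.7.1 policy next to a policy that keeps doubling until the chunk fits, and replays the 198301-byte chunk from the debug log into a 16384-byte buffer. The out_ctx struct, the function names and the return convention (number of bytes the copy would overrun, 0 if the chunk fits) are assumptions made for this example; the model stops short of the out-of-bounds copy instead of corrupting its own heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the fields of mod_security's output-filter context that
 * sec_filter_out() touches. Constructed for this example, not the real
 * struct. */
typedef struct {
    char *buffer;
    char *input_ptr;
    unsigned long buflen;
    unsigned long bufused;
} out_ctx;

static void ctx_init(out_ctx *ctx, unsigned long initial)
{
    ctx->buffer = malloc(initial + 1);
    ctx->input_ptr = ctx->buffer;
    ctx->buflen = initial;
    ctx->bufused = 0;
}

static void ctx_free(out_ctx *ctx)
{
    free(ctx->buffer);
    ctx->buffer = ctx->input_ptr = NULL;
}

/* Grow exactly as 1.7.1 does: double the buffer once, whatever len is.
 * Returns the number of bytes the following memcpy would write past the
 * end of the buffer (0 means the chunk fits). Unlike the real code, the
 * copy is skipped when it would overrun, so this model never corrupts
 * the heap. */
unsigned long append_vulnerable(out_ctx *ctx, const char *data,
                                unsigned long len)
{
    if (ctx->bufused + len > ctx->buflen) {
        unsigned long newsize = ctx->buflen * 2;   /* ignores len */
        char *newbuffer = malloc(newsize + 1);
        memcpy(newbuffer, ctx->buffer, ctx->bufused);
        free(ctx->buffer);
        ctx->buffer = newbuffer;
        ctx->buflen = newsize;
        ctx->input_ptr = ctx->buffer + ctx->bufused;
    }
    if (ctx->bufused + len > ctx->buflen)
        return ctx->bufused + len - ctx->buflen;   /* 1.7.1 memcpys anyway */
    memcpy(ctx->input_ptr, data, len);
    ctx->input_ptr += len;
    ctx->bufused += len;
    return 0;
}

/* Corrected policy: keep doubling until the whole chunk fits, so the copy
 * is always in bounds. Same return convention; always returns 0. */
unsigned long append_fixed(out_ctx *ctx, const char *data, unsigned long len)
{
    if (ctx->bufused + len > ctx->buflen) {
        unsigned long newsize = ctx->buflen * 2;
        while (newsize < ctx->bufused + len)
            newsize *= 2;
        char *newbuffer = malloc(newsize + 1);
        memcpy(newbuffer, ctx->buffer, ctx->bufused);
        free(ctx->buffer);
        ctx->buffer = newbuffer;
        ctx->buflen = newsize;
        ctx->input_ptr = ctx->buffer + ctx->bufused;
    }
    memcpy(ctx->input_ptr, data, len);
    ctx->input_ptr += len;
    ctx->bufused += len;
    return 0;
}

/* Replay the chunk from the advisory's debug log (constructed input:
 * 198301 bytes of 'A') into a 16384-byte buffer. Returns the overrun for
 * the chosen policy and, via *final_buflen, the buffer size afterwards. */
static unsigned long replay(unsigned long (*append)(out_ctx *, const char *,
                                                    unsigned long),
                            unsigned long *final_buflen)
{
    const unsigned long initial = 16384, chunk = 198301;
    char *data = malloc(chunk);
    out_ctx ctx;
    unsigned long overrun;

    memset(data, 'A', chunk);
    ctx_init(&ctx, initial);
    overrun = append(&ctx, data, chunk);
    if (final_buflen)
        *final_buflen = ctx.buflen;
    ctx_free(&ctx);
    free(data);
    return overrun;
}

unsigned long overrun_vulnerable(void) { return replay(append_vulnerable, NULL); }
unsigned long overrun_fixed(void) { return replay(append_fixed, NULL); }
unsigned long buflen_after_fixed(void)
{
    unsigned long b;
    replay(append_fixed, &b);
    return b;
}

int main(void)
{
    printf("1.7.1 policy: memcpy would write %lu bytes past the buffer\n",
           overrun_vulnerable());
    printf("fixed policy: overrun %lu bytes, buffer grown to %lu\n",
           overrun_fixed(), buflen_after_fixed());
    return 0;
}
```

With the 1.7.1 policy the single doubling yields a 32768-byte buffer, so 198301 - 32768 = 165533 bytes land beyond it; the corrected policy grows the buffer to 262144 bytes before copying.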
The buffer is overflowed when server side script is generating large
output, for example when writing large file to the output:
<?php
Header('Content-Type: image/jpeg');
readfile('some_large_image.jpeg');
?>
When 'some_large_image.jpeg' is fetched directly from the server (a plain
GET of the static file rather than a request for the script above), the
buffer overflow does not occur.
Therefore, to perform an attack, the attacker has to have the possibility
to upload his/her own script to the server (very common on web hosting
servers) or to use some XSS bug found on the site.
sec_filter_out() is registered as an output filter as soon as the
mod_security.so module is loaded; no other mod_security directives in
httpd.conf are needed for the vulnerable code to run.
Remedies:
Upgrade to 1.7.2, which fixes the vulnerability. If that is not possible,
turn output filtering off with "SecFilterScanOutput Off".
Vendor status:
October 24, 2003 - ivanr@webkreator.com notified, no response
October 25, 2003 - ivanr@webkreator.com notified, got response
October 28, 2003 - patched version of mod_security 1.7.2 released
October 28, 2003 - public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:ad@adsystems.com.pl> Adam
Dyg.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.