[VulnWatch] Apache mod_access_referer denial of service issue

From: zillion (zillion@safemode.org)
Date: 04/16/03

    Date: Wed, 16 Apr 2003 23:14:33 +0200
    From: zillion <zillion@safemode.org>
    To: vulnwatch@vulnwatch.org
    
    
    

    ==================================================================
          Safemode.org security advisory: mod_access_referer
    ==================================================================

    Subject:
    ========

    Apache module mod_access_referer 1.0.2 contains a NULL pointer
    dereference vulnerability.

    Problem description:
    ====================

    In the find_allowdeny() function, the Apache uri_components structure
    named "uptr" is initialized by the Apache ap_parse_uri_components
    function. This struct contains a pointer named "hostname" that is
    passed to the is_ip() function in order to determine whether the
    value given in the Referer header field is an IP address or a domain
    name.

    The relevant code snippets are:

             --- -snip snip- ---

             ap_parse_uri_components (r->pool,
                                      ap_table_get (r->headers_in,
                                                    "Referer"),
                                      &uptr);

             if (!is_ip (uptr.hostname)) {

             --- -snip snip- ---

    static int
    is_ip (const char *host)
    {
            /* this just tests if it matches [\d.]* */
            /* XX is a better test needed? */
            while ((*host == '.') || ap_isdigit (*host))
                    host++;
                    
            return (*host == '\0');
    }

             --- -snip snip- ---

    When the server is sent a malformed Referer header field,
    ap_parse_uri_components will not initialize the uptr.hostname
    pointer. As a result, is_ip() can be forced to read from a NULL
    pointer, which causes a segmentation fault. An example Referer
    header field that triggers the issue:

    Referer: ://its-missing-http.com

    Abuse of this NULL pointer dereference vulnerability can possibly
    be used in denial of service attacks against affected systems.

    How to counter the issue:
    =========================

    New, unofficial, fixed RPM files can be found here:
    ftp://ftp.pld.org.pl/dists/ra/test/

    A simple patch is available here:
    http://sourceforge.net/projects/accessreferer/

    --
    Greets to 0dd, SNO and all @defaced.be
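
Added example, not part of the original advisory and not the project's patch: a self-contained C sketch of the NULL check that the problem description shows is missing before is_ip() runs. The names `uri_parts`, `parse_referer`, `classify_host` and `referer_host_kind` are hypothetical, and `parse_referer` is a simplified stand-in that models only the behaviour described above (no hostname for a Referer without a scheme).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum host_kind { HOST_NONE, HOST_NAME, HOST_IP };

/* Stand-in for the uri_components field the advisory discusses (assumed layout). */
struct uri_parts { char buf[256]; const char *hostname; };

/* Simplified stand-in for ap_parse_uri_components, NOT Apache's parser:
 * hostname is set only for "scheme://host...", otherwise it stays NULL. */
static void parse_referer(const char *referer, struct uri_parts *u)
{
    const char *sep;
    size_t n;

    u->hostname = NULL;
    if (referer == NULL)                   /* header absent */
        return;
    sep = strstr(referer, "://");
    if (sep == NULL || sep == referer)     /* no scheme, e.g. "://host" */
        return;
    sep += 3;
    n = strcspn(sep, ":/?#");              /* host ends at port, path or query */
    if (n == 0 || n >= sizeof u->buf)
        return;
    memcpy(u->buf, sep, n);
    u->buf[n] = '\0';
    u->hostname = u->buf;
}

/* Same [\d.]* test as is_ip(), but a NULL host is reported, not dereferenced. */
static enum host_kind classify_host(const char *host)
{
    if (host == NULL)
        return HOST_NONE;
    while (*host == '.' || isdigit((unsigned char)*host))
        host++;
    return *host == '\0' ? HOST_IP : HOST_NAME;
}

/* Parse a Referer value, then classify its host. */
static enum host_kind referer_host_kind(const char *referer)
{
    struct uri_parts u;
    parse_referer(referer, &u);
    return classify_host(u.hostname);
}
```

A caller can treat HOST_NONE the same way it treats a request with no usable Referer, so the access decision is made by policy rather than by a crash.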
    
    


