[VulnWatch] iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability

From: iDEFENSE Labs (labs_at_idefense.com)
Date: 05/30/03

    To: vulnwatch@vulnwatch.org
    Date: Fri, 30 May 2003 16:54:20 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 05.30.03:
    http://www.idefense.com/advisory/05.30.03.txt
    Apache Portable Runtime Denial of Service and Arbitrary Code
    Execution Vulnerability
    May 30, 2003

    I. BACKGROUND

    The Apache Software Foundation's HTTP Server Project is an effort to
    develop and maintain an open-source web server for modern operating
    systems, including Unix and Microsoft Corp.'s Windows. More
    information is available at http://httpd.apache.org/ .

    The Apache Portable Runtime (APR) provides a free library of C data
    structures and routines, forming a system portability layer for as
    many operating systems as possible. More information is available at
    http://apr.apache.org/ .

    mod_dav is an open-source Apache module that provides Distributed
    Authoring and Versioning (DAV) capabilities to the Apache HTTP
    Server. More information is available at
    http://www.webdav.org/mod_dav/ .

    II. DESCRIPTION

    Passing an overly long string to the APR library function
    apr_psprintf(), which is used by the Apache HTTP Server, can cause an
    application to reference memory that has already been returned to
    the heap allocation pool. Arbitrary code execution remains a
    possibility but had not been substantiated at the time of
    publication of this report. Considering the strict conditions
    necessary for successful code execution, it would be feasible but
    difficult to develop an exploit capable of functioning outside of a
    lab environment.
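Added example, not from the advisory and not APR's source: a small C model of the node bookkeeping that the one-line workaround patch in section V touches. When the buffer apr_psprintf() is formatting into fills up, a fresh node is obtained and the old one is retired onto a free list. The model keeps the three names that appear in the patch (`active`, `free`, `got_a_new_node`); the node size, the backing arena and everything else are assumptions made for this illustration. It shows why handing `node` (the replacement buffer) to the free list instead of `active` (the retired one) leads to memory that is still in use being given out again by the next allocation.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the flush path of apr_psprintf() (assumption: this is
 * an illustration, not APR's code). A "node" is a fixed-size buffer; the
 * formatter keeps the node currently receiving output ("active") and a free
 * list of retired nodes that the allocator will hand out again. */

#define ARENA_NODES 8

struct node {
    struct node *next;
    char buf[16];            /* stand-in for the node's data area */
};

struct psprintf_state {
    struct node *active;     /* node currently receiving formatted output */
    struct node *free;       /* retired nodes available for reuse */
    int got_a_new_node;      /* 0 until the first flush hands out a node we own */
    struct node arena[ARENA_NODES];
    int arena_used;
};

/* Obtain a node the way a pool allocator would: reuse the free-list head if
 * there is one, otherwise carve a fresh node from the arena. */
static struct node *node_alloc(struct psprintf_state *ps)
{
    struct node *n = ps->free;
    if (n) {
        ps->free = n->next;
    } else {
        if (ps->arena_used >= ARENA_NODES)
            return NULL;
        n = &ps->arena[ps->arena_used++];
    }
    n->next = NULL;
    return n;
}

/* One flush: `active` is full and `node` replaces it. The retired node is
 * pushed onto the free list; `fixed` selects the patched assignment
 * (ps->free = active) instead of the original one (ps->free = node). */
static int flush(struct psprintf_state *ps, int fixed)
{
    struct node *active = ps->active;
    struct node *node = node_alloc(ps);

    if (node == NULL)
        return -1;

    if (ps->got_a_new_node) {
        active->next = ps->free;
        ps->free = fixed ? active : node;   /* unpatched: the buffer we keep using is now "free" */
    }
    ps->got_a_new_node = 1;
    ps->active = node;                      /* output continues into `node` */
    return 0;
}

/* Perform `nflushes` flushes and return 1 if any flush hands back, as the new
 * active buffer, the very node that was still in use (a live node reused),
 * 0 if that never happens, -1 if the arena is exhausted. */
int flush_hands_out_live_node(int fixed, int nflushes)
{
    struct psprintf_state ps;
    memset(&ps, 0, sizeof ps);
    ps.active = node_alloc(&ps);            /* stands in for the pool's own first node */

    for (int i = 0; i < nflushes; i++) {
        struct node *in_use = ps.active;
        if (flush(&ps, fixed) != 0)
            return -1;
        if (ps.active == in_use)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("unpatched, 3 flushes: live node reused = %d\n",
           flush_hands_out_live_node(0, 3));
    printf("patched,  10 flushes: live node reused = %d\n",
           flush_hands_out_live_node(1, 10));
    return 0;
}
```

With the original assignment the third flush pops the node that is still the active buffer off the free list and makes it "new" again, so further output lands in memory the allocator also considers free; with the patched assignment the two owned nodes simply alternate and the arena never grows past three nodes. The unpatched path additionally drops the old `active` node without linking it anywhere, so it is leaked as well.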

    III. ANALYSIS

    The remote denial of service aspect of this vulnerability can be
    exploited if a remote attacker is able to pass large strings to the
    vulnerable function, as is the case in the mod_dav attack vector,
    where a specially crafted XML object request of approximately 12250
    bytes crashed the HTTP Server running on a non-Windows OS;
    approximately 20000 characters crashed it on a Windows OS.

    IV. DETECTION

    Applications that rely on older versions of APR are vulnerable. A
    list of such projects is available at
    http://apr.apache.org/projects.html#open_source . Both the Windows
    and Unix implementations of Apache HTTP Server 2.0.37 through 2.0.45
    inclusive are vulnerable.
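Added helper, not part of the advisory: a C check that reads the version string printed by `httpd -v` (e.g. "Server version: Apache/2.0.45") and reports whether the build falls in the range given above, 2.0.37 through 2.0.45 inclusive. The input format is an assumption; only the "Apache/MAJOR.MINOR.PATCH" token is examined, and anything that cannot be parsed is reported as unknown rather than as safe.

```c
#include <stdio.h>
#include <string.h>

/* Extract MAJOR.MINOR.PATCH following "Apache/". Returns 1 on success,
 * 0 if the token is absent or incomplete. */
int parse_apache_version(const char *s, int *major, int *minor, int *patch)
{
    const char *p = strstr(s, "Apache/");
    if (p == NULL)
        return 0;
    return sscanf(p + strlen("Apache/"), "%d.%d.%d", major, minor, patch) == 3;
}

/* 1 = within the affected range from the advisory (2.0.37 .. 2.0.45),
 * 0 = outside it, -1 = version not recognised (check by hand). */
int apache_in_affected_range(const char *version_line)
{
    int major, minor, patch;
    if (!parse_apache_version(version_line, &major, &minor, &patch))
        return -1;
    return (major == 2 && minor == 0 && patch >= 37 && patch <= 45) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample lines in the format `httpd -v` prints. */
    const char *samples[] = {
        "Server version: Apache/2.0.45",
        "Server version: Apache/2.0.46",
        "Server version: Apache/1.3.27 (Unix)",
        "Server version: Apache/2.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %d\n", samples[i], apache_in_affected_range(samples[i]));
    return 0;
}
```

Run it against local `httpd -v` output rather than the Server response header, which the ServerTokens directive may truncate to "Apache" with no version. The check covers only the HTTP Server builds named above; other applications linked against an older APR (see the project list linked above) need to be inventoried separately.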

    V. WORKAROUND

    The following patch should mitigate this vulnerability:

    - - --- srclib/apr/memory/unix/apr_pools.c 7 Mar 2003 12:12:43 -0000
      1.195
    +++ srclib/apr/memory/unix/apr_pools.c 8 May 2003 20:11:14 -0000
    @@ -976,7 +976,7 @@

             if (ps->got_a_new_node) {
                 active->next = ps->free;
    - - - ps->free = node;
    + ps->free = active;
             }

             ps->got_a_new_node = 1;
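    Review bot: the one-line change from `- ps->free = node;` to `+ ps->free = active;` is the right fix for the list bookkeeping in this hunk: the line just above it, `active->next = ps->free;`, links the retired `active` node in front of the current free-list head, so assigning `node` (the replacement for `active`) as the new head left `active` linked but unreachable and put `node` up for reuse by the next allocation, which matches the advisory's description of memory referenced after being returned to the pool. Note that the hunk as posted is PGP dash-escaped: "- - ---" is the `---` file header and "- - - ps->free = node;" is the removed line, each with "- " prefixes added by the signing; strip those (or take the diff from a clean copy of the advisory) before applying it, since patch will not recognise the headers in this form.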

    VI. VENDOR FIX

    Apache HTTP Server 2.0.46, which contains updates for APR, can be
    downloaded at http://httpd.apache.org/download.cgi .

    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2003-0245 to this issue.

    VIII. DISCLOSURE TIMELINE

    03/19/2003 Issue disclosed to iDEFENSE
    04/08/2003 iDEFENSE Labs initial research complete
    04/09/2003 security@apache.org contacted
    04/09/2003 Response from Lars Eilebrecht and Bill Rowe of Apache
    04/11/2003 Response from Ian Holsman of Apache
    05/08/2003 Response from Mark Cox of Apache
    05/08/2003 Initial research and patch submitted to iDEFENSE by Joe Orton of Apache
    05/09/2003 Apache patch verified by iDEFENSE Labs
    05/12/2003 vendor-sec list notified
    05/26/2003 iDEFENSE clients notified
    05/30/2003 Coordinated Public Disclosure

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPtfBkvrkky7kqW5PEQLpoACfZbcO/qJ0WbCRGj/oKXFFImvgpTYAn0UB
    OFmhMmVLLiDuaGPQtTcbGnJN
    =Icpc
    -----END PGP SIGNATURE-----

