SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)

Automatically imported from Debian bug report #316173 http://bugs.debian.org/316173

apache2 (2.0.54-4ubuntu2) breezy; urgency=low

  * SECURITY UPDATE: Fix two vulnerabilities.
  * Add debian/patches/043_CAN-2005-1268.patch:
    - Fix off-by-one error in the SSL certification validation callback.
    - CAN-2005-1268
  * Add debian/patches/044_CAN-2005-2088.patch:
    - Proxy HTTP: If a response contains both Transfer-Encoding
      and a Content-Length, remove the Content-Length to eliminate
      an HTTP Request Smuggling vulnerability and don't reuse the
      connection, stopping some HTTP Request Spoofing attacks.
    - CAN-2005-2088

 -- Martin Pitt <email address hidden> Mon, 8 Aug 2005 09:27:56 +0200

Message-Id: <email address hidden>
Date: Wed, 29 Jun 2005 00:49:31 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: Security issues in HTTP proxy responses with both Transfer-Encoding
 and Content-Length headers

Package: apache2
Severity: grave
Tags: security
Justification: user security hole

Latest 2.1.6-alpha fixes a security in the proxy HTTP code:

| The 2.1.6-alpha release addresses a security vulnerability present
| in all previous 2.x versions. This fault did not affect Apache 1.3.x
| (which did not proxy keepalives or chunked transfer encoding);

| Proxy HTTP: If a response contains both Transfer-Encoding
| and a Content-Length, remove the Content-Length to eliminate
| an HTTP Request Smuggling vulnerability and don't reuse the
| connection, stopping some HTTP Request Spoofing attacks.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 00:11:56 +0100
From: Steve Kemp <email address hidden>
To: Moritz Muehlenhoff <email address hidden>, <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

On Wed, Jun 29, 2005 at 12:49:31AM +0200, Moritz Muehlenhoff wrote:
> Package: apache2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Latest 2.1.6-alpha fixes a security in the proxy HTTP code:
>
> | The 2.1.6-alpha release addresses a security vulnerability present
> | in all previous 2.x versions. This fault did not affect Apache 1.3.x
> | (which did not proxy keepalives or chunked transfer encoding);
>
> | Proxy HTTP: If a response contains both Transfer-Encoding
> | and a Content-Length, remove the Content-Length to eliminate
> | an HTTP Request Smuggling vulnerability and don't reuse the
> | connection, stopping some HTTP Request Spoofing attacks.
>

  Can I be the first to say that I don't understand the nature of this
 issue?

  Is this also present in 2.0.54 which is the latest stable release?
 There's no mention of it in the changelog there..

Steve
--

Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 10:50:54 +1000 (EST)
From: "Adam Conrad" <adconrad@0c3.net>
To: "Steve Kemp" <email address hidden>
Cc: "Moritz Muehlenhoff" <email address hidden>,
 <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

Steve Kemp wrote:
>
> Can I be the first to say that I don't understand the nature of this
> issue?

The description sounds reasonably straightforward, though I'd classify
this as a vulnerability of pretty low importance, from a "will people be
exploited by this" viewpoint.

> Is this also present in 2.0.54 which is the latest stable release?
> There's no mention of it in the changelog there..

It looks like it's in 2.0.54, and there's a backport in SVN for the 2.0.55
release, but the backport looks more like a massive feature backport, not
just a small security patch, so I may look at if there's a way to fix this
a bit less intrusively.

Actually, it's worth nothing that we muck with Content-Length at another
point, thanks to a Debian-specific patch, so we may accidentally not be
vulnerable to this anyway. I'll follow the code around a little later
today and see if that's the case.

... Adam

Message-ID: <email address hidden>
Date: Wed, 29 Jun 2005 15:10:56 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Steve Kemp <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

Steve Kemp wrote:
> > | Proxy HTTP: If a response contains both Transfer-Encoding
> > | and a Content-Length, remove the Content-Length to eliminate
> > | an HTTP Request Smuggling vulnerability and don't reuse the
> > | connection, stopping some HTTP Request Spoofing attacks.
>
> Can I be the first to say that I don't understand the nature of this
> issue?

This seems to be an Apache specific variation of the HTTP Request Smuggling
attacks described in the original Watchfire paper:
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf

Apache rejects packets with multiple Content-Length headers, but it
seems as if it uses size information constructed from the Transfer-
Encoding headers instead, which make this attack possible?

Cheers,
        Moritz

Message-Id: <200507081725.32343.b@9bit.biz>
Date: Fri, 8 Jul 2005 17:25:31 +0200
From: Borut Mrak <b@9bit.biz>
To: <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses with both
 Transfer-Encoding and Content-Length headers

I hope this will be of some help.
If it's OK, someone tag this bug with PATCH or whatever is appropriate:

sorry about the long URL:

http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/STATUS?rev=208744&view=diff&r1=208744&r2=208743&p1=httpd/httpd/branches/2.0.x/STATUS&p2=/httpd/httpd/branches/2.0.x/STATUS

and from there:

http://people.apache.org/~jorton/ap_tevscl.diff

Pasting in case that URL goes 404:

Index: server/protocol.c
===================================================================
--- server/protocol.c (revision 208743)
+++ server/protocol.c (working copy)
@@ -885,6 +885,15 @@
             apr_brigade_destroy(tmp_bb);
             return r;
         }
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
     }
     else {
         if (r->header_only) {

It seems this is the vulnerability-specific part of the patch.

Message-ID: <email address hidden>
Date: Tue, 26 Jul 2005 20:02:44 +0200
From: Sven Mueller <email address hidden>
To: Borut Mrak <b@9bit.biz>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#316173: apache2: Security issues in HTTP proxy responses
 with both Transfer-Encoding and Content-Length headers

--------------050509020101040302010905
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Package apache2
Tags 316173 +patch
thanks

Borut Mrak wrote on 08/07/2005 17:25:
> I hope this will be of some help.

Me too ;-)

> If it's OK, someone tag this bug with PATCH or whatever is appropriate:
>
> sorry about the long URL:
>
> http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/STATUS?rev=208744&view=diff&r1=208744&r2=208743&p1=httpd/httpd/branches/2.0.x/STATUS&p2=/httpd/httpd/branches/2.0.x/STATUS
>
> and from there:
>
> http://people.apache.org/~jorton/ap_tevscl.diff
>
> Pasting in case that URL goes 404:
>
> Index: server/protocol.c
> ===================================================================
> --- server/protocol.c (revision 208743)
> +++ server/protocol.c (working copy)
[...]
> It seems this is the vulnerability-specific part of the patch.

To me, this seems to be a similar patch, but unrelated to the proxy
issue this bug is about. In my opinion,
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=219059&view=diff&r1=219059&r2=219058&p1=httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c&p2=/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c
or http://people.apache.org/~trawick/20.te-cl.txt
looks more like it. That changeset (attached below) also contains an
entry in CHANGES which reads:
  *) proxy HTTP: If a response contains both Transfer-Encoding and a
     Content-Length, remove the Content-Length and don't reuse the
     connection, mitigating some HTTP Response Splitting attacks.
     [Jeff Trawick]
So in my opinion, this would be the real fix to this bug. But given that
the issue is so similar, I would suggest to also incorporate the fix to
server/protocol.c mentioned above.

cu,
sven

--------------050509020101040302010905
Content-Type: text/plain;
 name="apache219059-debian316173.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="apache219059-debian316173.patch"

--- /httpd/httpd/branches/2.0.x/CHANGES 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/CHANGES 2005/07/14 16:47:30 219059
@@ -1,5 +1,10 @@
 Changes with Apache 2.0.55

+ *) proxy HTTP: If a response contains both Transfer-Encoding and a
+ Content-Length, remove the Content-Length and don't reuse the
+ connection, mitigating some HTTP Response Splitting attacks.
+ [Jeff Trawick]
+
   *) Prevent hangs of child processes when writing to piped loggers at
      the time of graceful restart. PR 26467. [Jeff Trawick]
--- /httpd/httpd/branches/2.0.x/STATUS 2005/07/14 16:29:27 219058
+++ httpd/httpd/branches/2.0.x/STATUS 2005/07/14 16:47:30 219059
@@ -111,10 +111,6 @@

     * Various fixes to T-E and C-L processing from trunk

- + proxy HTTP - ignore C-L and disable keepalive to origin server
- ...

Message-ID: <email address hidden>
Date: Wed, 10 Aug 2005 17:03:55 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: retitling

retitle 320048 SECURITY: buffer-overrun in apache2-ssl (CAN-2005-1268)
retitle 316173 SECURITY: HTTP proxy responses with both Transfer-Encoding and Content-Length headers (CAN-2005-2088)
severity 316173 critical
thanks

Added CAN-Numbers as seen in Ubuntu's USN-160-1 advisory for easier
reference.

bye,

-christian-

Message-ID: <email address hidden>
Date: Thu, 11 Aug 2005 20:01:16 +0200
From: Christian Hammers <email address hidden>
To: <email address hidden>
Subject: Apache 1.3 also vulnerable?

clone 316173 -1
clone 320048 -2
reassign -1 apache
reassign -2 apache
thanks

In the RedHat/Fedora security announcement, I saw today, their 1.3.27
also received an update so maybe that branch is also vulnerable.
More information may be found here:
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157701

bye,

-christian-

Message-ID: <email address hidden>
Date: Fri, 12 Aug 2005 20:43:25 +0200
From: Sven Mueller <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Eduard Bloch <email address hidden>
Subject: NMU prepared to fix these bugs (316173, 320048/320063)

--------------enig41A71612B5B6E3002BD73910
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit

Hi.

During my NM process, I prepared a NMU for the bugs mentioned in the
subject and CC'ed. I didn't upload it (or rather: ask for upload by a
sponsor) yet, but the packages I prepared are publicly available at
http://mail.incase.de/NMUs/

I will wait a week or so and then ask for upload by a sponsor since I
think these bugs really need to be fixed as soon as possible.

regards,
Sven

--------------enig41A71612B5B6E3002BD73910
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)

iD8DBQFC/O3Ng3izVowCbSERAuuIAKCq3vXW9EIstbzIzJhR0qWbrDFuQwCfS97B
iYK9u5aIZufZtuXDXHgSUPY=
=f1cf
-----END PGP SIGNATURE-----

--------------enig41A71612B5B6E3002BD73910--

Message-Id: <email address hidden>
Date: Thu, 08 Sep 2005 11:17:06 -0700
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#316173: fixed in apache2 2.0.54-5

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
libapr0-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-5_i386.deb
libapr0_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0_2.0.54-5_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 2 Sep 2005 22:26:28 +1000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all i386
Version: 2.0.54-5
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
 apache2 - next generation, scalable, extendable web server
 apache2-common - next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
 apache2-mpm-prefork - traditional model for Apache2
 apache2-mpm-threadpool - experimental high speed model for Apache2 (transitional package)
 apache2-mpm-worker - high speed threaded mod...

Message-Id: <email address hidden>
Date: Sat, 17 Dec 2005 00:05:09 -0800
From: Adam Conrad <adconrad@0c3.net>
To: <email address hidden>
Subject: Bug#316173: fixed in apache2 2.0.54-5

Source: apache2
Source-Version: 2.0.54-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-common_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-common_2.0.54-5_i386.deb
apache2-doc_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.0.54-5_all.deb
apache2-mpm-perchild_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.0.54-5_i386.deb
apache2-mpm-prefork_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.0.54-5_i386.deb
apache2-mpm-threadpool_2.0.54-5_all.deb
  to pool/main/a/apache2/apache2-mpm-threadpool_2.0.54-5_all.deb
apache2-mpm-worker_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.0.54-5_i386.deb
apache2-prefork-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.0.54-5_i386.deb
apache2-threaded-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.0.54-5_i386.deb
apache2-utils_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.0.54-5_i386.deb
apache2_2.0.54-5.diff.gz
  to pool/main/a/apache2/apache2_2.0.54-5.diff.gz
apache2_2.0.54-5.dsc
  to pool/main/a/apache2/apache2_2.0.54-5.dsc
apache2_2.0.54-5_i386.deb
  to pool/main/a/apache2/apache2_2.0.54-5_i386.deb
libapr0-dev_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0-dev_2.0.54-5_i386.deb
libapr0_2.0.54-5_i386.deb
  to pool/main/a/apache2/libapr0_2.0.54-5_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 2 Sep 2005 22:26:28 +1000
Source: apache2
Binary: apache2-utils apache2 apache2-prefork-dev apache2-mpm-prefork apache2-doc libapr0-dev apache2-mpm-threadpool apache2-mpm-worker libapr0 apache2-threaded-dev apache2-common apache2-mpm-perchild
Architecture: source all i386
Version: 2.0.54-5
Distribution: stable-security
Urgency: high
Maintainer: Debian Apache Maintainers <email address hidden>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
 apache2 - next generation, scalable, extendable web server
 apache2-common - next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-perchild - experimental high speed perchild threaded model for Apache2
 apache2-mpm-prefork - traditional model for Apache2
 apache2-mpm-threadpool - experimental high speed model for Apache2 (transitional package)
 apache2-mpm-worker - high speed threaded mod...