A security issue has been reported in mod_proxy.  See

http://www.guninski.com/modproxy1.html

The flaw affects Apache httpd 1.3.25 to 1.3.31 that have mod_proxy enabled
and configured.  Apache httpd 2.0 is unaffected.

The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative) Content-Length.  This results in a memcpy to the heap with a
large length value, which will in most cases cause the Apache child to
crash.  This does not represent a significant Denial of Service attack, as
requests will continue to be handled by other Apache child processes.
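As an added illustration (not part of the original advisory or Apache's own code), this is the kind of strict Content-Length validation a proxy needs so that a signed or malformed value never reaches a memcpy length. The function name parse_content_length is an assumption of this example; it uses plain strtol with an end pointer rather than ap_strtol.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Parse a Content-Length header value the way a hardened proxy should:
 * accept only an all-digit, non-negative value that fits in a long.
 * Returns 0 on success and stores the length in *out; returns -1 when the
 * value must be rejected (a sign, junk, an empty value, or overflow).
 * Added example: this is not Apache's ap_strtol-based code. */
static int parse_content_length(const char *value, long *out)
{
    char *end;
    long n;

    if (value == NULL)
        return -1;
    /* Skip leading whitespace, which header values may carry. */
    while (*value == ' ' || *value == '\t')
        value++;
    /* Refuse "-1", "+5" and empty values outright: strtol itself accepts
     * a sign, which is how a negative length can reach the memcpy. */
    if (!isdigit((unsigned char)*value))
        return -1;

    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE || n < 0)
        return -1;                 /* overflow saturates at LONG_MAX */
    /* Allow only trailing whitespace after the digits. */
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;                 /* "123abc" is not a length */

    *out = n;
    return 0;
}
```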

Under some circumstances it may be possible to exploit this issue to cause
arbitrary code execution.  However, an attacker would need to get an
Apache installation that was configured as a proxy to connect to
a malicious site.

1. On older OpenBSD/FreeBSD distributions it is easily exploitable because
of the internal implementation of memcpy, which rereads its length from
the stack.

2. On newer BSD distributions it may be exploitable because the 
implementation of memcpy will write three arbitrary bytes to an attacker 
controlled location.

3. It may be exploitable on any platform if the optional (and not default)
define AP_ENABLE_EXCEPTION_HOOK is enabled.  This is used for example by
the experimental mod_whatkilledus module.

In all other circumstances this issue looks to be unexploitable other than 
to crash the Apache child that is processing the proxy request.

A patch to correct this issue is attached.

Note that the reporter of this issue contacted [EMAIL PROTECTED] on June
8th but was unwilling to keep the issue private until the investigation 
was completed or a new Apache release was available.  He published his 
advisory on June 10th.

Mark
--
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor

Index: src/CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1942
diff -u -p -u -r1.1942 CHANGES
--- src/CHANGES 2 Jun 2004 22:49:03 -0000       1.1942
+++ src/CHANGES 9 Jun 2004 15:58:44 -0000
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.32
 
+  *) SECURITY: CAN-2004-0492 (cve.mitre.org)
+     Reject responses from a remote server if sent an invalid (negative) 
+     Content-Length.  [Mark Cox]
+
   *) Fix a bunch of cases where the return code of the regex compiler
      was not checked properly. This affects mod_usertrack and
      core. PR 28218.  [André Malo]
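Review bot: the new CHANGES entry does not name the module the fix lands in; since the advisory text above scopes the issue to mod_proxy, consider "SECURITY: CAN-2004-0492 (cve.mitre.org) mod_proxy: Reject responses ..." so readers of CHANGES can tell whether their configuration is affected without consulting the advisory.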
Index: src/modules/proxy/proxy_http.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
retrieving revision 1.106
diff -u -p -u -r1.106 proxy_http.c
--- src/modules/proxy/proxy_http.c      29 Mar 2004 17:47:15 -0000      1.106
+++ src/modules/proxy/proxy_http.c      8 Jun 2004 14:23:05 -0000
@@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r
         content_length = ap_table_get(resp_hdrs, "Content-Length");
         if (content_length != NULL) {
             c->len = ap_strtol(content_length, NULL, 10);
+
+           if (c->len < 0) {
+               ap_kill_timeout(r);
+               return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+                                    "Invalid Content-Length from remote server",
+                                      NULL));
+           }
         }
 
     }
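Review bot: the check at `if (c->len < 0)` only catches a negative result, but `ap_strtol(content_length, NULL, 10)` discards the end pointer, so a non-numeric Content-Length parses to 0 and a value with trailing garbage is accepted; consider passing an end pointer and also returning HTTP_BAD_GATEWAY when `*end != '\0'` (and, if the platform reports it, on range overflow), so that any malformed length is rejected rather than only a negative one. Style: the added block is indented one column short of the surrounding `c->len = ...` line; align it with the existing 12-space indentation.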