A security issue has been reported in mod_proxy. See http://www.guninski.com/modproxy1.html
The flaw affects Apache httpd 1.3.25 to 1.3.31 that have mod_proxy enabled and configured. Apache httpd 2.0 is unaffected.

The security issue is a buffer overflow which can be triggered by getting mod_proxy to connect to a remote server which returns an invalid (negative) Content-Length. This results in a memcpy to the heap with a large length value, which will in most cases cause the Apache child to crash. This does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes.

Under some circumstances it may be possible to exploit this issue to cause arbitrary code execution. However an attacker would need to get an Apache installation that was configured as a proxy to connect to a malicious site.

1. On older OpenBSD/FreeBSD distributions it is easily exploitable because of the internal implementation of memcpy which rereads its length from the stack.

2. On newer BSD distributions it may be exploitable because the implementation of memcpy will write three arbitrary bytes to an attacker controlled location.

3. It may be exploitable on any platform if the optional (and not default) define AP_ENABLE_EXCEPTION_HOOK is enabled. This is used for example by the experimental mod_whatkilledus module.

In all other circumstances this issue looks to be unexploitable other than to crash the Apache child that is processing the proxy request.

A patch to correct this issue is attached.

Note that the reporter of this issue contacted [EMAIL PROTECTED] on June 8th but was unwilling to keep the issue private until the investigation was completed or a new Apache release was available. He published his advisory on June 10th.

Mark
-- 
Mark J Cox ........................................... www.awe.com/mark
Apache Software Foundation ..... OpenSSL Group ..... Apache Week editor
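To make the mechanism in the advisory concrete, the following is an added example, not Apache's code and not part of the original message: a hypothetical naive Content-Length parse of the kind the advisory describes (a signed strtol result later handed to memcpy, where a negative value wraps to a huge size_t) beside a hardened parser that rejects negative, malformed and overflowing values and bounds the copy by the data actually received. The function names, the HTTP status constants and the sample body are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive parse (hypothetical, mirrors the pattern the advisory describes):
 * the signed result of strtol is stored and later handed to memcpy. */
long naive_content_length(const char *hdr)
{
    return strtol(hdr, NULL, 10);
}

/* The length as memcpy's size_t parameter would receive it. A negative
 * value wraps to an enormous unsigned number, which is the heap overflow
 * (in practice a crash of the child) described in the advisory. */
size_t naive_copy_len(const char *hdr)
{
    return (size_t)naive_content_length(hdr);
}

/* Hardened parse: accept only a plain non-negative decimal integer that
 * fits in a long. Returns -1 for anything else (negative, empty, sign,
 * leading whitespace, trailing garbage, overflow). */
long hardened_content_length(const char *hdr)
{
    char *end;
    long v;

    if (hdr == NULL || !isdigit((unsigned char)*hdr))
        return -1;                 /* rejects "", "-1", "+5", " 5" */
    errno = 0;
    v = strtol(hdr, &end, 10);
    if (errno == ERANGE || v < 0)  /* overflow, or negative (CAN-2004-0492) */
        return -1;
    if (*end != '\0')              /* trailing garbage such as "12abc" */
        return -1;
    return v;
}

#define HTTP_OK          200
#define HTTP_BAD_GATEWAY 502

/* Hypothetical stand-in for the proxy's body handling: validate the header,
 * then bound the copy by both the data actually received and the destination. */
int proxy_copy_body(const char *hdr, const char *body, size_t body_len,
                    char *out, size_t out_size)
{
    long len = hardened_content_length(hdr);

    if (len < 0)
        return HTTP_BAD_GATEWAY;   /* what the patch does for a negative value */
    if ((size_t)len > body_len || (size_t)len > out_size)
        return HTTP_BAD_GATEWAY;   /* claimed length exceeds what we have room for */
    memcpy(out, body, (size_t)len);
    return HTTP_OK;
}

/* Drive proxy_copy_body with a constructed 11-byte response body and return
 * the status the proxy would send back to the client. */
int simulate_response(const char *hdr)
{
    static const char body[] = "hello world";  /* constructed sample body */
    char out[64];

    return proxy_copy_body(hdr, body, sizeof body - 1, out, sizeof out);
}

int main(void)
{
    const char *hdrs[] = { "11", "-1", "12abc", "500" };
    size_t i;

    for (i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++)
        printf("Content-Length: %-6s naive memcpy len=%zu  hardened status=%d\n",
               hdrs[i], naive_copy_len(hdrs[i]), simulate_response(hdrs[i]));
    return 0;
}
```

The naive path is only evaluated, never used to drive a real memcpy, because with "-1" the resulting length is SIZE_MAX and the copy would crash exactly as the advisory says. The hardened parser goes further than the patch's single `< 0` test: it also refuses empty, signed, whitespace-prefixed and partially numeric values and catches ERANGE, and the copy itself is still bounded by the bytes on hand rather than trusting the header alone.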
Index: src/CHANGES =================================================================== RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1942 diff -u -p -u -r1.1942 CHANGES --- src/CHANGES 2 Jun 2004 22:49:03 -0000 1.1942 +++ src/CHANGES 9 Jun 2004 15:58:44 -0000 @@ -1,5 +1,9 @@ Changes with Apache 1.3.32 + *) SECURITY: CAN-2004-0492 (cve.mitre.org) + Reject responses from a remote server if sent an invalid (negative) + Content-Length. [Mark Cox] + *) Fix a bunch of cases where the return code of the regex compiler was not checked properly. This affects mod_usertrack and core. PR 28218. [André Malo] Index: src/modules/proxy/proxy_http.c =================================================================== RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v retrieving revision 1.106 diff -u -p -u -r1.106 proxy_http.c --- src/modules/proxy/proxy_http.c 29 Mar 2004 17:47:15 -0000 1.106 +++ src/modules/proxy/proxy_http.c 8 Jun 2004 14:23:05 -0000 @@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r content_length = ap_table_get(resp_hdrs, "Content-Length"); if (content_length != NULL) { c->len = ap_strtol(content_length, NULL, 10); + + if (c->len < 0) { + ap_kill_timeout(r); + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool, + "Invalid Content-Length from remote server", + NULL)); + } } }
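Review bot: the CHANGES entry for CAN-2004-0492 does not name the affected module, although the fix lives in src/modules/proxy/proxy_http.c; administrators scanning CHANGES to decide whether they are affected need that. Suggest prefixing it, e.g. "SECURITY: CAN-2004-0492 (cve.mitre.org) mod_proxy: Reject responses from a remote server if sent an invalid (negative) Content-Length."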
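Review bot: the new `if (c->len < 0)` check in ap_proxy_http_handler only rejects negative values, but `c->len = ap_strtol(content_length, NULL, 10);` with a NULL end pointer still silently accepts a non-numeric or partially numeric header ("abc" parses as 0, "12abc" as 12) and gives no way to detect an out-of-range value, so consider passing an end pointer and rejecting the header when no digits were consumed, `*end` is not NUL, or errno is ERANGE. Minor: `ap_pstrcat(r->pool, "Invalid Content-Length from remote server", NULL)` concatenates a single literal, so the literal can be passed to ap_proxyerror directly.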