8652849 2002-06-24 22:46 +0159  /149 lines/ Jedi/Sector One <j@pureftpd.org>
Sent by: joel@lysator.liu.se
Imported: 2002-06-27  06:14  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22840>
Subject: Apache mod_ssl off-by-one vulnerability
------------------------------------------------------------
From: Jedi/Sector One <j@pureftpd.org>
To: bugtraq@securityfocus.com
Message-ID: <20020624204709.GA21212@c9x.org>


Product: mod_ssl - http://www.modssl.org/
Date: 06/24/2002
Summary: Off-by-one in mod_ssl 2.4.9 and earlier
By: Frank Denis - j@pureftpd.org



    ---------------------------------------------------------------------
                                 DESCRIPTION
    ---------------------------------------------------------------------
    
This module provides strong cryptography for the Apache 1.3 webserver
via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) protocols by the help of the Open Source SSL/TLS toolkit
OpenSSL, which is based on SSLeay from Eric A. Young and Tim
J. Hudson.

The mod_ssl package was created in April 1998 by Ralf S. Engelschall
and was originally derived from software developed by Ben Laurie for
use in the Apache-SSL HTTP server project. The mod_ssl package is
licensed under a BSD-style license, which basically means that you
are free to get and use it for commercial and non-commercial purposes.



    ---------------------------------------------------------------------
                                VULNERABILITY
    ---------------------------------------------------------------------
    
The Apache web server provides an extended API (EAPI) to easily
extend the server with third-party modules, through various hooks
called as needed. One of these hooks, rewrite_command, is called
right after a configuration directive line has been read and before it is
processed.

mod_ssl registers such a rewrite_command hook when backward
compatibility is enabled. The ssl_compat_directive() is called for
every line read in a configuration file.

However, this function contains an off-by-one error in this code
snippet:

  ...
  char *cp;
  char caCmd[1024];
  char *cpArgs;
  ...
  cp = (char *)oline;
  for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
                                                         ^^^^^^^^
    caCmd[i++] = *cp++;
  caCmd[i] = NUL;
  cpArgs = cp;
  ...

oline is a pointer to the line being parsed, whose content can be
arbitrarily long and controlled by untrusted users through ".htaccess"
files.



    ---------------------------------------------------------------------
                                   IMPACT
    ---------------------------------------------------------------------
    
Apart from global configuration files, Apache allows per-directory
configuration files. Therefore, the bug can be triggered by any
regular user through specially crafted ".htaccess" files.

The stack can be smashed. Alexander Yurchenko <grange@rt.mipt.ru>
wrote a proof of concept exploit for OpenBSD to demonstrate that
arbitrary code could be executed through ".htaccess" files.

As noticed by Michal Zalewski <lcamtuf@coredump.cx>, you can cause an
overflow in every running child to force all of them to do what you
want. This is way more dangerous than children forked for CGI
execution.

Possible implications include denial of service (by sending STOP
signals to every child), adding fake entries to every log file (not
only those from the virtualhost the .htaccess lies in), running
arbitrary commands as the web server user regardless of ExecCGI and
suexec settings and spoofing replies.



    ---------------------------------------------------------------------
                             VULNERABLE SYSTEMS
    ---------------------------------------------------------------------
    
Any system running the Apache web server with mod_ssl compiled in,
and the "AllowOverride" directive not set to "None" for virtual hosts
may be vulnerable if virtual hosts are managed by untrusted users.

Systems may be vulnerable even if no virtual host actually uses SSL
features, as long as mod_ssl is compiled in.

Apache 2.0 doesn't seem to ship this part of the mod_ssl source code
and it is therefore not vulnerable.

mod_ssl compiled without backward compatibility is not
vulnerable. However, this feature is enabled by default.



    ---------------------------------------------------------------------
                                 WORKAROUND
    ---------------------------------------------------------------------
    
Disallow per-directory configuration files by only having
"AllowOverride None" directives in your httpd.conf file, and restart
the web server.



    ---------------------------------------------------------------------
                                    FIXES
    ---------------------------------------------------------------------
    
The mod_ssl development team was very reactive and a new version has
just been released. mod_ssl 2.8.10 addresses the vulnerability and it
is freely available from http://www.modssl.org/ . Upgrading from an
earlier release is painless.

The bug has also been fixed in OpenBSD-current, thanks to fgsch.

The following one-line patch also addresses the problem:

--- pkg.sslmod/ssl_engine_compat.c.orig	Sat Feb 23 19:45:23 2002
+++ pkg.sslmod/ssl_engine_compat.c	Mon Jun 24 20:43:17 2002
@@ -309,7 +309,7 @@
      * Extract directive name
      */
     cp = (char *)oline;
-    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
+    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < sizeof(caCmd) - 1; )
         caCmd[i++] = *cp++;
     caCmd[i] = NUL;
     cpArgs = cp;
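Review bot: the new bound `i < sizeof(caCmd) - 1` leaves room for the `caCmd[i] = NUL` that follows the loop, which is what the fix needs, but a directive name of 1023 bytes or more now exits the loop silently: `cpArgs = cp` then points into the middle of the name and the truncated `caCmd` is passed on as if it were a complete directive. Consider treating `i == sizeof(caCmd) - 1` with `*cp` not a separator as an error (reject or at least log the line) instead of continuing with a truncated name. Also, `i` is now compared against a `size_t`; its declaration is outside the hunk, but if it is an `int` this produces a signed/unsigned comparison warning under `-Wall -Wextra`, so declaring it `size_t` (or casting) keeps the build quiet.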

Best regards,

     -Frank.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
(8652849) /Jedi/Sector One <j@pureftpd.org>/(Reflowed)
Comment in text 8657929 by H D Moore <sflist@digitaloffense.net>
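The loop in the advisory stops at a literal 1024 while caCmd holds exactly 1024 bytes, so a 1024-byte directive name makes the trailing NUL land one byte past the buffer. Below is an added example, not mod_ssl's code and not from the advisory's author: a directive-name extractor in the shape of that loop whose bound is derived from the buffer (the same sizeof(caCmd) - 1 idea as the one-line patch), which refuses over-long names instead of truncating them, plus a defender-side scanner that flags the lines an unpatched server could not parse safely. The buffer size, the function names and the sample lines are assumptions made for the example.

```c
/*
 * Added example, not mod_ssl's code: directive-name extraction in the shape
 * of ssl_compat_directive()'s loop, with the bound derived from the buffer
 * (the same sizeof(caCmd) - 1 idea as the one-line patch) and a defender's
 * scanner for the over-long directive names the original loop mishandled.
 * Buffer size, function names and the sample lines are assumptions.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 1024   /* mirrors caCmd[1024] in the advisory's snippet */

/*
 * Copy the leading token of oline (up to space, tab or NUL) into cmd.
 * The loop stops at cmdsz - 1 so the terminating NUL written afterwards is
 * always inside the buffer; the original compared against a literal 1024,
 * which let i reach cmdsz and the NUL land one byte past the end.
 * Returns the token length, or -1 when the name does not fit (rather than
 * handing a silently truncated name to the caller). On success *args points
 * at the remainder of the line, exactly where the original set cpArgs.
 */
int extract_directive(const char *oline, char *cmd, size_t cmdsz,
                      const char **args)
{
    size_t i = 0;
    const char *cp = oline;

    if (cmdsz == 0)
        return -1;
    while (*cp != ' ' && *cp != '\t' && *cp != '\0') {
        if (i >= cmdsz - 1) {            /* no room left for the NUL */
            cmd[0] = '\0';
            if (args)
                *args = NULL;
            return -1;
        }
        cmd[i++] = *cp++;
    }
    cmd[i] = '\0';
    if (args)
        *args = cp;
    return (int)i;
}

/* Length in bytes of a line's directive name (everything before space/tab/NUL). */
size_t directive_name_len(const char *line)
{
    return strcspn(line, " \t");
}

/*
 * Defender-side check for auditing .htaccess files: a directive name of
 * CMD_MAX bytes or more is the input the unpatched loop could not store
 * without overrunning caCmd, and no real Apache directive is anywhere near
 * that long. Returns 1 if the line should be flagged, 0 otherwise.
 */
int line_is_suspicious(const char *line)
{
    return directive_name_len(line) >= CMD_MAX;
}

/* Constructed test input: a directive whose name is name_len 'A's, then " on".
 * The caller frees the result. */
char *make_long_directive(size_t name_len)
{
    char *line = malloc(name_len + 4);      /* " on" plus the NUL */
    if (line == NULL)
        return NULL;
    memset(line, 'A', name_len);
    memcpy(line + name_len, " on", 4);
    return line;
}

int main(void)
{
    /* Constructed sample lines; the long one stands in for a hostile .htaccess. */
    char *longline = make_long_directive(1500);
    const char *samples[3];
    char cmd[CMD_MAX];
    const char *args;
    size_t n;

    if (longline == NULL)
        return 1;
    samples[0] = "SSLEngine on";
    samples[1] = "AllowOverride\tNone";
    samples[2] = longline;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int len = extract_directive(samples[n], cmd, sizeof cmd, &args);
        printf("name_len=%zu flagged=%d -> ", directive_name_len(samples[n]),
               line_is_suspicious(samples[n]));
        if (len < 0)
            printf("rejected (name does not fit in %d bytes)\n", CMD_MAX);
        else
            printf("directive=\"%s\" args=\"%s\"\n", cmd, args);
    }
    free(longline);
    return 0;
}
```

The scanner threshold is the buffer size itself: a 1023-byte name still fits the patched loop, a 1024-byte name is the first input the unpatched loop wrote past caCmd, and in a real .htaccess anything in that range is worth an alert regardless of which mod_ssl version is installed.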
8657929 2002-06-26 21:46 -0500  /21 lines/ H D Moore <sflist@digitaloffense.net>
Sent by: joel@lysator.liu.se
Imported: 2002-06-28  01:20  by Brevbäraren
External recipient: Jedi/Sector One <j@pureftpd.org>
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22860>
Comment on text 8652849 by Jedi/Sector One <j@pureftpd.org>
Subject: Re: Apache mod_ssl off-by-one vulnerability
------------------------------------------------------------
From: H D Moore <sflist@digitaloffense.net>
To: Jedi/Sector One <j@pureftpd.org>, bugtraq@securityfocus.com
Message-ID: <200206262146.12892.sflist@digitaloffense.net>

Just to confirm, the bug exists in 2.8.9 and earlier? The first part
of the advisory mentions 2.4.9, so a casual reader may assume they
are unaffected if they don't read all the way to the bottom...

On Monday 24 June 2002 15:47, Jedi/Sector One wrote:
> Product: mod_ssl - http://www.modssl.org/
> Date: 06/24/2002
> Summary: Off-by-one in mod_ssl 2.4.9 and earlier

 [ snip ]

> The mod_ssl development team was very reactive and a new version has just
> been released. mod_ssl 2.8.10 addresses the vulnerability and it is
> freely available from http://www.modssl.org/ . Upgrading from an earlier
> release is painless.
(8657929) /H D Moore <sflist@digitaloffense.net>/(Reflowed)
8663134 2002-06-27 16:32 -0500  /55 lines/ <Ken.Williams@ey.com>
Sent by: joel@lysator.liu.se
Imported: 2002-06-29  06:24  by Brevbäraren
External recipient: H D Moore <sflist@digitaloffense.net>
External recipient: Jedi/Sector One <j@pureftpd.org>
External recipient: rse@engelschall.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22891>
Subject: Re: Apache mod_ssl off-by-one vulnerability
------------------------------------------------------------
From: Ken.Williams@ey.com
To: H D Moore <sflist@digitaloffense.net>,
 Jedi/Sector One <j@pureftpd.org>, rse@engelschall.com,
 bugtraq@securityfocus.com
Message-ID: <OF178B4BAF.29ACDF01-ON86256BE5.0075BEC5@ey.com>

hi,

i downloaded mod_ssl-2.8.9-1.3.26 from the modssl.org archive and
verified that it does have the off-by-one error, so it appears that
there was a mistake in the vulnerability advisory.

line 3 of the advisory should read:
Summary: Off-by-one in mod_ssl 2.8.9 and earlier

correct me if i'm wrong.

Regards,
kw

Ken Williams ; CISSP ; Technical Lead ; ken.williams@ey.com
eSecurityOnline - an eSecurity Venture of Ernst & Young
ken.williams@ey.com ; www.esecurityonline.com ; 1-877-eSecurity

>Subject:  Re: Apache mod_ssl off-by-one vulnerability
>From:     H D Moore <sflist@digitaloffense.net>
>Date:     2002-06-27 2:46:12
>
>Just to confirm, the bug exists in 2.8.9 and earlier? The first part of the
>advisory mentions 2.4.9, so a casual reader may assume they are unaffected if
>they don't read all the way to the bottom...
>
>On Monday 24 June 2002 15:47, Jedi/Sector One wrote:
>> Product: mod_ssl - http://www.modssl.org/
>> Date: 06/24/2002
>> Summary: Off-by-one in mod_ssl 2.4.9 and earlier
>
> [ snip ]
>
>> The mod_ssl development team was very reactive and a new version has just
>> been released. mod_ssl 2.8.10 addresses the vulnerability and it is
>> freely available from http://www.modssl.org/ . Upgrading from an earlier
>> release is painless.

(8663134) /<Ken.Williams@ey.com>/---------(Reflowed)
8664752 2002-06-29 08:55 +0200  /20 lines/ Jedi/Sector One <j@pureftpd.org>
Sent by: joel@lysator.liu.se
Imported: 2002-06-29  19:17  by Brevbäraren
External recipient: Ken.Williams@ey.com
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <22899>
Comment on text 8663134 by <Ken.Williams@ey.com>
Subject: Re: Apache mod_ssl off-by-one vulnerability
------------------------------------------------------------
From: Jedi/Sector One <j@pureftpd.org>
To: Ken.Williams@ey.com
Cc: bugtraq@securityfocus.com
Message-ID: <20020629065559.GA22344@c9x.org>

On Thu, Jun 27, 2002 at 04:32:32PM -0500, Ken.Williams@ey.com wrote:
> i downloaded mod_ssl-2.8.9-1.3.26 from the modssl.org archive and verified
> that it does have the off-by-one error, so it appears that there was a mistake
> in the vulnerability advisory.

  Yes, there was a typo.

  All versions < 2.8.10 are affected.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
(8664752) /Jedi/Sector One <j@pureftpd.org>/--------
Comment in text 8665539 by John Thornton <news@hackersdigest.com>