Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/09/03 13:27:02 UTC
DO NOT REPLY [Bug 31036] New: Apache mod_rewrite DBM file zero byte overflow
http://issues.apache.org/bugzilla/show_bug.cgi?id=31036
Summary: Apache mod_rewrite DBM file zero byte overflow
Product: Apache httpd-2.0
Version: 2.0.50
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: Other
Component: mod_rewrite
AssignedTo: bugs@httpd.apache.org
ReportedBy: sitic@pts.se
(Initially reported as SITIC Vulnerability Advisory SA04-003, redefined as bug
after discussion with ASF security team)
Apache's mod_rewrite module can be made to write one zero byte in an arbitrary
memory position outside of a char array, causing DoS or possibly buffer
overflows.
The function lookup_map_dbmfile() in modules/mappers/mod_rewrite.c copies data
from a DBM file into the char array buf in a _secure_ manner (the copy length is
bounded), but it zero-terminates the array afterwards in an _insecure_ manner.
If the value of the looked-up key is n bytes long, a zero byte is written n bytes
from the start of buf regardless of the array's size (MAX_STRING_LEN); a value
at least as long as the array therefore writes outside it, causing a crash.
HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.
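The off-by-n arithmetic described above, as an added illustration that is not part of this report or of httpd's own code: it models the original and the patched terminator computations on a constructed 16-byte buffer (httpd's real MAX_STRING_LEN is far larger; the arithmetic is identical) using a struct shaped like APR's apr_datum_t, so the out-of-bounds index can be checked without performing the unsafe write. DEMO_BUF_LEN, demo_datum_t, the sample values and the helper functions are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this demo: a deliberately tiny buffer so the overrun is visible.
 * httpd's real MAX_STRING_LEN is much larger; the arithmetic is the same. */
#define DEMO_BUF_LEN 16

/* Mirrors the shape of the datum apr_dbm_fetch() returns: a pointer and a length. */
typedef struct {
    const char *dptr;
    size_t dsize;
} demo_datum_t;

/* Terminator index computed by the original code: the unclamped value length.
 * The memcpy before it was already bounded, so this is the only unsafe write. */
size_t old_terminator_index(size_t dsize, size_t bufsize)
{
    (void)bufsize; /* the original code never consulted the buffer size here */
    return dsize;
}

/* Terminator index computed by the patched code: the same clamped length the memcpy uses. */
size_t new_terminator_index(size_t dsize, size_t bufsize)
{
    return dsize < bufsize - 1 ? dsize : bufsize - 1;
}

/* True when buf[idx] lies outside an array of bufsize bytes. */
bool index_out_of_bounds(size_t idx, size_t bufsize)
{
    return idx >= bufsize;
}

/* Patched copy logic, as in issue3.patch: clamp once, then use the clamped length for
 * both the memcpy and the terminator. Returns the number of bytes copied; buf is always
 * NUL-terminated within its bounds. */
size_t copy_value_fixed(char *buf, size_t bufsize, const demo_datum_t *val)
{
    size_t copylen = val->dsize < bufsize - 1 ? val->dsize : bufsize - 1;
    memcpy(buf, val->dptr, copylen);
    buf[copylen] = '\0';
    return copylen;
}

/* Runs the patched logic on a vlen-byte value into a DEMO_BUF_LEN buffer and returns
 * strlen() of the result, which can never exceed DEMO_BUF_LEN - 1. */
size_t fixed_copy_strlen(const char *value, size_t vlen)
{
    char buf[DEMO_BUF_LEN];
    demo_datum_t val = { value, vlen };
    copy_value_fixed(buf, sizeof buf, &val);
    return strlen(buf);
}

/* Would the original code's NUL write for a vlen-byte value land outside the buffer? */
bool old_code_would_overrun(size_t vlen)
{
    return index_out_of_bounds(old_terminator_index(vlen, DEMO_BUF_LEN), DEMO_BUF_LEN);
}

int main(void)
{
    /* Constructed sample values: one that fits the buffer, one that does not. */
    const char *vals[2] = { "www.example", "0123456789abcdef0123456789abcdef" };

    for (int i = 0; i < 2; i++) {
        size_t n = strlen(vals[i]);
        printf("value length %2zu: old code writes NUL at buf[%zu] (%s), "
               "patched code writes at buf[%zu]; fixed copy yields strlen %zu\n",
               n,
               old_terminator_index(n, DEMO_BUF_LEN),
               old_code_would_overrun(n) ? "OUT OF BOUNDS" : "in bounds",
               new_terminator_index(n, DEMO_BUF_LEN),
               fixed_copy_strlen(vals[i], n));
    }
    return 0;
}
```

The point the functions make explicit: the original memcpy was bounded by sizeof(buf)-1, so the only out-of-bounds write was the single NUL at buf[dbmval.dsize], and any value of DEMO_BUF_LEN bytes or more places it past the array. The patched logic derives the terminator index from the same clamped length as the copy, so the worst case is silent truncation rather than a write outside buf.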
Mitigating factors:
Exploitation requires someone manually configuring the system to use a DBM
file and then someone (else) storing malicious data in that DBM file.
This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT
Incident Centre.
The included patch "issue3.patch" is our attempt at correcting this issue:
--- modules/mappers/mod_rewrite.c 2004-06-11 23:05:22.000000000 +0200
+++ modules/mappers/mod_rewrite.c.ulf 2004-07-22 13:58:17.000000000 +0200
@@ -3160,6 +3160,7 @@
char *value = NULL;
char buf[MAX_STRING_LEN];
apr_status_t rv;
+ unsigned int copylen;
dbmkey.dptr = key;
dbmkey.dsize = strlen(key);
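Review bot: `copylen` is declared `unsigned int`, but the values it receives in the second hunk (`dbmval.dsize` and `sizeof(buf)-1`) are size-typed, so the assignment narrows silently on LP64 platforms; `apr_size_t copylen;` matches the surrounding APR types and avoids the implicit conversion. Since the variable is only used inside the `if (rv == APR_SUCCESS && dbmval.dptr)` block, it could also be declared there rather than at function scope.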
@@ -3168,10 +3169,10 @@
r->pool)) == APR_SUCCESS) {
rv = apr_dbm_fetch(dbmfp, dbmkey, &dbmval);
if (rv == APR_SUCCESS && dbmval.dptr) {
- memcpy(buf, dbmval.dptr,
- dbmval.dsize < sizeof(buf)-1 ?
- dbmval.dsize : sizeof(buf)-1 );
- buf[dbmval.dsize] = '\0';
+ copylen = dbmval.dsize < sizeof(buf)-1 ?
+ dbmval.dsize : sizeof(buf)-1;
+ memcpy(buf, dbmval.dptr, copylen);
+ buf[copylen] = '\0';
value = apr_pstrdup(r->pool, buf);
}
apr_dbm_close(dbmfp);
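Review bot: the fix is right: the old code clamped the `memcpy` length to `sizeof(buf)-1` but indexed the terminator with the unclamped `dbmval.dsize`, so any value of `sizeof(buf)` bytes or more wrote the NUL beyond `buf`; reusing the clamped `copylen` in `buf[copylen] = '\0';` keeps the write inside the array. One residual point: a value longer than `MAX_STRING_LEN-1` is now silently truncated before `apr_pstrdup`, so a rewrite map lookup can quietly return a shortened string; consider logging when `copylen` differs from `dbmval.dsize`, or copying straight into the pool with `apr_pstrmemdup(r->pool, dbmval.dptr, copylen)` so the fixed-size intermediate `buf` is not needed at all.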