You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/09/03 13:27:02 UTC

DO NOT REPLY [Bug 31036] New: - Apache mod_rewrite DBM file zero byte overflow

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31036>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31036

Apache mod_rewrite DBM file zero byte overflow

           Summary: Apache mod_rewrite DBM file zero byte overflow
           Product: Apache httpd-2.0
           Version: 2.0.50
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_rewrite
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sitic@pts.se


(Initially reported as SITIC Vulnerability Advisory SA04-003, redefined as bug 
after discussion with ASF security team)

Apache's mod_rewrite module can be made to write one zero byte in an arbitrary
memory position outside of a char array, causing DoS or possibly buffer
overflows.

The function lookup_map_dbmfile() in modules/mappers/mod_rewrite.c copies data
from a DBM file to the char array buf in a _secure_ manner, but it
zero-terminates the array afterwards in an _insecure_ manner. If the key that
is looked up has an n bytes long value, a zero byte will be written in the
memory position n bytes from the start of the char array buf, causing a crash.

HTTP requests that exploit this problem are not shown in the access log. The
error log will show Segmentation faults, though.

Mitigating factors:

Exploitation requires someone manually configuring the system to use a DBM
file and then someone (else) storing malicious data in that DBM file.

This bug was discovered by Ulf Harnhammar for SITIC, Swedish IT 
Incident Centre.

The included patch "issue3.patch" is our attempt at correcting this issue:

--- modules/mappers/mod_rewrite.c	2004-06-11 23:05:22.000000000 +0200
+++ modules/mappers/mod_rewrite.c.ulf	2004-07-22 13:58:17.000000000 +0200
@@ -3160,6 +3160,7 @@
     char *value = NULL;
     char buf[MAX_STRING_LEN];
     apr_status_t rv;
+    unsigned int copylen;
 
     dbmkey.dptr  = key;
     dbmkey.dsize = strlen(key);
@@ -3168,10 +3169,10 @@
                               r->pool)) == APR_SUCCESS) {
         rv = apr_dbm_fetch(dbmfp, dbmkey, &dbmval);
         if (rv == APR_SUCCESS && dbmval.dptr) {
-            memcpy(buf, dbmval.dptr,
-                   dbmval.dsize < sizeof(buf)-1 ?
-                   dbmval.dsize : sizeof(buf)-1  );
-            buf[dbmval.dsize] = '\0';
+            copylen = dbmval.dsize < sizeof(buf)-1 ?
+                      dbmval.dsize : sizeof(buf)-1;
+            memcpy(buf, dbmval.dptr, copylen);
+            buf[copylen] = '\0';
             value = apr_pstrdup(r->pool, buf);
         }
         apr_dbm_close(dbmfp);

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org