A remote attacker may be able to crash the Apache process or
execute arbitrary commands.
Apache is a widely used,
freely available web server developed by the
Apache Software Foundation.
Several third-party developers have developed modules that
can be added to Apache to add capabilities that are not part
of the basic web server package. One such module is
mod_ssl, which provides
strong cryptography for the Apache web server using
Apache-SSL also uses
OpenSSL to provide secure web services.
mod_ssl uuencode function buffer overflow
There is a buffer overflow condition in the
ssl_util_uuencode_binary function in mod_ssl,
which is used for encoding binary data. An attacker who is
able to force this function to be called could cause a
denial of service. It is unlikely that this vulnerability
could allow an attacker to execute commands on x86 platforms,
but it could be possible on other platforms. mod_ssl for Apache 2
through 2.0.49 and mod_ssl 2.8.17 and earlier for Apache 1
are affected by this vulnerability.
i2d_SSL_SESSION buffer overflow
The mod_ssl Apache module and Apache-SSL make calls to the
i2d_SSL_SESSION OpenSSL routine, which stores
data into a buffer. Both mod_ssl and Apache-SSL improperly declare the buffer
as a fixed-length character array, resulting in a buffer
overflow condition. However, this buffer overflow is difficult
to exploit. In order to exploit it, an attacker would need
to create a very large session. The only obvious way for
an attacker to attempt this would be to send a very large
client certificate. But the certificate must be provided by a certificate
authority which is trusted by the web server in order for
the affected code to run. Additionally, both certificate
authentication and dbm or shared memory session caching must
be enabled for this vulnerability to be exploitable.
Despite the difficulty in exploitation, it would be advisable
to remedy this problem, since other, more feasible, exploitation
methods could be discovered at any time. Versions of mod_ssl
prior to 2.8.7 and Apache-SSL prior to 1.47 are affected by this vulnerability.
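The length check that a fixed-length session buffer needs can be sketched as follows. This is an added example, not code from mod_ssl, Apache-SSL or OpenSSL: demo_i2d is a hypothetical stand-in that follows the i2d convention of returning the encoded length when passed a NULL output pointer, and CACHE_BUF_LEN and the session layout are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CACHE_BUF_LEN 64            /* constructed size, for the demo only */

struct demo_session {               /* hypothetical session record */
    const unsigned char *cert;      /* peer certificate bytes */
    size_t cert_len;                /* size is influenced by the client */
};

/* Hypothetical i2d-style serializer: returns the encoded length. If pp is
 * non-NULL it writes the encoding at *pp and advances *pp past it. It has
 * no knowledge of how large the caller's buffer is. */
static int demo_i2d(const struct demo_session *s, unsigned char **pp)
{
    if (s->cert_len > 0x7ffffff0u)
        return -1;                  /* length would not fit in an int */
    size_t len = 4 + s->cert_len;   /* 4-byte tag + certificate */
    if (pp != NULL) {
        unsigned char *p = *pp;
        memcpy(p, "SESS", 4);
        memcpy(p + 4, s->cert, s->cert_len);
        *pp = p + len;
    }
    return (int)len;
}

/* Hardened caller: query the length first, refuse a session that does not
 * fit the fixed-length array, and only then serialize into it. Calling the
 * serializer directly on the array, without the query, is the pattern that
 * overflows. Returns the bytes stored, or -1 if the session is too large. */
static int store_session(const struct demo_session *s,
                         unsigned char out[CACHE_BUF_LEN])
{
    int need = demo_i2d(s, NULL);
    if (need < 0 || (size_t)need > CACHE_BUF_LEN)
        return -1;
    unsigned char *p = out;
    return demo_i2d(s, &p);
}

int main(void)
{
    unsigned char cert[200] = {0};  /* constructed oversized certificate */
    unsigned char buf[CACHE_BUF_LEN];
    struct demo_session s = { cert, sizeof cert };
    printf("oversized session stored: %d\n", store_session(&s, buf));
    return 0;
}
```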
mod_ssl Configuration File Parsing Vulnerability
mod_ssl prior to 2.8.10 contains
a one-byte buffer overflow in the processing of configuration
directives. Exploitation of this vulnerability would require
the attacker to create a long, specially-crafted directive in
the Apache configuration. Since Apache allows
per-directory configuration files (usually called
.htaccess), a local user could exploit this
vulnerability using a .htaccess file under
his or her own directory. The result would be a denial of
service or the ability to execute arbitrary commands with
the privileges of the web server.
The mod_ssl ssl_util_uuencode_binary function buffer overflow
was posted to [http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0856.html] Full Disclosure.
The i2d_SSL_SESSION buffer overflow in mod_ssl and Apache-SSL was announced in
[http://www.ciac.org/ciac/bulletins/m-053.shtml] CIAC Bulletin M-053,
[http://online.securityfocus.com/archive/1/258646] Bugtraq archive 258646, and an
[http://www.apache-ssl.org/advisory-20020301.txt] Apache-SSL advisory.
The one-byte buffer overflow in mod_ssl was posted to
[http://online.securityfocus.com/archive/1/279074] Bugtraq archive 279074.
Low Attack Complexity, Partial Confidentiality Impact, Partial Integrity Impact, Complete Availability Impact