504287 : Buffer Overflow In Mod_ssl 2.7.1

Risk 4 : Web Services

A remote attacker may be able to crash the Apache process or execute arbitrary commands.

Apache is a widely used, freely available web server developed by the Apache Software Foundation.

Several third-party developers have developed modules that can be added to Apache to add capabilities that are not part of the basic web server package. One such module is mod_ssl, which provides strong cryptography for the Apache web server using OpenSSL. Apache-SSL also uses OpenSSL to provide secure web services.

mod_ssl uuencode function buffer overflow

05/27/04 CVE 2004-0488 There is a buffer overflow condition in the ssl_util_uuencode_binary function in mod_ssl, which is used for encoding binary data. An attacker who is able to force this function to be called could cause a denial of service. It is unlikely that this vulnerability could allow an attacker to execute commands on x86 platforms, but it could be possible on other platforms. mod_ssl for Apache 2 through 2.0.49 and mod_ssl 2.8.17 and earlier for Apache 1 are affected by this vulnerability.

i2d_SSL_SESSION buffer overflow

03/04/02 CVE 2002-0082 The mod_ssl Apache module and Apache-SSL both call the OpenSSL routine i2d_SSL_SESSION, which writes the encoded form of an SSL session into a caller-supplied buffer. Both pass a fixed-length character array and do not check whether the session's encoding fits in it, so a sufficiently large session overflows the buffer. The overflow is difficult to exploit: an attacker would need to create a very large session, and the only obvious way to do that is to present a very large client certificate. That certificate must be signed by a certificate authority the web server trusts before the affected code runs, and both client certificate authentication and dbm or shared-memory session caching must be enabled for the condition to be reachable.

Despite the difficulty of exploitation, the problem should be fixed, since easier ways to trigger the overflow could be discovered at any time. Versions of mod_ssl prior to 2.8.7 and Apache-SSL prior to 1.47 are affected by this vulnerability.
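The buffer-sizing mistake described above, as an added illustration (example code written for this page, not mod_ssl's, Apache-SSL's or OpenSSL's own source). OpenSSL's i2d_* routines report the encoded length when called with a NULL output pointer, and otherwise write into the caller's buffer and advance the pointer without knowing how large that buffer is. The toy_i2d_session function below follows that convention over a stand-in session structure (session id plus a client-certificate blob); FIXED_CACHE_BUF is an assumed "typical session" size, and the sample sessions are constructed synthetic bytes. cache_session_fixed is the vulnerable shape, cache_session_dynamic is the query-length-then-allocate idiom that avoids it.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for OpenSSL's SSL_SESSION with only the fields we serialise.
 * The peer certificate is what can make a session "very large". */
typedef struct {
    unsigned char session_id[32];
    size_t session_id_len;
    const unsigned char *peer_cert;   /* DER bytes of the client certificate */
    size_t peer_cert_len;
} toy_session;

static void put_u32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Follows the OpenSSL i2d_* convention: with pp == NULL (or *pp == NULL)
 * it only reports the encoded length; otherwise it writes at *pp and
 * advances *pp. It never checks how much room the caller has, so the
 * caller must size the buffer from the first call. (Toy encoding: two
 * length-prefixed fields, not real ASN.1.) */
static int toy_i2d_session(const toy_session *s, unsigned char **pp) {
    size_t need = 4 + s->session_id_len + 4 + s->peer_cert_len;
    if (need > INT_MAX) return -1;
    if (pp == NULL || *pp == NULL) return (int)need;
    unsigned char *p = *pp;
    put_u32(p, (uint32_t)s->session_id_len); p += 4;
    memcpy(p, s->session_id, s->session_id_len); p += s->session_id_len;
    put_u32(p, (uint32_t)s->peer_cert_len); p += 4;
    memcpy(p, s->peer_cert, s->peer_cert_len); p += s->peer_cert_len;
    *pp = p;
    return (int)need;
}

#define FIXED_CACHE_BUF 1024   /* assumed "typical session" size */

/* VULNERABLE shape from the advisory: a fixed-length array is handed to
 * i2d_* with no check that the session fits. A session carrying a large
 * client certificate writes past the end of out[]. Shown for contrast;
 * this example only ever calls it with a session known to fit. */
static int cache_session_fixed(const toy_session *s, unsigned char out[FIXED_CACHE_BUF]) {
    unsigned char *p = out;
    return toy_i2d_session(s, &p);
}

/* HARDENED shape: ask i2d_* for the length first, allocate exactly that,
 * encode, and verify the pointer advanced by the promised amount. */
static unsigned char *cache_session_dynamic(const toy_session *s, int *out_len) {
    int len = toy_i2d_session(s, NULL);
    if (len <= 0) return NULL;
    unsigned char *buf = malloc((size_t)len);
    if (buf == NULL) return NULL;
    unsigned char *p = buf;
    if (toy_i2d_session(s, &p) != len || p != buf + len) { free(buf); return NULL; }
    *out_len = len;
    return buf;
}

/* Constructed sample session (synthetic filler bytes, not real TLS data). */
static void make_sample(toy_session *s, unsigned char *cert, size_t cert_len) {
    memset(s->session_id, 0xA5, sizeof s->session_id);
    s->session_id_len = sizeof s->session_id;
    memset(cert, 0x30, cert_len);
    s->peer_cert = cert;
    s->peer_cert_len = cert_len;
}

/* 1 if a sample session with a cert_len-byte certificate fits FIXED_CACHE_BUF. */
int sample_fits_fixed(size_t cert_len) {
    unsigned char *cert = malloc(cert_len ? cert_len : 1);
    toy_session s;
    make_sample(&s, cert, cert_len);
    int len = toy_i2d_session(&s, NULL);
    free(cert);
    return len > 0 && (size_t)len <= FIXED_CACHE_BUF;
}

/* Encode the sample via the dynamic path; return the encoded length, or -1. */
int sample_dynamic_len(size_t cert_len) {
    unsigned char *cert = malloc(cert_len ? cert_len : 1);
    toy_session s;
    make_sample(&s, cert, cert_len);
    int len = -1;
    unsigned char *enc = cache_session_dynamic(&s, &len);
    if (enc != NULL) {   /* sanity: cert length prefix sits after the 4+32 byte id field */
        uint32_t cl = ((uint32_t)enc[36] << 24) | ((uint32_t)enc[37] << 16) |
                      ((uint32_t)enc[38] << 8) | enc[39];
        if (cl != cert_len) len = -1;
    }
    free(enc);
    free(cert);
    return len;
}

/* Encode a small sample (100-byte cert) via the fixed path; returns bytes written. */
int sample_fixed_small(void) {
    unsigned char cert[100], out[FIXED_CACHE_BUF];
    toy_session s;
    make_sample(&s, cert, sizeof cert);
    return cache_session_fixed(&s, out);
}

int main(void) {
    printf("small session: %d bytes, fits fixed buffer: %d\n",
           sample_fixed_small(), sample_fits_fixed(100));
    printf("4000-byte cert: fits fixed buffer: %d, dynamic path encoded %d bytes\n",
           sample_fits_fixed(4000), sample_dynamic_len(4000));
    return 0;
}
```

The 4000-byte-certificate sample encodes to more than FIXED_CACHE_BUF bytes, which is exactly why the example never passes it to cache_session_fixed; the length-first call is what lets the hardened path handle it safely.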

mod_ssl Configuration File Parsing Vulnerability

07/09/02 CVE 2002-0653 mod_ssl prior to 2.8.10 contains a one-byte (off-by-one) buffer overflow in the processing of configuration directives. Exploiting it requires placing a long, specially crafted directive in the Apache configuration. Because Apache honours per-directory configuration files (usually named .htaccess), a local user who can write such a file in a directory they control can trigger the overflow. The result is a denial of service or the execution of arbitrary commands with the privileges of the web server.
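The shape of a one-byte overflow in directive handling, as an added example (this is not mod_ssl's code; the function names, the 256-byte buffer and the 'A'-filled argument are assumptions for illustration). copy_arg_naive copies a directive argument into a fixed buffer with a length check that is off by one, so the NUL terminator lands one byte past the array when the argument exactly fills it; copy_arg_fixed reserves room for the terminator. The probe harness gives each copier a buffer that is secretly one byte longer and watches that byte, so the overflow is observed without the example itself writing out of bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy a directive argument into a fixed-size buffer and NUL-terminate it.
 * VULNERABLE: the check admits n == dst_sz, so the terminator is written
 * to dst[dst_sz], one byte past the end of the array. */
static int copy_arg_naive(char *dst, size_t dst_sz, const char *src) {
    size_t n = strlen(src);
    if (n > dst_sz) return -1;          /* should be n >= dst_sz */
    memcpy(dst, src, n);
    dst[n] = '\0';                      /* off by one when n == dst_sz */
    return 0;
}

/* HARDENED: reserve one byte for the terminator. */
static int copy_arg_fixed(char *dst, size_t dst_sz, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_sz) return -1;         /* no room for src plus NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

typedef int (*copy_fn)(char *, size_t, const char *);

/* Harness: hand the copier a dst_sz-byte buffer that is really one byte
 * longer and watch the sentinel just past it. Returns 1 if the sentinel
 * was overwritten (the one-byte overflow fired), 0 if it survived, and
 * -1 if the copier rejected the argument. The spare byte keeps every
 * write inside a valid allocation, so the probe is not itself UB. */
static int probe_overflow(copy_fn copy, size_t dst_sz, size_t arg_len) {
    char *buf = malloc(dst_sz + 1);
    char *arg = malloc(arg_len + 1);
    if (buf == NULL || arg == NULL) { free(buf); free(arg); return -2; }
    memset(arg, 'A', arg_len);          /* constructed over-long directive argument */
    arg[arg_len] = '\0';
    buf[dst_sz] = (char)0x7F;           /* sentinel: must never change */
    int rc = copy(buf, dst_sz, arg);
    int clobbered = (buf[dst_sz] != (char)0x7F);
    free(buf); free(arg);
    if (rc != 0) return -1;
    return clobbered;
}

int naive_probe(size_t dst_sz, size_t arg_len) { return probe_overflow(copy_arg_naive, dst_sz, arg_len); }
int fixed_probe(size_t dst_sz, size_t arg_len) { return probe_overflow(copy_arg_fixed, dst_sz, arg_len); }

int main(void) {
    /* A 256-byte buffer fed arguments of 255, 256 and 257 bytes. */
    printf("naive, 255 bytes: %d\n", naive_probe(256, 255));   /* 0: fits */
    printf("naive, 256 bytes: %d\n", naive_probe(256, 256));   /* 1: sentinel overwritten */
    printf("naive, 257 bytes: %d\n", naive_probe(256, 257));   /* -1: rejected */
    printf("fixed, 256 bytes: %d\n", fixed_probe(256, 256));   /* -1: rejected */
    return 0;
}
```

Only the boundary case (an argument exactly as long as the buffer) slips past the naive check, which is why such bugs survive casual testing with short and very long inputs. On the Apache side, the attack surface for a local user is limited by what AllowOverride permits in .htaccess files, independent of the mod_ssl fix.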

The ssl_util_uuencode_binary overflow in mod_ssl was posted to [http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0856.html] Full Disclosure.

The vulnerability in mod_ssl and Apache-SSL was announced in [http://www.ciac.org/ciac/bulletins/m-053.shtml] CIAC Bulletin M-053, [http://online.securityfocus.com/archive/1/258646] Bugtraq archive 258646, and an [http://www.apache-ssl.org/advisory-20020301.txt] Apache-SSL advisory.

The one-byte buffer overflow in mod_ssl was posted to [http://online.securityfocus.com/archive/1/279074] Bugtraq archive 279074.

Solution:

Rebuild Apache 1 with [http://www.modssl.org] mod_ssl 2.8.19 or higher, or upgrade to [http://httpd.apache.org/download.cgi] Apache 2.2.9 or higher when available. Alternatively, Apache 2.0.50 can be used with the [http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.124&r2=1.125] ssl_engine_io.c patch if proxying to SSL servers is not enabled and there are not any SSLCipherSuite directives in directory or location context.

Installing an updated package from your operating system vendor is another way to fix these vulnerabilities.

Apache-SSL users should [http://www.apache-ssl.org] upgrade to version 1.53 or higher.

References:
CVSS Information:
Low Attack Complexity, Partial Confidentiality Impact, Partial Integrity Impact, Complete Availability Impact
Credit:
SAINT Corporation : 2010-03-25