[1375] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Apache 1.1.1 overflow

daemon@ATHENA.MIT.EDU (David Sacerdote)
Wed Jan 15 13:11:48 1997

Resent-From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
Resent-To: linux-security@redhat.com
Reply-To: David Sacerdote <davids@secnet.com>
From: David Sacerdote <davids@secnet.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Date: 	Sun, 12 Jan 1997 19:48:15 -0700

[Mod: header changed -- alex]

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             January 12, 1997

                    Vulnerabilities in the Apache httpd

There is a serious vulnerability in the cookies module of the Apache httpd,
version 1.1.1 and earlier, which makes it possible for remote individuals
to obtain access to systems running the Apache httpd.  Only sites which
enabled mod_cookies, a nondefault option, are vulnerable.

Technical Details
~~~~~~~~~~~~~~~~~
The function make_cookie, in mod_cookies.c uses a 100 byte buffer,
new_cookie to store information used to track web site users.  The
hostname, which with even the most cautious of resolver libraries, can be
up to 255 characters long, is stuffed into this buffer, along with the
string "apache=" and a number.  The offending code reads:

void make_cookie(request_rec *r)
{
    struct timeval tv;
    char new_cookie[100];       /* blurgh */
    char *dot;
    const char *rname = pstrdup(r->pool,
                                get_remote_host(r->connection, r->per_dir_config,
                                                REMOTE_NAME));
struct timezone tz = { 0 , 0 };
    if ((dot = strchr(rname,'.'))) *dot='\0';   /* First bit of hostname */
    gettimeofday(&tv, &tz);
    sprintf(new_cookie,"%s%s%d%ld%d; path=/",
        COOKIE_NAME, rname,
        (int)getpid(),
        (long)tv.tv_sec, (int)tv.tv_usec/1000 );
    table_set(r->headers_out,"Set-Cookie",new_cookie);
    return;
}

Note that although the get_remote_host() function converts all uppercase
letters to lowercase letters, there is at least one way in which a
determined attacker can still exploit the overflow.


Impact
~~~~~~
Remote individuals can obtain access to the web server.  If the httpd
services requests as user root, attackers can obtain root access.  If the
httpd is run in a chroot() environment, the attacker will be restricted to
the chrooted environment.  We strongly advise adminstrators to run their
web servers as an unpriviliged user in an chrooted environment whenever
possible.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~
Any system running the Apache httpd 1.1.1 or earlier, with the compile-time
option mod_cookies enabled is vulnerable.  To tell which web server
software you are using, telnet to port 80 of the web server, and issue the
command:
GET / HTTP/1.0
to the web server, followed by two carriage returns.  You should see
something which looks like:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Tue, 07 Jan 1997 18:59:31 GMT
Server: Apache/1.1.1
Content-type: text/html
Set-Cookie: Apache=localhost9185266357164; path=/


home help back first fref pref prev next nref lref last post