Mod_SSL Off-By-One .htaccess Local Buffer Overflow Vulnerability

Vulnerability ID 1106816 Vulnerability type Boundary condition error
Published 2002-06-22 Updated 2006-11-07
CVE ID CVE-2002-0653 CNNVD ID CNNVD-200207-065
Platform Multiple CVSS score 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/21575
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200207-065
|Vulnerability details
mod_ssl is a module that gives the Apache 1.3 web server strong cryptography via the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. mod_ssl fails to check a boundary length correctly when processing entries in .htaccess configuration files, and a local attacker can exploit this to cause a buffer overflow. The Apache web server exposes an extended API that lets third-party modules plug in through a number of hooks; one of these is the rewrite_command hook. If the web server lets unprivileged users set up access control for their own web content, the "AllowOverride" directive must be enabled in the Apache configuration so that .htaccess files are honoured. When it is, the contents of the .htaccess file are read and passed through the rewrite_command hook, and the ssl_compat_directive() call made from that hook contains an off-by-one error when it reads the DATE_LOCALE variable from the .htaccess file. The problematic code is:

...
char *cp;
char caCmd[1024];
char *cpArgs;
...
cp = (char *)oline;
for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
                                                       ^^^^^^^^
    caCmd[i++] = *cp++;
caCmd[i] = NUL;
cpArgs = cp;
...

The loop stops when i reaches 1024, but the terminator is then stored at caCmd[i], that is caCmd[1024], one byte past the end of the 1024-byte array. If an attacker can place a DATE_LOCALE variable of 10000 bytes in an .htaccess file, the web server process handling the request overflows the buffer, and carefully constructed variable data may make it possible to execute arbitrary commands with the privileges of the web server process.
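The excerpt above is small enough to test in isolation. The following is an added example, not mod_ssl's own code: it reproduces the copy loop with the original bounds test next to a hardened version, runs both against a constructed directive line whose first token is 1023, 1024 and 12288 bytes long, and checks the byte immediately after the 1024-byte buffer. That guard byte and the "AAAA...A arg" line are assumptions made for the demonstration; the real stack frame holds other local variables after caCmd, which is what makes the single stray NUL exploitable rather than harmless.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUL '\0'
#define CMD_MAX 1024          /* sizeof(caCmd) in the affected routine */

typedef const char *(*copy_fn)(char *caCmd, const char *oline);

/* Same loop and bounds test as the advisory's excerpt: it stops at
 * i == CMD_MAX and then stores the terminator at caCmd[CMD_MAX],
 * one byte past the end of the array. */
static const char *copy_cmd_vulnerable(char *caCmd, const char *oline)
{
    const char *cp = oline;
    int i;

    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < CMD_MAX; )
        caCmd[i++] = *cp++;
    caCmd[i] = NUL;           /* i can be CMD_MAX here: off-by-one write */
    return cp;                /* what the routine keeps as cpArgs */
}

/* Hardened copy: reserve the last slot for NUL so i never exceeds
 * CMD_MAX - 1. Over-long tokens are truncated, so the caller must treat a
 * cpArgs that still points inside the token as an error, not a directive. */
static const char *copy_cmd_fixed(char *caCmd, const char *oline)
{
    const char *cp = oline;
    int i;

    for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < CMD_MAX - 1; )
        caCmd[i++] = *cp++;
    caCmd[i] = NUL;           /* i <= CMD_MAX - 1: always in bounds */
    return cp;
}

struct probe {
    int guard_clobbered;      /* 1 if the byte after caCmd was overwritten */
    size_t cmd_len;           /* strlen() of the copied command */
    int truncated;            /* 1 if cpArgs still points inside the token */
};

/* Constructed input: a directive line "AAAA...A arg" whose first token is
 * token_len bytes long. The copy routine gets a 1024-byte buffer followed
 * by one guard byte (0xAA) standing in for whatever the real frame holds
 * after caCmd; the probe reports whether that byte survived. */
static struct probe probe_copy(copy_fn copy, size_t token_len)
{
    static const char tail[] = " arg";
    char storage[CMD_MAX + 1];          /* caCmd[0..1023] plus the guard */
    char *line = malloc(token_len + sizeof tail);
    struct probe p;
    const char *args;

    if (line == NULL)
        abort();
    memset(line, 'A', token_len);
    memcpy(line + token_len, tail, sizeof tail);   /* copies the NUL too */

    memset(storage, 0, sizeof storage);
    storage[CMD_MAX] = (char)0xAA;      /* guard byte */
    args = copy(storage, line);

    p.guard_clobbered = (unsigned char)storage[CMD_MAX] != 0xAA;
    p.cmd_len = strlen(storage);
    p.truncated = *args == 'A';         /* stopped before the token ended */
    free(line);
    return p;
}

int main(void)
{
    size_t lens[] = { 1023, 1024, 12288 };
    size_t n;

    for (n = 0; n < sizeof lens / sizeof lens[0]; n++) {
        struct probe v = probe_copy(copy_cmd_vulnerable, lens[n]);
        struct probe f = probe_copy(copy_cmd_fixed, lens[n]);
        printf("token %5zu bytes: vulnerable guard=%s len=%zu | "
               "fixed guard=%s len=%zu truncated=%d\n",
               lens[n], v.guard_clobbered ? "CLOBBERED" : "intact", v.cmd_len,
               f.guard_clobbered ? "CLOBBERED" : "intact", f.cmd_len,
               f.truncated);
    }
    return 0;
}
```

A 1023-byte token leaves the guard intact with either routine; from 1024 bytes upward the original loop writes its NUL over the guard, and the length of the attacker's token beyond that (10000 or 12288 bytes) changes nothing about where the write lands, only that it is certain to happen. The fix costs one byte of capacity and, as the truncated flag shows, needs an explicit over-length check by the caller to be complete.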
|Exploit
source: http://www.securityfocus.com/bid/5084/info

An off-by-one issue exists in mod_ssl that affects Apache when handling certain types of long entries in an .htaccess file. Though this capability within the web server is not enabled by default, it is popular as it allows non-privileged users to create web access control schemes for hosted sites, and is enabled through the "AllowOverride" configuration variable in Apache. A .htaccess file with 10000 or more bytes set into the variable DATE_LOCALE will result in a buffer overflow within the web server process handling the request.

In a regular .htaccess file:

SetEnv DATE_LOCALE "X"

where the character X represents a string of 12288 bytes.
|References

Source: BID
Name: 5084
Link: http://www.securityfocus.com/bid/5084
Source: REDHAT
Name: RHSA-2003:106
Link: http://www.redhat.com/support/errata/RHSA-2003-106.html
Source: REDHAT
Name: RHSA-2002:146
Link: http://www.redhat.com/support/errata/RHSA-2002-146.html
Source: REDHAT
Name: RHSA-2002:136
Link: http://www.redhat.com/support/errata/RHSA-2002-136.html
Source: REDHAT
Name: RHSA-2002:135
Link: http://www.redhat.com/support/errata/RHSA-2002-135.html
Source: REDHAT
Name: RHSA-2002:134
Link: http://www.redhat.com/support/errata/RHSA-2002-134.html
Source: SUSE
Name: SuSE-SA:2002:028
Link: http://www.novell.com/linux/security/advisories/2002_028_mod_ssl.html
Source: MANDRAKE
Name: MDKSA-2002:048
Link: http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-048.php
Source: XF
Name: apache-modssl-htaccess-bo(9415)
Link: http://www.iss.net/security_center/static/9415.php
Source: DEBIAN
Name: DSA-135
Link: http://www.debian.org/security/2002/dsa-135
Source: REDHAT
Name: RHSA-2002:164
Link: http://rhn.redhat.com/errata/RHSA-2002-164.html
Source: VULN-DEV
Name: 20020622 Another flaw in Apache?
Link: http://marc.theaimsgroup.