Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability

securityvulns.com archive entry SECURITYVULNS:DOC:4623, May 31, 2003 (mirrored via vulners.com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt

Apache Portable Runtime Denial of Service and Arbitrary Code
Execution Vulnerability

May 30, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern operating
systems, including Unix and Microsoft Corp.'s Windows. More information
is available at http://httpd.apache.org/ .

The Apache Portable Runtime (APR) provides a free library of C data
structures and routines, forming a system portability layer for as
many operating systems as possible. More information is available at
http://apr.apache.org/ .

mod_dav is an open-source Apache module that provides Distributed
Authoring and Versioning (DAV) capabilities to the Apache HTTP
Server. More information is available at
http://www.webdav.org/mod_dav/ .

II. DESCRIPTION

Passing an overly long string to the apr_psprintf() APR library
function that is used by the Apache HTTP Server could cause an
application to reference memory that should have already been
returned to the heap allocation pool. Arbitrary code execution
remains a possibility but has not been substantiated at the time of
publication of this report. Considering the strict conditions
necessary for successful code execution, it would be feasible but
difficult to develop an exploit capable of functioning outside of a
lab environment.
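The free-list mistake that the one-line patch in section V corrects, reduced to a constructed C model. This is illustrative code added here, not APR or iDEFENSE code: the names pool_node, psprintf_flush, pool_build and result_survives are invented, and the input string is constructed. The formatter moves a growing string into ever larger nodes; after each move it must return the drained node to the pool's free list, and the pre-patch assignment returns the node it is about to keep writing into instead. Because the free list here is the model's own, the consequence is deterministic: the next allocation from the pool hands back the block that still holds the formatted string, and writing to it clobbers the result.

```c
/* Constructed model of the APR pool free-list mistake fixed by the patch in
 * section V.  Added for this page; not APR or iDEFENSE code.  pool_node,
 * psprintf_flush, pool_build and result_survives are invented names; the free
 * list is the model's own, so the misuse is deterministic, not undefined. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct node {
    struct node *next;   /* free-list link */
    size_t cap;          /* bytes available in data */
    size_t used;         /* bytes written so far */
    char *data;
};

struct pool {
    struct node *free;   /* head of the free list */
};

static void *xrealloc(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (!q) { perror("realloc"); exit(1); }
    return q;
}

/* Hand out a node: reuse the free-list head if there is one, else allocate. */
static struct node *pool_node(struct pool *p, size_t cap)
{
    struct node *n = p->free;
    if (n) {
        p->free = n->next;
        if (n->cap < cap) {
            n->data = xrealloc(n->data, cap);
            n->cap = cap;
        }
    } else {
        n = xrealloc(NULL, sizeof *n);
        n->data = xrealloc(NULL, cap);
        n->cap = cap;
    }
    n->next = NULL; n->used = 0;
    return n;
}

/* Formatter state: the node being written, and whether an earlier flush
 * already gave us a node of our own (the first node belongs to the pool). */
struct psprintf_state {
    struct pool *pool;
    struct node *active;
    int got_a_new_node;
};

/* 'active' is full: move the partial string into a node twice as large and
 * give the drained node back to the free list.  'buggy' selects the
 * pre-patch assignment, which recycles the node we keep writing into. */
static void psprintf_flush(struct psprintf_state *ps, int buggy)
{
    struct node *active = ps->active;
    struct node *node = pool_node(ps->pool, active->cap * 2);
    memmove(node->data, active->data, active->used);  /* may alias when buggy */
    node->used = active->used;
    if (ps->got_a_new_node) {
        active->next = ps->pool->free;
        ps->pool->free = buggy ? node : active;  /* the patch: node -> active */
    }
    ps->got_a_new_node = 1;
    ps->active = node;
}

/* Append s one byte at a time into pool nodes, flushing as they fill; the
 * finished NUL-terminated string lives in the last node's data. */
static char *pool_build(struct pool *p, const char *s, int buggy)
{
    struct psprintf_state ps = { p, pool_node(p, 4), 0 };
    for (; *s; s++) {
        if (ps.active->used == ps.active->cap)
            psprintf_flush(&ps, buggy);
        ps.active->data[ps.active->used++] = *s;
    }
    if (ps.active->used == ps.active->cap)
        psprintf_flush(&ps, buggy);
    ps.active->data[ps.active->used++] = '\0';
    return ps.active->data;
}

/* Format a string, then make one unrelated allocation from the same pool and
 * write to it.  Returns 1 if the formatted string is still intact. */
static int result_survives(int buggy)
{
    struct pool pool = { NULL };
    const char *text = "0123456789abcdef";   /* constructed input */
    char *result = pool_build(&pool, text, buggy);
    struct node *later = pool_node(&pool, 8);
    memset(later->data, 'X', 8);              /* ordinary use of the new node */
    return strcmp(result, text) == 0;         /* nodes are leaked; demo only */
}

int main(void)
{
    printf("pre-patch (ps->free = node):   intact=%d\n", result_survives(1));
    printf("patched   (ps->free = active): intact=%d\n", result_survives(0));
    return 0;
}
```

result_survives(1) models the pre-patch assignment and reports 0; result_survives(0) models the patched one and reports 1. In APR the recycled block goes to whatever allocates next, so the symptom is not a predictably corrupted string but the crash the advisory reports in section III.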

III. ANALYSIS

The remote denial of service aspect of this vulnerability can be
exploited if a remote attacker is able to pass large strings to the
vulnerable function, as is the case in the mod_dav attack vector,
where a specially crafted XML object request of approximately 12250
bytes crashed HTTP Server running on a non-Windows OS; approximately
20000 characters crashed it on a Windows OS.

IV. DETECTION

Applications that rely on older versions of APR are vulnerable. A
list of such projects is available at
http://apr.apache.org/projects.html#open_source . Both the Windows
and Unix implementations of Apache HTTP Server 2.0.37 through 2.0.45
inclusive are vulnerable.

V. WORKAROUND

The following patch should mitigate this vulnerability:

--- srclib/apr/memory/unix/apr_pools.c	7 Mar 2003 12:12:43 -0000	1.195
+++ srclib/apr/memory/unix/apr_pools.c	8 May 2003 20:11:14 -0000
@@ -976,7 +976,7 @@
     if (ps->got_a_new_node) {
         active->next = ps->free;
-        ps->free = node;
+        ps->free = active;
     }
 
     ps->got_a_new_node = 1;
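Review bot: the hunk header claims 7 lines on each side but only 6 are visible (two lines of leading context, one removed and one added line, three trailing lines), so one context line was lost in transcription and `patch` will reject the hunk as shown; take the fix from the vendor release or the APR repository rather than applying this text verbatim. The change itself is a single assignment, `ps->free = active;` in place of `ps->free = node;`, and nothing in the two lines of context says which of `active` and `node` is the block just drained and which is the one still being written into; a one-line comment above the assignment stating that `active` is the drained block being returned to the free list would make the intent reviewable and keep the mistake from being reintroduced.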
    

VI. VENDOR FIX

Apache HTTP Server 2.0.46, which contains updates for APR, can be
downloaded at http://httpd.apache.org/download.cgi .

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0245 to this issue.

VIII. DISCLOSURE TIMELINE

03/19/2003 Issue disclosed to iDEFENSE
04/08/2003 iDEFENSE Labs initial research complete
04/09/2003 [email protected] contacted
04/09/2003 Response from Lars Eilebrecht and Bill Rowe of Apache
04/11/2003 Response from Ian Holsman of Apache
05/08/2003 Response from Mark Cox of Apache
05/08/2003 Initial research and patch submitted to iDEFENSE
           by Joe Orton of Apache
05/09/2003 Apache patch verified by iDEFENSE Labs
05/12/2003 vendor-sec list notified
05/26/2003 iDEFENSE clients notified
05/30/2003 Coordinated public disclosure

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to [email protected], subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPtfBkvrkky7kqW5PEQLpoACfZbcO/qJ0WbCRGj/oKXFFImvgpTYAn0UB
OFmhMmVLLiDuaGPQtTcbGnJN
=Icpc
-----END PGP SIGNATURE-----
