SA04-002 - Apache config file env variable buffer overflow

2004-09-16T00:00:00
ID SECURITYVULNS:DOC:6815
Type securityvulns
Reporter Securityvulns
Modified 2004-09-16T00:00:00

Description

* SITIC Vulnerability Advisory *

Advisory Name: Apache config file env variable buffer overflow
Advisory Reference: SA04-002
Date of initial release: 2004-09-15
Product: Apache 2.0.x
Platform: Linux, BSD systems, Unix, Windows
Effect: Code execution when processing .htaccess files
Vulnerability Identifier: CAN-2004-0747

Overview:

Apache suffers from a buffer overflow when expanding environment variables in configuration files such as .htaccess and httpd.conf. In a setup typical of ISPs, for instance, users are allowed to configure their own public_html directories with .htaccess files, leading to possible privilege escalation.

Details:

The buffer overflow occurs when expanding ${ENVVAR} constructs in .htaccess or httpd.conf files. The function ap_resolve_env() in server/util.c copies data from environment variables to the character array tmp with strcat(3), leading to a buffer overflow.

HTTP requests that exploit this problem are not shown in the access log. The error log will show Segmentation faults, though.
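The following C program is an added illustration and is neither Apache's code nor the fix shipped in 2.0.51. It expands ${NAME} constructs from a configuration line into a fixed-size buffer while refusing any expansion that would not fit, which is the length check whose absence the Details section describes. The environment table, function names and buffer sizes are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed environment table (not the process environment) so that the
 * example runs offline and deterministically. */
static const char *const kEnv[][2] = {
    {"DOCROOT", "/var/www/html"},
    {"USER", "alice"},
    {"LONGVAL", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {NULL, NULL}
};

/* Look up a variable by (name, length). Unset variables expand to "". */
static const char *lookup_env(const char *name, size_t len) {
    for (size_t i = 0; kEnv[i][0] != NULL; i++) {
        if (strlen(kEnv[i][0]) == len && memcmp(kEnv[i][0], name, len) == 0)
            return kEnv[i][1];
    }
    return "";
}

/* Append srclen bytes of src to out[] at *pos, never exceeding outsz - 1 bytes
 * so the terminator always fits. Returns 0 on success, -1 if it would not fit.
 * This bounded append is the replacement for an unchecked strcat(3). */
static int append_bounded(char *out, size_t outsz, size_t *pos,
                          const char *src, size_t srclen) {
    if (srclen > outsz - 1 - *pos)
        return -1;
    memcpy(out + *pos, src, srclen);
    *pos += srclen;
    out[*pos] = '\0';
    return 0;
}

/* Expand every ${NAME} in `in` into `out` (capacity outsz).
 * Returns 0 on success, -1 if the result would not fit or a ${ is unterminated.
 * On failure out[] is left empty so a caller cannot act on a partial value. */
int resolve_env_bounded(const char *in, char *out, size_t outsz) {
    size_t pos = 0;
    const char *p = in;

    if (outsz == 0)
        return -1;
    out[0] = '\0';

    while (*p) {
        if (p[0] == '$' && p[1] == '{') {
            const char *start = p + 2;
            const char *end = strchr(start, '}');
            if (end == NULL) {            /* malformed: "${" without "}" */
                out[0] = '\0';
                return -1;
            }
            const char *val = lookup_env(start, (size_t)(end - start));
            if (append_bounded(out, outsz, &pos, val, strlen(val)) != 0) {
                out[0] = '\0';
                return -1;
            }
            p = end + 1;
        } else {
            /* Copy the literal run up to the next "${" (or end of string). */
            const char *next = strstr(p, "${");
            size_t lit = next ? (size_t)(next - p) : strlen(p);
            if (append_bounded(out, outsz, &pos, p, lit) != 0) {
                out[0] = '\0';
                return -1;
            }
            p += lit;
        }
    }
    return 0;
}

int main(void) {
    char buf[64];
    /* Constructed .htaccess-style value using two variables. */
    if (resolve_env_bounded("${DOCROOT}/${USER}/public_html", buf, sizeof buf) == 0)
        printf("expanded: %s\n", buf);
    char small[16];
    if (resolve_env_bounded("${LONGVAL}", small, sizeof small) != 0)
        printf("rejected: expansion does not fit in %zu bytes\n", sizeof small);
    return 0;
}
```

Rejecting an oversized expansion (and leaving the output empty) is preferable to silently truncating it: a truncated path or option value would change the meaning of the directive being parsed, whereas a rejected line can be reported as a configuration error.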

Mitigating factors:

Exploitation requires manual installation of malicious .htaccess files by someone with normal user rights.

Affected versions:

o Apache 2.0.50
o many other 2.0.x versions

Recommendations:

o A fix for this issue is incorporated into Apache 2.0.51
o For Apache 2.0.*: The Apache Software Foundation has published a patch which is the official fix for this issue.

Patch information:

o The Apache 2.0.51 release is available from the following source: http://httpd.apache.org/
o For Apache 2.0.*, the patch is available from the following source: http://www.apache.org/dist/httpd/patches/apply_to_2.0.50/

Acknowledgments:

This vulnerability was discovered by Ulf Harnhammar for SITIC, Swedish IT Incident Centre.

Contact information:

Swedish IT Incident Centre, SITIC
P O Box 5398, SE-102 49 Stockholm, Sweden
Telephone: +46-8-678 5799
Email: sitic at pts dot se
http://www.sitic.se

Revision history:

Initial release 2004-09-15

About SITIC:

The Swedish IT Incident Centre within the National Post and Telecom Agency is tasked with supporting society in its work on protection against IT incidents. SITIC facilitates the exchange of information regarding IT incidents between organisations in society, and disseminates information about new problems which may impede the functionality of IT systems. In addition, SITIC provides information and advice regarding proactive measures and compiles and publishes statistics.

Disclaimer:

The decision to follow or act on information or advice contained in this Vulnerability Advisory is the responsibility of each user or organisation. SITIC accepts no responsibility for any errors or omissions contained within this Vulnerability Advisory, nor for any consequences which may arise from following or acting on information or advice contained herein.