{"cve": [{"lastseen": "2021-02-02T05:35:11", "description": "The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 does not properly handle (1) '/' and (2) '=' characters in a Distinguished Name (DN) in a client certificate, which might allow remote attackers to bypass authentication via a crafted DN that triggers overwriting of environment variables.", "edition": 4, "cvss3": {}, "published": "2008-04-04T00:44:00", "title": "CVE-2008-0555", "type": "cve", "cwe": ["CWE-287", "CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-0555"], "modified": "2018-10-15T22:01:00", "cpe": ["cpe:/a:apache-ssl:apache-ssl:1.3.34_1.57"], "id": "CVE-2008-0555", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0555", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache-ssl:apache-ssl:1.3.34_1.57:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:25", "bulletinFamily": "software", "cvelist": ["CVE-2008-0555"], "description": "Folks,\r\n\r\nFollowing information/research provided by Alexander Klink, a new \r\nrelease is out, fixing a low priority security issue as detailed below. \r\nThe release is on the primary Apache-SSL ftp server and should hit the \r\nmirrors over the next few hours, according to their schedules.\r\n\r\nSee http://www.apache-ssl.org for mirrors.\r\n\r\nAdvisory follows:\r\n\r\n============================================\r\n||| Security Advisory AKLINK-SA-2008-005 |||\r\n||| CVE-2008-0555 (CVE candidate) |||\r\n============================================\r\n\r\nApache-SSL memory disclosure\r\n============================\r\n\r\nDate released: 02.04.2008\r\nDate reported: 17.01.2008\r\n$Revision: 1.1 $\r\n\r\nby Alexander Klink\r\n Cynops GmbH\r\n a.klink@cynops.de\r\n https://www.cynops.de/advisories/CVE-2008-0555.txt\r\n (S/MIME signed: \r\nhttps://www.cynops.de/advisories/CVE-2008-0555-signed.txt)\r\n https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555\r\n\r\nVendor: Adam & Ben Laurie\r\nProduct: Apache-SSL\r\nWebsite: http://www.apache-ssl.org\r\nVulnerability: memory disclosure, potential privilege escalation in web\r\n applications\r\nClass: remote\r\nStatus: patched\r\nSeverity: low\r\nReleases known to be affected: apache_1.3.34+ssl_1.57\r\nReleases known NOT to be affected: apache_1.3.41+ssl_1.59\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nBackground:\r\n\r\nApache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nOverview:\r\n\r\nApache-SSL provides environment variables that are filled with\r\n(client) certificate data. If the subject of a client certificate\r\ncontains special characters, parts of these variables can be overwritten\r\nor be filled with other parts of memory.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nTechnical details:\r\n\r\nThe certificate DN as returned by the OpenSSL X509_NAME_online is\r\npassed into the following function:\r\n\r\nstatic void ExpandCert(pool *p,table *pEnv,char *szPrefix, char *szDN, \r\nchar *szCert)\r\n {\r\n char buf[HUGE_STRING_LEN];\r\n char *s,*t;\r\n /* Expand a X509_oneline entry into it's base components and register\r\n them as environment variables. Needed if you want to pass \r\ncertificate\r\n information to CGI's. The naming convention SHOULD be fairly \r\ncompatible\r\n with CGI's written for stronghold's certificate info - Q */\r\n /* FIXME - strtok() and strcspn() may cause problems on some \r\nsystems - Q */\r\n\r\n ap_table_setn(pEnv,szDN,ap_pstrdup(p,szCert));\r\n\r\n ap_cpystrn(buf,szCert,sizeof buf);\r\n for(s=strtok(buf,"/") ; s != NULL ; s=strtok(NULL,"/"))\r\n {\r\n int n=strcspn(s,"=");\r\n s[n]='\0';\r\n StrUpper(s);\r\n t=ap_pstrcat(p,szPrefix,s,NULL);\r\n ap_table_setn(pEnv,t,ap_pstrdup(p,s+n+1));\r\n }\r\n }\r\n\r\nThe function assumes that the relative distinguished name does not\r\ncontain a '/'. If a / is contained in for example the common name,\r\nstrcspn(s,"=") returns the size of s, so s+n+1 points beyond the\r\ncurrent token.\r\nFurthermore, environment variables can be overwritten by including '/'\r\nand '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU variable,\r\none could use a certificate with a CN of "/OU=Fake OU".\r\nIf an application relies on this information to distinguish certificates\r\ninto different authorization classes, it can be fooled this way.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nCommunication:\r\n\r\n* 17.01.2008: Reported the bug to Ben Laurie\r\n* 17.01.2008: Ben replies and acknowledges the bug\r\n* 01.02.2008: Checking back with Ben on the status\r\n* 01.02.2008: Ben replies that he'll be looking into a patch over the \r\nweekend\r\n* 06.02.2008: Ben sends patch and asks for help with testing it\r\n* 07.02.2008: Reply with test results (still a small problem unrelated to\r\n the original issue)\r\n* 09.02.2008: Ben sends updated patch\r\n* 11.02.2008: Told Ben that patch works fine\r\n* 18.02.2008: Requested update\r\n* 18.02.2008: Ben replies that he'll deal with it in the next week or so\r\n* 27.02.2008: Requested update\r\n* 27.02.2008: Patch for Apache 1.3.41 is ready, but release is normally\r\n managed by Adam Laurie, who is on holiday till March, 11th\r\n* 28.02.2008: Agreed to wait for Adam to return\r\n* 12.03.2008: Ben informs Adam of the new release\r\n* 25.03.2008: Requested update\r\n* 25.03.2008: Ben replies, they are waiting for an updated advisory from me\r\n* 25.03.2008: Sent out updated advisory\r\n* 27.03.2008: Adam says sorry for the delays and that he will try to work\r\n on this while he is at "a conference in Amsterdam"\r\n* 01.04.2008: Coordination with Adam and Ben on a release\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nSolution:\r\n\r\nUpgrade to apache_1.3.41+ssl_1.59.\r\n\r\n+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\nCredits:\r\n\r\n- Alexander Klink, Cynops GmbH (discovery)\r\n\r\n\r\ncheers,\r\nAdam\r\n-- \r\nAdam Laurie Tel: +44 (0) 1304 814800\r\nThe Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899\r\nAsh Radar Station\r\nMarshborough Road\r\nSandwich mailto:adam@algroup.co.uk\r\nKent\r\nCT13 0PL\r\nUNITED KINGDOM PGP key on keyservers", "edition": 1, "modified": "2008-04-02T00:00:00", "published": "2008-04-02T00:00:00", "id": "SECURITYVULNS:DOC:19553", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19553", "title": "ANNOUNCE: Apache-SSL security release - apache_1.3.41+ssl_1.59", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-03-01T01:24:18", "description": "According to its banner, the version of Apache-SSL running on the\nremote host is older than apache_1.3.41+ssl_1.59. Such versions fail\nto properly sanitize certificate data before using it to populate\nenvironment variables. By sending a client certificate with special\ncharacters for the subject, a remote attacker can overwrite certain\nenvironment variables used by the web server, resulting in memory\ndisclosure or potential privilege escalation in a web application.", "edition": 29, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2008-04-03T00:00:00", "title": "Apache-SSL ExpandCert() Function Certificate Handling Arbitrary Environment Variables Manipulation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0555"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:apache-ssl:apache-ssl"], "id": "APACHE_SSL_ENV_VAR_MANIPULATION.NASL", "href": "https://www.tenable.com/plugins/nessus/31738", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(31738);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2008-0555\");\n script_bugtraq_id(28576);\n script_xref(name:\"Secunia\", value:\"29644\");\n\n script_name(english:\"Apache-SSL ExpandCert() Function Certificate Handling Arbitrary Environment Variables Manipulation\");\n script_summary(english:\"Checks version in Server response header\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is prone to a memory disclosure / privilege\nescalation attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apache-SSL running on the\nremote host is older than apache_1.3.41+ssl_1.59. Such versions fail\nto properly sanitize certificate data before using it to populate\nenvironment variables. By sending a client certificate with special\ncharacters for the subject, a remote attacker can overwrite certain\nenvironment variables used by the web server, resulting in memory\ndisclosure or potential privilege escalation in a web application.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cynops.de/advisories/CVE-2008-0555.txt\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.apache-ssl.org/advisory-cve-2008-0555.txt\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2008/Apr/19\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to apache_1.3.41+ssl_1.59 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 287);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/04/03\");\n \n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:apache-ssl:apache-ssl\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"apache_http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"installed_sw/Apache\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:\"Apache\", exit_if_zero:TRUE);\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:\"Apache\", port:port, exit_if_unknown_ver:TRUE);\n\n# Don't bother unless the service uses SSL.\nencaps = get_kb_item(\"Transports/TCP/\"+port);\nif (\n isnull(encaps) || \n encaps < ENCAPS_SSLv2 || encaps > ENCAPS_TLSv1\n) audit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);\n\n\n# Check the version in the banner.\nbanner = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);\nserver = strstr(banner, \"Server:\");\nserver = server - strstr(server, '\\r\\n');\nif (\" Ben-SSL/\" >< server)\n{\n ver = NULL;\n\n pat = \"^Server:.*Apache(-AdvancedExtranetServer)?/.* Ben-SSL/([0-9]+\\.[0-9]+)\";\n item = pregmatch(pattern:pat, string:server);\n if (!isnull(item)) ver = item[2];\n\n if (!isnull(ver) && ver =~ \"^1\\.([0-9]($|[^0-9])|([0-4][0-9]|5[0-8])($|[^0-9]))\")\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"The remote Apache-SSL server uses the following Server response\\n\",\n \"header :\\n\",\n \"\\n\",\n \" \", server, \"\\n\"\n );\n security_hole(port:port, extra:report);\n exit(0);\n }\n else\n {\n security_hole(port);\n exit(0);\n }\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
