10899141 2003-10-28 21:52 +0100 /99 rader/ Adam Dyga <adeon@o2.pl>
Importerad: 2003-10-29 01:16 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: adeon@o2.pl
Mottagare: Bugtraq (import) <29661>
Ärende: mod_security 1.7RC1 to 1.7.1 vulnerability
------------------------------------------------------------
From: Adam Dyga <adeon@o2.pl>
To: bugtraq@securityfocus.com
Message-ID: <200310282152.25424.adeon@o2.pl>
Program: mod_security (www.modsecurity.org)
Versions: 1.7RC1 to 1.7.1 (Apache 2 version)
Synopsis: malloc based buffer overflow
Author: Adam Dyga (adeon(at)o2.pl, ad(at)adsystems.com.pl)
URL: http://adsystems.com.pl/adg-mod_security171.txt
Discovered: October 24, 2003
Published: October 28, 2003
Issue:
There is a exploitable malloc based buffer overflow in
mod_security (apache 2 version). When appropriately
exploited this can lead to (under some circumstances -
remote) code execution on a vulnerable system with apache
server user privileges.
Details:
The bug exists in sec_filter_out() function in
apache2/mod_security.c :
<snip>
if (ctx->bufused + len > ctx->buflen) {
char *newbuffer;
// todo: implement a smarter extension policy
unsigned long int newsize = ctx->buflen * 2;
sec_debug_log(r, 3, "sec_filter_out: expanding buffer to
%i", newsize);
// allocate a larger buffer
newbuffer = apr_palloc(f->r->pool, newsize + 1);
memcpy(newbuffer, ctx->buffer, ctx->bufused);
// free(ctx->buffer);
ctx->buffer = newbuffer;
ctx->buflen = newsize;
ctx->input_ptr = ctx->buffer + ctx->bufused;
}
memcpy(ctx->input_ptr, data, len);
ctx->input_ptr += len;
ctx->bufused += len;
</snip>
As we can see, if ctx->buffer is too small, it's size is
doubled, regardless of the size of incoming data. If
incoming data size is larger than (ctx->buflen*2 -
ctx->bufused) then the second memcpy may overwrite further
header(s) of the next chunks on the heap. The author assumed,
that incoming data size is not larger than 8kB, because
Apache internally transports data in chunks that are 4kB/8kB
long. However, this is not true when data is sent by server
side script.
This is a piece of mod_security debug log:
sec_filter_out: got 198301 bytes, bufused=0, buflen=16384
sec_filter_out: expanding buffer to 32768
The buffer is overflowed when server side script is
generating large output, for example when writing large file
to the output:
<?php
Header('Content-Type: image/jpeg');
readfile('some_large_image.jpeg');
?>
When getting the 'some_large_image.jpeg' directly from server
(not by the above script, but by using GET method instead),
the buffer overflow doesn't occur.
So, to perform an attack, the attacker has to have the
possibility to upload his/her own script to the server (very
common on web hosting servers) or to use some XSS bug found
on the site.
The sec_filter_out() function is called when the
mod_security.so module is just loaded, no other directives in
httpd.conf (from mod_security) are needed.
Remedies:
Upgrade to 1.7.2, which fixes the vulnerability. If that is
not possible, turn output filtering off with
"SecFilterScanOutput Off".
Vendor status:
October 24, 2003 - ivanr@webkreator.com notified, no response
October 25, 2003 - ivanr@webkreator.com notified, got
response October 28, 2003 - patched version of mod_security
1.7.2 released October 28, 2003 - public disclosure
(10899141) /Adam Dyga <adeon@o2.pl>/------(Ombruten)