SecurityTracker.com
Category:  Application (Security)  >  Mod_ssl
Vendors:  Modssl.org
'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users
Date:  Feb 26 2002
Impact:  Execution of arbitrary code via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 2.8.7
Description:  A vulnerability was reported in the 'mod_ssl' package for the Apache web server. A remote user may be able to overflow a buffer. The potential impact is not yet known.

It is reported that a remote user may be able to trigger a buffer overflow in the DBM and SHMHT session cache by using very large certificate chains. This is reportedly due to the unbounded nature of ASN.1 representations that could overflow a large but statically allocated buffer.

It is not yet clear if remote code execution is feasible.

Impact:  A remote user may be able to trigger a buffer overflow in mod_ssl. It is not yet clear if remote code execution is feasible.
Solution:  Upgrade to version 2.8.7, available at:

http://www.modssl.org/source/mod_ssl-2.8.7-1.3.23.tar.gz

Vendor URL:  www.modssl.org/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Ed Moyle <emoyle@scsnet.csc.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 28 2002 (Trustix Issues Fix) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (tsl@trustix.com (Trustix Secure Linux Advisor))
The vendor has released a fix.
Mar 1 2002 (Engarde Issues Fix) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (engarde-announce-admins@linuxsecurity.com)
The vendor has released a fix.
Mar 4 2002 (Conectiva Issues Fix) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (secure@conectiva.com.br)
The vendor has released a fix.
Mar 8 2002 (Mandrake Issues Fix) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (Mandrake Linux Security Team <security@linux-mandrake.com>)
The vendor has released a fix.
Mar 8 2002 (Red Hat Issues Fix) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (bugzilla@redhat.com)
The vendor has released a fix.
Mar 11 2002 (Debian Issues Fix) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (joey@infodrom.org (Martin Schulze))
The vendor has released a fix.
Mar 15 2002 (Red Hat Issues Fix for Secure Web Server) Re: 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (bugzilla@redhat.com)
The vendor has released a fix.
Mar 31 2002 (Caldera Issues Fix for OpenLinux) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (security@caldera.com)
The vendor has released a fix.
Mar 31 2002 (Compaq Issues Fix for Compaq Secure Web Server) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   ("Boren, Rich (SSRT)" <Rich.Boren@COMPAQ.com>)
The vendor has released a fix for Compaq Secure Web Server.
Apr 2 2002 (HP Issues Fix for Virtual Vault) 'mod_ssl' Security Package for Apache Web Server Has Buffer Overflow That Can Be Triggered By Remote Users   (support_feedback@us-support.external.hp.com (IT Resource Center ))
The vendor has released a fix.



 Source Message Contents

Date:  Mon, 25 Feb 2002 11:28:58 -0500
From:  Ed Moyle <emoyle@scsnet.csc.com>
Subject:  second opinion regarding mod-ssl BO...

 

Howdy.

I am currently in the process of writing this up, and I'd like a second opinion on exploitability (modssl team fixed w/ Sat's release):

(mod_ssl < 2.8.7) (www.modssl.org)

ssl_util_ssl.h:
> #define SSL_SESSION_MAX_DER 1024*10

ssl_scache_dbm.c:
> BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen, time_t expiry, SSL_SESSION *sess) {
<snip>
> UCHAR ucaData[SSL_SESSION_MAX_DER];
<snip>
> ucp = ucaData;
> nData = i2d_SSL_SESSION(sess, &ucp);

relevant openssl docs (from http://www.openssl.org/docs/ssl/d2i_SSL_SESSION.html):
> When using i2d_SSL_SESSION(), the memory location pointed to by pp must be large enough to hold the
> binary representation of the session. There is no known limit on the size of the created ASN1
> representation, so the necessary amount of space should be obtained by first calling
> i2d_SSL_SESSION() with pp=NULL, and obtain the size needed, then allocate the memory and call
> i2d_SSL_SESSION() again.

I contend that the only way to exploit this is to generate a trusted client cert that has embedded shell code in it (a difficult task at best).

Can anybody out there in the vast wide ether provide other opinions on exploitability scenarios?

-E
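
The size-then-encode pattern from the quoted OpenSSL documentation, placed in front of a fixed 10 KB buffer, as an added example that is not mod_ssl's code or part of the original message. `toy_session`, `toy_i2d_session`, `cache_encode` and `try_store` are hypothetical names, and the encoder is a stand-in that only mimics the `i2d_SSL_SESSION()` calling contract so the block builds without OpenSSL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESSION_MAX_DER (1024 * 10)   /* cap quoted on the page */

/* Hypothetical stand-in for SSL_SESSION: an opaque, already-encoded blob. */
typedef struct { const unsigned char *der; size_t len; } toy_session;

/* Stand-in encoder with the i2d_* contract from the quoted docs:
 * pp == NULL returns the needed length; otherwise writes and advances *pp. */
static int toy_i2d_session(const toy_session *s, unsigned char **pp)
{
    if (pp != NULL) {
        memcpy(*pp, s->der, s->len);
        *pp += s->len;
    }
    return (int)s->len;
}

/* Returns bytes written to out, or -1 if the encoding does not fit
 * (the caller then skips caching instead of overrunning the buffer). */
static int cache_encode(const toy_session *s, unsigned char *out, size_t cap)
{
    int need = toy_i2d_session(s, NULL);          /* first call: size only */
    if (need <= 0 || (size_t)need > cap)
        return -1;
    unsigned char *p = out;
    int wrote = toy_i2d_session(s, &p);           /* second call: encode */
    return (wrote == need && p == out + need) ? wrote : -1;
}

/* Constructed input: an n-byte encoding, as a long certificate chain yields. */
static int try_store(size_t n)
{
    unsigned char buf[SESSION_MAX_DER];
    unsigned char *blob = calloc(n ? n : 1, 1);
    if (blob == NULL)
        return -2;
    toy_session s = { blob, n };
    int rc = cache_encode(&s, buf, sizeof buf);
    free(blob);
    return rc;
}

int main(void)
{
    printf("%d %d\n", try_store(2048), try_store(SESSION_MAX_DER + 1));
    return 0;
}
```

A session that encodes to more than the cap is rejected before any byte is written, so an oversized certificate chain costs a cache miss rather than a stack overwrite.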



Copyright 2002, SecurityGlobal.net LLC