mod_ssl Format String Error in 'ssl_engine_ext' May Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1010717
SecurityTracker URL: http://securitytracker.com/id?1010717
CVE Reference: CAN-2004-0700
OSVDB Reference: 7929
Updated: Jul 23 2004
Original Entry Date: Jul 16 2004
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.8.19-1.3.31

Description: A format string vulnerability was reported in mod_ssl. In certain cases where Apache mod_proxy is also used, a remote user may be able to cause arbitrary code to be executed on the target user's system.

Ralf S. Engelschall reported that if Apache is used as a proxy and an HTTPS URL such as 'https://foo%s.example.com/' is supplied, and a hostname 'foo%s' exists in the 'example.com' zone, the flaw can reportedly be triggered. The flaw reportedly resides in an error-logging call in 'ssl_engine_ext.c' that passes a message containing the peer hostname as the log format string (see the patch in the source message below).

The report credits Virulent <virulent@siyahsapka.org> with reporting a similar bug (that was reportedly not exploitable) and triggering a review of the code.
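The pattern the advisory describes, as an added example that is not mod_ssl's own code: ssl_log_stub, build_errmsg, count_conversions and log_errmsg_fixed are assumed stand-ins for ssl_log() and ap_psprintf(), writing into a static buffer instead of the server log. It rebuilds the page's exact error message for a peer hostname containing '%s', shows that the message carries a live conversion directive, and shows that the patched call form ("%s", errmsg) logs it as literal text.

```c
/* Added example (not mod_ssl's code): the ssl_engine_ext.c log-call pattern.
 * ssl_log_stub() and build_errmsg() are assumed stand-ins for ssl_log() and
 * ap_psprintf(); the "log" is a static buffer so the result can be checked. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char log_buf[256];   /* stand-in for the server error log */
static char msg_buf[256];   /* stand-in for the pool-allocated errmsg */

/* Stand-in for ssl_log(): the last fixed parameter is a printf format,
 * so whatever is passed there is interpreted, not copied. */
static void ssl_log_stub(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
}

/* Counts printf conversion directives in s ("%%" is a literal percent).
 * A non-zero count in attacker-influenced text (here: the peer hostname)
 * means the string must only ever be passed as an argument, never as fmt. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Builds the same message ssl_engine_ext.c builds with ap_psprintf(). */
const char *build_errmsg(const char *vhost, const char *peer,
                         const char *reason)
{
    snprintf(msg_buf, sizeof msg_buf,
             "SSL proxy connect failed (%s): peer %s: %s",
             vhost, peer, reason);
    return msg_buf;
}

/* The patched call: "%s" is the only format string, errmsg is data.
 * (The original ssl_log(..., errmsg) used the message itself as fmt.) */
const char *log_errmsg_fixed(const char *errmsg)
{
    ssl_log_stub("%s", errmsg);
    return log_buf;
}
```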

Impact: A remote user may be able to cause arbitrary code to be executed on the target system in certain cases.

Solution: The vendor has released a fixed version (2.8.19-1.3.31), available at:
http://www.modssl.org/source/mod_ssl-2.8.19-1.3.31.tar.gz

Vendor URL: www.modssl.org/

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Fri, 16 Jul 2004 09:59:24 -0400
Subject: mod_ssl format string

Ralf S. Engelschall reported a format string vulnerability in mod_ssl. If Apache is used as a proxy and an HTTPS URL such as 'https://foo%s.example.com/' is supplied and a hostname 'foo%s' exists in the 'example.com' zone, the flaw can reportedly be triggered.

The report credits Virulent <virulent@siyahsapka.org> with reporting a similar bug (that was reportedly not exploitable) and triggering a review of the code.

Index: ssl_engine_ext.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_ext.c,v
retrieving revision 1.50
diff -u -d -r1.50 ssl_engine_ext.c
--- ssl_engine_ext.c 11 May 2004 18:44:15 -0000 1.50
+++ ssl_engine_ext.c 16 Jul 2004 07:57:33 -0000
@@ -524,7 +524,7 @@
#endif
errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s",
cpVHostID, peer, ERR_reason_error_string(ERR_get_error()));
- ssl_log(r->server, SSL_LOG_ERROR, errmsg);
+ ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
return errmsg;
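Review bot: the one-line change is the right fix for this call site, but errmsg is still built by ap_psprintf() from peer and is returned to the caller on the last line of the hunk, so the same defect recurs if any caller later hands that string to ssl_log() or another printf-style function as the format argument; the commit should also audit those callers. Since the message already contains attacker-influenced text (the peer hostname from the request URL), consider declaring ssl_log() with a printf format attribute, e.g. `__attribute__((format(printf, 3, 4)))`, so the compiler flags any remaining `ssl_log(s, level, variable)` call rather than relying on review to find them.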