Bug 95709 (CVE-2005-2088)

Summary: VUL-0: CVE-2005-2088: apache2 request smuggling?
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-1268: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: HTTP-Request-Smuggling.pdf
httpd-2.0.52-CAN-2005-2088.patch
fix in 1.3 branch
patch from svn

Description Marcus Meissner 2005-07-08 11:43:13 UTC 
http://www.whitedust.net/speaks/825/Apache Request Smuggling Vulnerability/ 
reports: 
 
ThinkGeek T-Shirts will make you cool! 
Extract: 
  
All versions of Apache previous to 2.1.6 are vulnerable to a HTTP request 
smuggling attack which can allow malicious piggybacking of false HTTP requests 
hidden within valid content. This method of HTTP Request Smuggling was first 
discussed by Watchfire some time ago. The issue has been addressed by an 
update to version 2.1.6. 
Editorial Comment: 
  
The vulnerability involves a crafted request with a 'Transfer-Encoding: 
chunked' header and a 'Content-Length' can cause Apache to forward a modified 
request with the original 'Content-Length' header. The malicious request may 
then piggyback with the valid HTTP request possibly resulting in cache 
poisoning, cross-site scripting, session hijacking and other various kinds of 
attack. This vulnerability has resurfaced due to vendor confirmation, the 
original Watchfire Whitepaper on HTTP Request Smuggling is here.  
  
 addict3d reports that mostly all Apache 2.0.x versions, on the major 
platforms, are vulnerable to this attack. Apache has promptly released a 2.1.6 
version of their HTTP software to address this issue.
Comment 1 Marcus Meissner 2005-07-08 11:43:47 UTC 
Created attachment 41427 [details]
HTTP-Request-Smuggling.pdf

paperthingie
Comment 2 Marcus Meissner 2005-07-08 11:44:06 UTC 
is this for real, peter?
Comment 3 Peter Poeml 2005-07-08 12:54:01 UTC 
Yes. It is now CAN-2005-2088.

The original reference was
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf.

It was fixed already in the 2.1 development branch, and became public
with the release of the alpha package. A fix for 2.0 is already in CVS.
2.0.55 is expected to be released soon.

1.3 is not affected, as some people have claimed.
Comment 4 Peter Poeml 2005-07-08 13:24:07 UTC 
I have to correct myself, there is no fix yet in the 2.0.x branch.
Comment 5 Ludwig Nussel 2005-07-11 06:41:43 UTC 
Date: Fri, 8 Jul 2005 19:26:26 +0100                                                                                      
From: Joe Orton <jorton@redhat.com>                                                                                       
To: vendor-sec@lst.de                                                                                                     
Subject: Re: [vendor-sec] Apache vulnerabilities                                                                          
  
To confirm, the CAN-2005-1268 fix is:  
  
  *) SECURITY: CAN-2005-1268 (cve.mitre.org)  
     mod_ssl: Fix off-by-one overflow whilst printing CRL information  
     at "LogLevel debug" which could be triggered if configured  
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]  
  
patch via: http://svn.apache.org/viewcvs.cgi?rev=189562&view=rev  
  
The complete fix for CAN-2005-2088 used upstream is these two patches:  
  
  
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/proxy/proxy_http.c?rev=171205&r1=151405&r2=171205  
 http://people.apache.org/~jorton/ap_tevscl.diff  
  
the latter has not been approved for backport to the 2.0.x branch yet.  
  
The former is quite risky; there's a simpler alternative, attached the  
complete patch we're using.  
  
Neither CAN-2005-2088 nor CAN-2005-1268 affect Apache 1.3.  
  
joe
Comment 6 Ludwig Nussel 2005-07-11 06:42:14 UTC 
Created attachment 41538 [details]
httpd-2.0.52-CAN-2005-2088.patch
Comment 7 Marcus Meissner 2005-07-11 08:03:55 UTC 
swampid: 1767
Comment 8 Peter Poeml 2005-07-12 22:30:26 UTC 
apache.org had a DoS problem all day, viewcvs has been down and
subversion access flaky; but I found the patch on the commit list.

I submitted packages with fixes for both CAN-2005-2088+CAN-2005-1268 for
STABLE as well as:
/work/SRC/old-versions/8.2/all/apache2 -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/apache2 -> /work/src/done/9.0
/work/SRC/old-versions/9.1/BETA/all/apache2 -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/apache2 -> /work/src/done/9.2
/work/SRC/old-versions/9.3/all/apache2 -> /work/src/done/9.3

(Of the two apache2 packages in 9.1/SLES and 9.1/BETA, the latter is the
newer one, since the SP2 merge has not taken place. Hence it is taken
from there.)
Comment 9 Peter Poeml 2005-07-13 15:17:39 UTC 
assigning to security-team for further processing.
Comment 10 Ludwig Nussel 2005-07-18 14:53:28 UTC 
The following subpackages where updated in 8.2-9.1 previously: 
8.2: 
apache2,apache2-prefork,apache2-worker,apache2-leader,apache2-devel,apache2-doc,apache2-example-pages,libapr0 
9.0: 
apache2,apache2-prefork,apache2-worker,apache2-leader,apache2-metuxmpm,apache2-devel,apache2-doc,apache2-example-pages,libapr0 
9.1: 
apache2,apache2-prefork,apache2-worker,apache2-devel,apache2-doc,apache2-example-pages,libapr0 
sles9: 
apache2,apache2-devel,apache2-doc,apache2-example-pages,apache2-prefork,apache2-worker,libapr0 
 
Which ones are needed for the current update in 9.2 and 9.3? only apache2 
itself?
Comment 11 Peter Poeml 2005-07-18 14:58:27 UTC 
For CAN-2005-2088: apache2-prefork, apache2-worker, apache2-leader, apache2-metuxmpm
For CAN-2005-1268: the apache2 package.
Comment 12 Peter Poeml 2005-07-18 15:57:06 UTC 
in the past, I have added all subpackages to the patchinfos. Problem is
that the list differes between release. I always used the skeletons
here: ~poeml/tmp/patchinfos-apache2
Comment 13 Ludwig Nussel 2005-07-19 07:03:51 UTC 
There is no need to include unaffected subpackages, saves bandwidth. So for  
9.2 and 9.3 it's apache2,apache2-prefork,apache2-worker
Comment 14 Ludwig Nussel 2005-07-27 07:32:13 UTC 
updates released
Comment 15 Ludwig Nussel 2005-08-04 07:56:15 UTC 
Mandrake has issued an update for CAN-2005-2088 for apache 1.3!
Comment 16 Peter Poeml 2005-08-04 09:18:31 UTC 
Looking
Comment 17 Peter Poeml 2005-08-04 09:19:30 UTC 
Created attachment 44777 [details]
fix in 1.3 branch
Comment 18 Peter Poeml 2005-08-04 09:20:43 UTC 
Date: Tue, 19 Jul 2005 16:36:13 -0500
To: dev@httpd.apache.org
From: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
Subject: Re: [patch 1.3] The http_protocol.c C-L + T-E patch
Cc: dev@httpd.apache.org
X-Spam-Status: No, hits=0.0 tagged_above=-20.0 required=5.0 tests=BAYES_50

At 04:11 PM 7/19/2005, Joe Orton wrote:
>On Tue, Jul 19, 2005 at 02:59:14PM -0500, William Rowe wrote:
>> Paul?  Joe?  Jeff?  Someone?
>>
>> This is the only showstopper to a 1.3.34 candidate today,
>> since 1.3.x/src/modules/proxy/mod_proxy.c rejects T-E
>> for proxy request bodies.
>
>Since the 1.3 proxy already rejects such requests what does this patch
>actually fix?

Hmmm...

  mod_isapi?
  mod_php?
  mod_cgi?
  mod_jk?

shall I keep digging?

Bill
Comment 19 Peter Poeml 2005-08-04 10:50:43 UTC 
Created attachment 44785 [details]
patch from svn
Comment 20 Peter Poeml 2005-08-04 10:54:12 UTC 
Note to self: 62859 (buffer overflow htpasswd.c) ought to be fixed
together with this one
Comment 21 Peter Poeml 2005-08-10 12:02:00 UTC 
I submitted these fixed packages:

/work/SRC/old-versions/8.1/UL/all/apache -> /work/src/done/SLES8
/work/SRC/old-versions/9.0/all/apache -> /work/src/done/9.0
/work/SRC/old-versions/9.1/SLES/all/apache -> /work/src/done/9.1

Changelog:

- security fix [CAN-2005-2088 (cve.mitre.org)]: core: If a request
  contains both Transfer-Encoding and a Content-Length, remove the
  Content-Length, stopping some HTTP Request smuggling attacks. [#95709]
- htpasswd security fixes (patches from openbsd): - use strncpy and
  friends [#62859] - use mkstemp instead of tempnam


The 9.1/sles9 package contains an additional fix -- see bug 83771:

- move the start of the %build section before running the mod_ssl
  configure script, so the variable ENABLE_MOD_SSL is set in the
  same environment where it is used. This adds engine support to
  mod_ssl again, by compiling with experimental engine support by
  configuring apache with --enable-rule=SSL_EXPERIMENTAL. [#83771]

Sorry about the inconvenience this addition causes for assembling the
patchinfo files.

Reassigning to security team for further processing.
Comment 22 Marcus Meissner 2005-08-15 15:54:55 UTC 
released apache1 updates now.
Comment 23 Marcus Meissner 2005-08-15 16:09:55 UTC 
will write advisory tomorrow
Comment 24 Marcus Meissner 2005-08-16 12:18:51 UTC 
adv released
Comment 25 Thomas Biege 2009-10-13 21:31:39 UTC 
CVE-2005-1268: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)