Bug 55441 - net-www/apache: DoS in apache httpd 2.0.49
Summary: net-www/apache: DoS in apache httpd 2.0.49
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://www.guninski.com/httpd1.html
Whiteboard: A3 [glsa] jaervosz
Keywords:
Duplicates: 55618
Depends on:
Blocks:

Reported: 2004-06-28 09:48 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:39 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-28 09:48:05 UTC
Possible vulnerability in apache 2.0.49 posted to FD:


Description:

There is a denial of service in apache httpd 2.0.49. It is possible to
consume an arbitrary amount of memory.
On 64 bit systems with more than 4GB virtual memory this may lead to a heap
based buffer overflow whose exploitation is unclear at the moment.

Details:
The problem is in server/protocol.c ap_get_mime_headers_core:
------
    if (last_field != NULL) {
        /* a continuation line: begins with HTAB or SP */
        if ((len > 0) && ((*field == '\t') || *field == ' ')) {
...
            /* the folded buffer grows from the request pool with no cap */
            fold_buf = (char *)apr_palloc(r->pool, alloc_len);
-----
If a header line starts with TAB or SPACE, apache allocates memory for it.

This allows making arbitrary long header lines.

The following applies to 64 bit systems with a lot of virtual memory if
sizeof(long)==8 and sizeof(int)==4.

This code can be hit on line 743:
ap_escape_html(r->pool, last_field),
last_field can be arbitrarily long.
Looking into ap_escape_html shows:
----
    int i, j;   /* i: input length, j: extra bytes added by escaping; both int */

    for (i = 0, j = 0; s[i] != '\0'; i++)
        if (s[i] == '<' || s[i] == '>')
            j += 3;
        else if (s[i] == '&')
            j += 4;

    if (j == 0)
        return apr_pstrmemdup(p, s, i);

    /* allocation size computed in int, then converted to apr_size_t */
    x = apr_palloc(p, i + j + 1);
----
(i+j+1) can be made almost arbitrary because of int signedness.
On linux x86_64 it was confirmed that sending about 820MB of data overflows
(i+j+1) which leads to a crash in memcpy, but with good heap layout more
can be done.

Probably only (i) can wrap, but because of the way in which apache leaks
memory this is not tested yet.
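An added example (not Apache's code, not the advisory's, and not anything from this bug) that models the two problems the advisory describes from a defensive angle: first, the `i + j + 1` allocation size computed in 32-bit `int`, reproduced in `vuln_alloc_len` so the wrap can be seen without sending gigabytes of data; second, a hardened escaper that sizes its buffer in `size_t` with explicit overflow checks; and third, a header-folding routine that caps one logical field instead of growing it without bound. `MAX_FIELD_LEN`, the function names and the use of `malloc` in place of APR pools are assumptions made for the example; the 820 MB figure used in the comment is the one the advisory reports.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on one logical header field, in the spirit of Apache's
 * LimitRequestFieldSize (default 8190).  A demo value, not Apache's code. */
#define MAX_FIELD_LEN 8190

/* Model of the advisory's "i + j + 1" computed in 32-bit int, where i is the
 * input length and j the extra bytes added by escaping.  Signed overflow is
 * undefined in C, so the wrap is modelled in unsigned arithmetic and then
 * reinterpreted, which is what the compiled code observably did on x86-64.
 * With 1 GiB of '<' (i = 2^30, j = 3*2^30) the result is 1: a one-byte
 * buffer for a 4 GiB output.  With the advisory's ~820 MB of '<' the result
 * goes negative, which becomes a huge apr_size_t. */
int32_t vuln_alloc_len(uint32_t i, uint32_t j)
{
    return (int32_t)(i + j + 1u);
}

/* Overflow-checked replacement: '<' and '>' become 4 bytes, '&' becomes 5,
 * every other byte stays 1, plus the NUL.  Returns 0 and stores the size,
 * or -1 if the size does not fit in size_t. */
int safe_escape_len(size_t n_angle, size_t n_amp, size_t n_plain, size_t *out)
{
    if (n_angle > SIZE_MAX / 4 || n_amp > SIZE_MAX / 5) return -1;
    size_t total = n_angle * 4, amp = n_amp * 5;
    if (total > SIZE_MAX - amp) return -1;
    total += amp;
    if (total > SIZE_MAX - n_plain) return -1;
    total += n_plain;
    if (total == SIZE_MAX) return -1;   /* no room for the terminator */
    *out = total + 1;
    return 0;
}

/* Escape '<', '>' and '&' into a freshly malloc'd string, sizing the buffer
 * with safe_escape_len.  Returns NULL on overflow or allocation failure. */
char *escape_html(const char *s)
{
    size_t n_angle = 0, n_amp = 0, n_plain = 0, need;
    for (const char *p = s; *p; p++) {
        if (*p == '<' || *p == '>') n_angle++;
        else if (*p == '&') n_amp++;
        else n_plain++;
    }
    if (safe_escape_len(n_angle, n_amp, n_plain, &need) != 0) return NULL;
    char *x = malloc(need), *q = x;
    if (!x) return NULL;
    for (const char *p = s; *p; p++) {
        const char *rep = *p == '<' ? "&lt;" : *p == '>' ? "&gt;"
                        : *p == '&' ? "&amp;" : NULL;
        if (rep) { size_t l = strlen(rep); memcpy(q, rep, l); q += l; }
        else *q++ = *p;
    }
    *q = '\0';
    return x;
}

/* Join one header field and its folded continuation lines (each CRLF plus
 * leading SP/HTAB becomes one SP) into out, refusing the field once it
 * exceeds MAX_FIELD_LEN.  Returns the folded length, or -1 when the cap or
 * the output buffer is hit; a server would then answer 400 rather than
 * keep allocating. */
long fold_field(const char *const *lines, size_t nlines, char *out, size_t outsz)
{
    size_t total = 0;
    for (size_t k = 0; k < nlines; k++) {
        const char *p = lines[k];
        if (k > 0) {
            if (*p != ' ' && *p != '\t') return -1;   /* not a continuation */
            while (*p == ' ' || *p == '\t') p++;
            if (total + 1 > MAX_FIELD_LEN || total + 1 >= outsz) return -1;
            out[total++] = ' ';
        }
        size_t len = strlen(p);
        if (len > MAX_FIELD_LEN - total || total + len >= outsz) return -1;
        memcpy(out + total, p, len);
        total += len;
    }
    out[total] = '\0';
    return (long)total;
}

/* Constructed input: a short field with two continuation lines. */
long demo_folded_field(char *out, size_t outsz)
{
    const char *lines[] = { "X-Test: a", " b", "\tc" };
    return fold_field(lines, 3, out, outsz);
}

/* Constructed input: a continuation line that pushes the field past the cap. */
long demo_overlong_field(void)
{
    static char cont[MAX_FIELD_LEN + 16];
    static char out[2 * MAX_FIELD_LEN];
    cont[0] = ' ';
    memset(cont + 1, 'A', MAX_FIELD_LEN);
    cont[MAX_FIELD_LEN + 1] = '\0';
    const char *lines[] = { "X-Padding: start", cont };
    return fold_field(lines, 2, out, sizeof out);
}
```

The two halves are the two mitigations the later Apache fix space maps onto: a hard limit on how much folded header data one field may accumulate, and size arithmetic that cannot wrap before the allocation is made.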
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-06-28 09:52:15 UTC
zul: as I mentioned on IRC -- this is unconfirmed save for the original link.
Comment 3 Chuck Short (RETIRED) gentoo-dev 2004-06-28 15:00:15 UTC
It hasn't made it into apache cvs yet. I will add it when it does..version bump yadda yadda
Comment 4 Chuck Short (RETIRED) gentoo-dev 2004-06-28 20:19:39 UTC
Patch has been added to apache-cvs. I'm making sure that the patch applies cleanly and nothing goes wrong. A version bump should be available shortly.

chuck
Comment 5 Chuck Short (RETIRED) gentoo-dev 2004-06-28 20:37:08 UTC
Ebuild with patch has been added. Please have other arches test it.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-06-29 00:32:46 UTC
All Arches : please test and mark stable
Comment 7 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-29 00:55:21 UTC
MANUAL_VERSION="2.0.49-r3" in the -r4 ebuild is incorrect... I'm changing it to ${PVR}

stable amd64
Comment 8 Ciaran McCreesh 2004-06-29 01:19:27 UTC
Won't build on ~mips, can't keyword it for now.

config.status: creating support/logresolve.pl
config.status: creating support/phf_abuse_log.cgi
config.status: creating support/split-logfile
config.status: creating build/rules.mk
config.status: creating include/ap_config_auto.h
config.status: error: cannot find input file: include/ap_config_auto.h.in

Portage 2.0.51_pre10 (default-mips-1.4, gcc-3.4.0, glibc-2.3.4.20040605-r1, 2.4.23-mipscvs-20031128)
=================================================================
System uname: 2.4.23-mipscvs-20031128 mips R5000 V1.0  FPU V1.0
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
ACCEPT_KEYWORDS="mips ~mips"
AUTOCLEAN="yes"
CFLAGS="-O2 -mips4 -march=r5000 -mabi=32 -pipe"
CHOST="mips-unknown-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -mips4 -march=r5000 -mabi=32 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg ccache"
GENTOO_MIRRORS="http://evildrop/ http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://evildrop.home/gentoo-portage"
USE="berkdb gdbm gpm libwww mips ncurses opengl pam perl python readline ruby sdl slang ssl tcpd vim"
Comment 9 Ciaran McCreesh 2004-06-29 01:23:11 UTC
stable on sparc
Comment 10 Ciaran McCreesh 2004-06-29 04:20:07 UTC
Looks like the problem I had on mips was caused by ccache. Builds fine with ccache disabled, so stable on mips.
Comment 11 Ian Leitch (RETIRED) gentoo-dev 2004-06-29 07:55:19 UTC
Stable on x86.
Comment 12 Dan Margolis (RETIRED) gentoo-dev 2004-06-29 14:15:48 UTC
*** Bug 55618 has been marked as a duplicate of this bug. ***
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-29 14:35:16 UTC
GLSA drafted: security please review.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2004-07-02 13:08:44 UTC
Stable on hppa.
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-02 15:19:49 UTC
Stable on alpha.
Comment 16 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-07-04 10:48:21 UTC
Stable on ppc.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-07-04 12:46:38 UTC
GLSA 200407-03
Comment 18 SpanKY gentoo-dev 2004-07-05 07:55:32 UTC
stable on arm
Comment 19 Aron Griffis (RETIRED) gentoo-dev 2004-07-07 11:45:27 UTC
stable on ia64