Bug 100389 - net-www/mod_ssl: Buffer Overflow in Processing CRLs
Summary: net-www/mod_ssl: Buffer Overflow in Processing CRLs
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://securitytracker.com/alerts/200...
Whiteboard: C2 [ebuild?] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-26 11:54 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-08-05 06:59 UTC

See Also:
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-07-26 11:54:33 UTC
CVE Reference:  CAN-2005-1268
Date:  Jul 26 2005
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Description:  A vulnerability was reported in Apache mod_ssl in the processing
of certificate revocation lists (CRLs). A remote user may be able to cause
arbitrary code to be executed.

A remote user can create a specially crafted CRL that, when processed by the
Apache mod_ssl callback function, will trigger an off-by-one buffer overflow.
Arbitrary code may be executed.

The vulnerability can be triggered when printing CRL information at the 'debug'
LogLevel.

Marc Stern from CSC is credited with discovering this vulnerability.
Impact:  A remote user may be able to cause Apache to execute arbitrary code in
certain situations.
Solution:  The vendor has issued a source code fix, available via SVN.
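The off-by-one the advisory describes comes from a read-then-terminate sequence: a fixed buffer is filled completely, and the NUL terminator is then stored at index n, which is one past the last valid slot when the read filled the whole buffer. The following C program is an added example, not code from Apache httpd, mod_ssl or this bug report. It replaces OpenSSL's BIO_read with a constructed stand-in (fake_bio_read), uses an assumed buffer size of 64 (the real size is not given on this page), and reports whether the terminator store would land out of bounds instead of performing it, so the program itself never writes past the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed stack buffer. The real module's size is not given on
 * this page, so 64 is an assumed, constructed value. */
#define BUFF_SIZE 64

/* Constructed stand-in for OpenSSL's BIO_read(): copies at most 'len'
 * bytes of 'pending' into 'out' and returns how many were copied. Like
 * BIO_read it adds no NUL terminator and may fill 'out' completely. */
static int fake_bio_read(const char *pending, char *out, size_t len)
{
    size_t avail = strlen(pending);
    size_t n = avail < len ? avail : len;
    memcpy(out, pending, n);
    return (int)n;
}

/* Models the read-then-terminate sequence used when logging CRL details.
 * 'reserve' is how many bytes the caller holds back for the terminator:
 * 0 reproduces a read of sizeof(buff), 1 a read of sizeof(buff) - 1.
 * Returns 1 if buff[n] = '\0' would land outside the buffer (the
 * off-by-one write), 0 if the line was terminated in bounds. The
 * out-of-bounds store itself is never performed. */
static int terminator_out_of_bounds(const char *pending, size_t reserve)
{
    char buff[BUFF_SIZE];
    int n = fake_bio_read(pending, buff, sizeof(buff) - reserve);

    if (n < 0 || (size_t)n >= sizeof(buff))
        return 1;               /* index n is not a valid slot of buff */
    buff[n] = '\0';
    return 0;
}

/* Safe variant: always leaves room for the terminator, tolerates a
 * negative read result, and returns the length of the resulting string
 * (never more than size - 1). */
static size_t read_crl_line(const char *pending, char *buff, size_t size)
{
    int n = fake_bio_read(pending, buff, size - 1);
    if (n < 0)
        n = 0;
    buff[n] = '\0';
    return (size_t)n;
}

/* Convenience wrapper: how many bytes the safe variant keeps for 'pending'. */
static size_t safe_kept_length(const char *pending)
{
    char buff[BUFF_SIZE];
    return read_crl_line(pending, buff, sizeof(buff));
}

/* Builds a constructed CRL summary line long enough to fill the buffer,
 * standing in for a CRL whose printed fields exceed the buffer size. */
static const char *long_crl_summary(void)
{
    static char line[256];
    size_t i;
    strcpy(line, "issuer=/CN=");
    for (i = strlen(line); i < sizeof(line) - 1; i++)
        line[i] = 'A';
    line[sizeof(line) - 1] = '\0';
    return line;
}

int main(void)
{
    /* Constructed sample lines; the short one fits, the long one does not. */
    const char *benign = "issuer=/CN=example, lastUpdate: ..., nextUpdate: ...";
    const char *oversized = long_crl_summary();

    printf("short CRL,     read sizeof(buff):     overflow=%d\n",
           terminator_out_of_bounds(benign, 0));
    printf("oversized CRL, read sizeof(buff):     overflow=%d\n",
           terminator_out_of_bounds(oversized, 0));
    printf("oversized CRL, read sizeof(buff) - 1: overflow=%d\n",
           terminator_out_of_bounds(oversized, 1));
    printf("safe read keeps %zu bytes\n", safe_kept_length(oversized));
    return 0;
}
```

With the short line, both read sizes terminate in bounds; with the oversized line, reading sizeof(buff) bytes leaves n equal to the buffer size, so the terminator store is one byte past the end, while reserving one byte keeps it in bounds. Whether that single extra byte is reachable by an attacker depends on what sits after the buffer on the stack, which is why the later comments in this bug weigh it as a crash rather than code execution.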
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-26 12:13:11 UTC
Apache please advise 
Comment 2 Jean-François Brunette (RETIRED) gentoo-dev 2005-07-26 12:18:41 UTC
Advisory talks about SVN, it's here:
http://svn.apache.org/viewcvs.cgi?rev=179781&view=rev

--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c	2005/04/19 20:02:09	161958
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c	2005/06/03 12:54:53	179781
@@ -1408,7 +1408,7 @@
             BIO_printf(bio, ", nextUpdate: ");
             ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
 
-            n = BIO_read(bio, buff, sizeof(buff));
+            n = BIO_read(bio, buff, sizeof(buff) - 1);
             buff[n] = '\0';
 
             BIO_free(bio);
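Review bot: reserving one byte with `n = BIO_read(bio, buff, sizeof(buff) - 1);` fixes the off-by-one on the following `buff[n] = '\0';`, but `n` is still used unchecked: BIO_read returns a negative value on error, and a negative index would store the terminator before the start of `buff`. Suggest guarding the result (for example `if (n < 0) n = 0;`, or skipping the log line) before the terminator is written, so the debug path cannot misindex the buffer in either direction.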
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-27 06:40:48 UTC
This one is very lame. Not sure we should consider it a vulnerability.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-31 13:02:03 UTC
Apache do you agree? 
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 06:18:55 UTC
===========================================================
Ubuntu Security Notice USN-160-1	    August 04, 2005
apache2 vulnerabilities
[...]
Marc Stern discovered a buffer overflow in the SSL module's
certificate revocation list (CRL) handler. If Apache is configured to
use a malicious CRL, this could possibly lead to a server crash or
arbitrary code execution with the privileges of the Apache web server.
(CAN-2005-1268)
===========================================================

I am still to be convinced.
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-05 06:59:55 UTC
Examining the patch provided suggests that despite the description this is 
definitely not exploitable to execute arbitrary code, simply cause a denial of 
service. As the server must be in debug mode and configured to accept a 
malicious CRL we consider this highly unlikely to ever affect any users. 

Closing this security bug, the fix will filter down from upstream.

If anyone disagrees, please REOPEN.