Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 51368 - net-www/apache, net-www/mod_ssl: possible buffer overflow
Summary: net-www/apache, net-www/mod_ssl: possible buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
: 52802 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-05-18 02:03 UTC by Tobias Weisserth
Modified: 2011-10-30 22:37 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Weisserth 2004-05-18 02:03:39 UTC
Georgi Guninski reported a possible problem with mod_ssl on full-disclosure:

This email is copyrighted confidential information.
It cannot be used in vulnerability databases, especially in CAN,
securityfocus, to name a few.

hi,

there is a potential problem in mod_ssl.

in ssl_util.c there is:
-------------------------------------
void ssl_util_uuencode_binary(
    unsigned char *szTo, const unsigned char *szFrom, int nLength, BOOL bPad)
{
    const unsigned char *s;
    int nPad = 0;

    for (s = szFrom; nLength > 0; s += 3) {
        *szTo++ = ssl_util_uuencode_six2pr[s[0] >> 2];
/*PROPOSED PATCH: add "if (--nLegth ==0 ) ..." */
        *szTo++ = ssl_util_uuencode_six2pr[(s[0] << 4 | s[1] >> 4) & 0x3f];
        if (--nLength == 0) {
            nPad = 2;
            break;
        }
        *szTo++ = ssl_util_uuencode_six2pr[(s[1] << 2 | s[2] >> 6) & 0x3f];
        if (--nLength == 0) {
            nPad = 1;
            break;
        }
        *szTo++ = ssl_util_uuencode_six2pr[s[2] & 0x3f];
        --nLength;
    }
    while(bPad && nPad--)
        *szTo++ = NUL;
    *szTo = NUL;
    return;
}
-------------------------

obviously this allows writing about 4*nLegth/3 chars (not counting padding).

there may be problem if this code is hit in ssl_engine_kernel:

int ssl_hook_Auth(request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN];
    char *clientdn;

.....
ap_snprintf(b1, sizeof(b1), "%s:password", clientdn);
ssl_util_uuencode(b2, b1, FALSE);
ap_snprintf(b1, sizeof(b1), "Basic %s", b2);
.....

i doubt this is exploitable on x86, but i am too lame to emulate it if 
stack grows in the other direction.

-- 
georgi

Reproducible: Didn't try
Steps to Reproduce:




I guess this is not a critical bug. I entered it so that people are aware there
_might_ be a problem. I'm watching fd and bugtraq for follow up emails and POC.
As soon as there's more information we can re-rate the bug.

regards,
Tobias
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-26 11:23:41 UTC
After some research :
http://marc.theaimsgroup.com/?l=apache-modssl&m=108549001500319&w=2

This appears to be CAN-2004-0488. Note : "It can only be triggered if mod_ssl is
configured to use FakeBasicAuth and will trust a CA which issues a
client cert with a >6K long subject DN."

Fix for apache 2.0.x is :
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106

Fix for mod_ssl 2.8 (apache 1.3.x) is not available yet.

zul : we can patch or wait. Your call...
Comment 2 Chuck Short (RETIRED) gentoo-dev 2004-05-26 11:45:59 UTC
I would wait for the apache 1.3.x version so we can do them both at the same time.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-05-27 02:05:07 UTC
OK, so we are waiting for upstream fix in mod_ssl.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-05-28 01:57:48 UTC
mod_ssl 2.8.18 is out :
http://marc.theaimsgroup.com/?l=apache-modssl&m=108566416009373&w=2

Waiting for an apache-2.0.49-r3 and mod_ssl-2.8.18 ?
Comment 5 Chuck Short (RETIRED) gentoo-dev 2004-05-29 09:40:30 UTC
Ive added the patch to 2.0.49 and above. Ill will be commiting a 2.0.49-r3 tongiht.
Comment 6 Chuck Short (RETIRED) gentoo-dev 2004-05-29 09:41:13 UTC
1.3.31-r1 and mod_ssl 2.8.18 is in as well.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-06-01 08:30:12 UTC
Arches, please mark stable :

apache-1.3.31-r1 = "x86 ppc sparc mips alpha hppa amd64 ia64"
apache-2.0.49-r3 = "x86 ppc sparc mips alpha hppa amd64 ia64 s390"
mod_ssl-2.8.18 = "x86 ppc sparc mips alpha hppa"

Thanks !
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-01 16:28:01 UTC
Stable on alpha.
Comment 9 Joshua Kinard gentoo-dev 2004-06-01 17:08:18 UTC
Stable on mips & sparc
Comment 10 Danny van Dyk (RETIRED) gentoo-dev 2004-06-02 07:55:51 UTC
Marked stable on amd64.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-06-02 12:08:52 UTC
*** Bug 52802 has been marked as a duplicate of this bug. ***
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-06-05 03:13:51 UTC
GLSA is ready
ppc, hppa : please mark apache-1.3.31-r1 apache-2.0.49-r3 and mod_ssl-2.8.18 stable
ia64 : please mark apache-1.3.31-r1 and apache-2.0.49-r3 stable
Comment 13 Aron Griffis (RETIRED) gentoo-dev 2004-06-06 21:25:47 UTC
stable on ia64
Comment 14 Daniel Ostrow (RETIRED) gentoo-dev 2004-06-09 06:59:07 UTC
Good to go on ppc.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-06-09 08:45:58 UTC
Ready to send
Comment 16 Guy Martin (RETIRED) gentoo-dev 2004-06-09 10:58:13 UTC
All done for hppa.
Sorry for the delay but I had exams :-/
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2004-06-09 12:18:51 UTC
GLSA 200406-05