
Bug 283729 (CVE-2009-3094)

Summary: www-servers/apache[apache2_modules_proxy_ftp] before 2.2.14: NULL pointer deref DoS, access restriction bypass (CVE-2009-{3094,3095})
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: apache-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.intevydis.com/blog/?p=59
Whiteboard: C3 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-05 08:23:07 UTC
From Secunia (http://secunia.com/advisories/36549/):

A vulnerability has been discovered in the Apache mod_proxy_ftp module, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in mod_proxy_ftp when processing responses received from FTP servers. This can be exploited to trigger a NULL-pointer dereference and crash an Apache child process via a malformed EPSV response.

Successful exploitation requires that a threaded Multi-Processing Module is used and that the mod_proxy_ftp module is enabled.

The vulnerability is confirmed in Apache versions 2.0.63 and 2.2.13. Other versions may also be affected.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-05 08:23:51 UTC
The Secunia advisory indicates that there is no patch yet.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-10 09:53:24 UTC
CVE-2009-3094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3094):
  The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the
  mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13
  allows remote FTP servers to cause a denial of service (NULL pointer
  dereference and child process crash) via a malformed reply to an EPSV
  command.
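
Added example, not part of the bug report and not code from Apache or Gentoo: one way a proxy can strictly validate an EPSV reply in the RFC 2428 form `229 ... (|||port|)` so that a malformed reply is rejected instead of being used. The function name `parse_epsv_port` and the sample replies are constructed for illustration; the page does not show the faulty code in `proxy_ftp.c`.

```c
#include <stdio.h>
#include <string.h>

/* Parse an RFC 2428 EPSV reply, e.g.
 *   "229 Entering Extended Passive Mode (|||6446|)"
 * Returns the TCP port (1..65535), or -1 if the reply is malformed.
 * Hypothetical helper for illustration; not taken from proxy_ftp.c. */
int parse_epsv_port(const char *reply)
{
    const char *p;
    char d;
    long port = 0;
    int digits = 0;

    if (reply == NULL || strncmp(reply, "229 ", 4) != 0)
        return -1;
    p = strchr(reply, '(');
    if (p == NULL)              /* no '(' at all: reject, never dereference */
        return -1;
    d = *++p;                   /* delimiter: printable, non-digit, used 3x */
    if (d < 33 || d > 126 || (d >= '0' && d <= '9') || p[1] != d || p[2] != d)
        return -1;
    p += 3;
    while (*p >= '0' && *p <= '9') {    /* 1..5 digits, so no overflow */
        if (++digits > 5)
            return -1;
        port = port * 10 + (*p++ - '0');
    }
    if (digits == 0 || port < 1 || port > 65535)
        return -1;
    if (p[0] != d || p[1] != ')')       /* closing delimiter and ')' required */
        return -1;
    return (int)port;
}

int main(void)
{
    /* Constructed sample replies, not captured traffic. */
    const char *samples[] = {
        "229 Entering Extended Passive Mode (|||6446|)",
        "229 Entering Extended Passive Mode",
        "229 Entering Extended Passive Mode (|||70000|)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s -> %d\n", samples[i], parse_epsv_port(samples[i]));
    return 0;
}
```

Every early return maps to one way a remote FTP server can deviate from the expected reply; the caller should treat -1 as a failed EPSV and fall back or abort the request.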

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:49:02 UTC
CVE-2009-3095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3095):
  The mod_proxy_ftp module in the Apache HTTP Server allows remote
  attackers to bypass intended access restrictions and send arbitrary
  commands to an FTP server via vectors related to the embedding of
  these commands in the Authorization HTTP header, as demonstrated by a
  certain module in VulnDisco Pack Professional 8.11.  NOTE: as of
  20090903, this disclosure has no actionable information. However,
  because the VulnDisco Pack author is a reliable researcher, the issue
  is being assigned a CVE identifier for tracking purposes.

Comment 4 Hanno Böck gentoo-dev 2009-10-06 10:28:33 UTC
2.2.14 is out with fix:
http://www.apache.org/dist/httpd/CHANGES_2.2.14
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2009-10-06 12:44:27 UTC
2.2.14 in cvs
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2010-01-11 08:07:12 UTC
2.2.14-r1 is already stable.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:16:23 UTC
proxy_ftp is not enabled by default, if I see it correctly, thus I re-rate C3, and voting is needed.

Vote: NO.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:28:04 UTC
NO too, closing.