Fixed in Apache httpd 1.3.33-dev
moderate: mod_include overflow CAN-2004-0940
A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child.
Affects: 1.3.32, 1.3.31, 1.3.29, 1.3.28, 1.3.27, 1.3.26, 1.3.24, 1.3.22, 1.3.20, 1.3.19, 1.3.17, 1.3.14, 1.3.12, 1.3.11, 1.3.9, 1.3.6, 1.3.4, 1.3.3, 1.3.2, 1.3.1, 1.3.0
Secunia Advisory: SA12898
Release Date: 2004-10-22
Impact: Privilege escalation
Where: Local system
Solution Status: Vendor Patch
Software: Apache 1.3.x
CVE reference: CAN-2004-0940
Crazy Einstein has discovered a vulnerability in Apache, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused by a boundary error in the "get_tag()" function of the "mod_include" module. This can be exploited to cause a buffer overflow when a specially crafted document with malformed server-side includes is requested through an HTTP session.
Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) are enabled.
The vulnerability has been confirmed on version 1.3.31. Other versions may also be affected.
The vulnerability has been fixed in version 1.3.33-dev.
Disable server-side includes (SSI).
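To apply the workaround above you first need to know where SSI is switched on. The following is an added example, not part of any of the advisories quoted here: it scans Apache 1.3 configuration text for the standard directives that enable mod_include parsing (`Options Includes`/`IncludesNOEXEC`/`All`, the `server-parsed` handler, the legacy `text/x-server-parsed-html` MIME type, and `XBitHack on|full`). The sample configuration and the function name are constructed for illustration, and the scan assumes a single file; it does not follow `Include` lines or `.htaccess` overrides.

```python
# Added example: flags Apache 1.3 directives that turn on mod_include parsing.
# SAMPLE_CONF is constructed for illustration, not taken from a real server.
SAMPLE_CONF = """\
# constructed httpd.conf fragment
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks +Includes
</Directory>
<Directory "/var/www/static">
    Options -Includes -IncludesNOEXEC
</Directory>
AddHandler server-parsed .shtml
#XBitHack on
XBitHack off
<Directory "/var/www/legacy">
    Options All
</Directory>
"""

# Option keywords that enable SSI; "All" implies Includes.
SSI_OPTIONS = {"includes", "includesnoexec", "all"}


def find_ssi_directives(conf_text):
    """Return (line_number, reason) for each directive that enables SSI."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if directive == "options":
            for arg in args:
                # "-Includes" switches SSI off, so only bare or "+" forms count.
                if not arg.startswith("-") and arg.lstrip("+") in SSI_OPTIONS:
                    findings.append((lineno, "Options " + arg.lstrip("+")))
        elif directive in ("addhandler", "sethandler") and "server-parsed" in args[:1]:
            findings.append((lineno, directive + " server-parsed"))
        elif directive == "addtype" and args and args[0].startswith("text/x-server-parsed-html"):
            findings.append((lineno, "addtype " + args[0]))
        elif directive == "xbithack" and args[:1] in (["on"], ["full"]):
            findings.append((lineno, "xbithack " + args[0]))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_ssi_directives(SAMPLE_CONF):
        print(f"line {lineno}: {reason}")
```

Each reported line is a place where SSI stays active until the directive is removed or negated; an empty result for every configuration file and `.htaccess` in use means the workaround is in effect.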
Provided and/or discovered by:
SecurityTracker Alert ID: 1011783
SecurityTracker URL: http://securitytracker.com/id?1011783
CVE Reference: GENERIC-MAP-NOMATCH
Date: Oct 19 2004
Impact: Execution of arbitrary code via local system, User access via local system
Exploit Included: Yes
Description: Crazy Einstein reported a buffer overflow in Apache mod_include. A local user may be able to gain elevated privileges.
It is reported that the get_tag() function contains a buffer overflow that can be triggered, for example, from the handle_echo() function. A local user can create specially crafted HTML that, when processed by Apache, will execute arbitrary code with the privileges of the httpd child process.
Impact: A local user can execute arbitrary code with the privileges of the Apache httpd child process.
Solution: No solution was available at the time of this entry.
Vendor URL: httpd.apache.org/
Cause: Boundary error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Crazy Einstein <email@example.com>
apache team, pls review/patch as appropriate
committed as 1.3.32-r1
thx stuart and tigger
arches, pls test apache-1.3.32-r1 and mark stable if possible
current KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips"
target KEYWORDS="x86 ppc sparc alpha hppa amd64 ia64 mips"
Stable on amd64
Stable on sparc
stable on ppc
Stable on alpha.
Could apache maintainers or someone on x86 test and mark x86 stable?
Apache-1.3.33 is now in the tree. Upstream haven't released a corresponding mod_ssl yet, however, so this ebuild is masked for the moment.
At this rate of Apache releases, we should start thinking about a dedicated apache security & arch test group ;-)
arches, mod_ssl-2.8.21 is also needed to be marked stable
current KEYWORDS="x86 ~ppc ~sparc ~alpha ~hppa ~mips"
target KEYWORDS="x86 ppc sparc alpha hppa mips"
Stable on sparc.
Stable on ppc.
mod_ssl-2.8.21 still missing amd64 to test and mark stable
otherwise ready for GLSA
stable on amd64
hppa, ia64 and mips, please mark stable to benefit from GLSA