Bugtraq mailing list archives
Overflow in one of Apache 1.1.1 (maybe later too)'s modules
From: shok () COBRA ONLINEX NET (Matt Conover)
Date: Thu, 4 Sep 1997 22:05:13 -0600
Hello (sorry if this gets long or if it's known, but I don't think it is):

Well, this is an obvious overflow in one of Apache's modules; it is remote too..... however, luckily for the web admins, it's not installed by default. The problem is in mod_auth_anon.c in the function anon_authenticate_basic_user(). It contains the following lines:

    char errstr[MAX_STRING_LEN];
    [...]
    if (sec->auth_anon_logemail) {
        /* send_pw (the client-supplied password) is copied into errstr unbounded */
        sprintf(errstr, "Anonymous: Passwd <%s> Accepted",
                send_pw ? send_pw : "\'none\'");
        [...]
    } else {
        if (sec->auth_anon_authorative) {
            sprintf(errstr, "Anonymous: Authorative, Passwd <%s> not accepted",
                    send_pw ? send_pw : "\'none\'");
            [...]

Now, as you can see, this is easy to exploit. It simply compiles the string (password) into the buffer without any bounds checking. Whether you enter a valid password (it expects an email address) or an invalid one, it can still be overflowed. But as you can see, they need to log the email address... here is what is needed:

1.) mod_auth_anon installed
2.) "Anonymous_LogEmail on" in access.conf

A quote from www.apache/docs in the Apache modules, mod_auth_anon:

    This module is contained in the mod_auth_anon.c file and is not compiled in by default. It is only available in Apache 1.1 and later. It allows "anonymous" user access to authenticated areas.

So if they use the same code or no bounds checking, this will be exploitable in Apache 1.1.1 and greater. This may in fact have been fixed in the later versions; I only have the source to 1.1.1, and I will check the later versions later... maybe someone else would like to check (?)

Also, I may have missed or left something out....... this is completely based on the code itself.... I have never used mod_auth_anon so I might be missing something... but the Apache docs say it works ftp style, meaning you enter your email address as the password... but if you do AVERYLONGSTRINGANDTHEYHAVEAUTHEMAILLOGONTHISWILLOVERFLOW@LBHALBHALBHA..... and do that to a size greater than MAX_STRING_LEN, it would overflow.

(Feel free to make any corrections; I admit I didn't look into this for too long.)

Thanks,
[Matt Conover] Shok (shok () onlinex net, shok () janova org)
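The following is an added illustration and is not code from the post or from Apache. It reproduces the unbounded sprintf pattern the post quotes next to the bounded form a maintainer would substitute (snprintf with the buffer size and a truncation check), so the difference between the two can be exercised on a short and an oversized "password". The value of MAX_STRING_LEN here (64) is a constructed stand-in so the overflow condition is easy to reason about; the real Apache constant is much larger. The unsafe path only computes the length sprintf would write rather than performing the write, so the program never corrupts memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for Apache's MAX_STRING_LEN (the real constant
 * is much larger); kept small so the overflow condition is obvious. */
#define MAX_STRING_LEN 64

/* Number of bytes (including the NUL) that the unbounded
 *   sprintf(errstr, "Anonymous: Passwd <%s> Accepted", send_pw)
 * from the post would write. Computing it instead of calling sprintf
 * shows the bound that was missing without overrunning anything. */
size_t unsafe_message_len(const char *send_pw) {
    const char *pw = send_pw ? send_pw : "'none'";
    return strlen("Anonymous: Passwd <") + strlen(pw) + strlen("> Accepted") + 1;
}

/* 1 if the unbounded sprintf would write past a MAX_STRING_LEN buffer. */
int would_overflow(const char *send_pw) {
    return unsafe_message_len(send_pw) > MAX_STRING_LEN;
}

/* Hardened form: snprintf never writes more than errstr_len bytes and
 * always NUL-terminates. Returns 1 when the message was truncated, so a
 * caller can additionally log that the client sent an oversized value. */
int safe_format(char *errstr, size_t errstr_len, const char *send_pw) {
    const char *pw = send_pw ? send_pw : "'none'";
    int n = snprintf(errstr, errstr_len, "Anonymous: Passwd <%s> Accepted", pw);
    return n < 0 || (size_t)n >= errstr_len;
}

/* Constructed oversized input: 199 'A' bytes, well past MAX_STRING_LEN. */
static void fill_long_pw(char *buf, size_t buflen) {
    memset(buf, 'A', buflen - 1);
    buf[buflen - 1] = '\0';
}

/* Would the unbounded sprintf overflow on the constructed long input? */
int demo_long_pw_overflows(void) {
    char longpw[200];
    fill_long_pw(longpw, sizeof longpw);
    return would_overflow(longpw);
}

/* Length of what the hardened routine actually stores for the same
 * input: capped at MAX_STRING_LEN - 1 no matter how long send_pw is. */
size_t demo_long_pw_safe_len(void) {
    char errstr[MAX_STRING_LEN];
    char longpw[200];
    fill_long_pw(longpw, sizeof longpw);
    (void)safe_format(errstr, sizeof errstr, longpw);
    return strlen(errstr);
}

int main(void) {
    char errstr[MAX_STRING_LEN];
    char longpw[200];
    fill_long_pw(longpw, sizeof longpw);

    printf("short password: unbounded sprintf overflows = %d\n",
           would_overflow("user@example.org"));
    printf("long password:  unbounded sprintf overflows = %d\n",
           would_overflow(longpw));
    printf("long password:  snprintf truncated = %d, stored length = %zu\n",
           safe_format(errstr, sizeof errstr, longpw), strlen(errstr));
    return 0;
}
```

The truncation flag matters as much as the bound itself: a silently shortened log line is still safe memory-wise, but logging that the client exceeded the limit is what lets an operator notice someone probing the input length.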
Current thread:
- Overflow in one of Apache 1.1.1 (maybe later too)'s modules Matt Conover (Sep 04)
- Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules Artur Pydo - EuroBretagne (Sep 05)
- Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules Marc Slemko (Sep 05)