CVE-2002-0653
CVSS 4.6
Published: 2002-07-11 00:00:00
Revised: 2016-10-17 22:21:07
NMCOE    

[Original] Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries.


[CNNVD] Mod_SSL Off-By-One HTAccess Local Buffer Overflow Vulnerability (CNNVD-200207-065)

        
        The mod_ssl module provides strong cryptography for the Apache 1.3 web server through the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.
        mod_ssl does not correctly check the length bound when processing variables in .htaccess configuration files; a local attacker can exploit this to cause a buffer overflow.
        The Apache web server exposes an extended API to third-party modules through a set of hook calls. One of these hooks is rewrite_command. If the web server is to let unprivileged users set up access control for their own web content, the "AllowOverride" option must be enabled for .htaccess files. When that option is present, the contents of the .htaccess file are read before the rewrite_command hook runs, but the ssl_compat_directive() call in the rewrite_command hook has an off-by-one error when reading the DATE_LOCALE variable from the .htaccess file. The problematic code is as follows:
        ...
         char *cp;
         char caCmd[1024];
         char *cpArgs;
         ...
         cp = (char *)oline;
         /* bound is i < 1024, so i can reach 1024 before the loop exits */
         for (i = 0; *cp != ' ' && *cp != '\t' && *cp != NUL && i < 1024; )
             caCmd[i++] = *cp++;
         caCmd[i] = NUL;   /* with i == 1024 this writes one byte past the end of caCmd */
         cpArgs = cp;
         ...
        If an attacker can place a DATE_LOCALE variable of 10000 bytes in an .htaccess file, the web server process handling the request overflows the buffer; carefully constructed variable data may allow arbitrary commands to be executed with the privileges of the web server process.
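        The bound check from the excerpt above beside a hardened form of the same token extraction, as an added example in C that is not code from mod_ssl or from this advisory; the names CMD_BUF, original_bound_overflows and split_directive are assumed for illustration, and the directive lines the helpers build are constructed test input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CMD_BUF 1024   /* size of caCmd[] in the vulnerable excerpt */

/* Reproduces only the bound check of the original loop: it stops once i reaches
 * 1024, so for a token of 1024 or more bytes "caCmd[i] = NUL" would land at
 * caCmd[1024], one byte past the array. Nothing is written here; it only reports. */
static bool original_bound_overflows(const char *oline) {
    size_t i = 0;
    while (oline[i] != ' ' && oline[i] != '\t' && oline[i] != '\0' && i < CMD_BUF)
        i++;
    return i == CMD_BUF;
}

/* Hardened token extraction: reserve one byte for the terminator and refuse
 * tokens that do not fit. Returns the remainder of the line (the original
 * cpArgs) or NULL when the directive name is too long for cmd. */
static const char *split_directive(const char *oline, char *cmd, size_t cmdsz) {
    size_t i = 0;
    const char *cp = oline;
    while (*cp != ' ' && *cp != '\t' && *cp != '\0') {
        if (i >= cmdsz - 1)
            return NULL;
        cmd[i++] = *cp++;
    }
    cmd[i] = '\0';
    return cp;
}

/* Helpers that build a constructed directive line of n 'A' bytes followed by
 * " arg" and run each check on it (n is capped so the line buffer stays safe). */
static bool original_overflows_for(size_t n) {
    static char line[CMD_BUF + 64];
    if (n > CMD_BUF + 32) return false;
    memset(line, 'A', n);
    strcpy(line + n, " arg");
    return original_bound_overflows(line);
}

static bool hardened_accepts(size_t n) {
    static char line[CMD_BUF + 64];
    static char cmd[CMD_BUF];
    if (n > CMD_BUF + 32) return false;
    memset(line, 'A', n);
    strcpy(line + n, " arg");
    const char *rest = split_directive(line, cmd, sizeof cmd);
    return rest != NULL && strlen(cmd) == n && strcmp(rest, " arg") == 0;
}
```

        A 1023-byte token is the longest the hardened version accepts into a 1024-byte buffer, while the original bound only fails for tokens of 1024 bytes or more, which is exactly the case the long DATE_LOCALE entry triggers.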
        

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0653
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0653
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200207-065
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-031.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-031.0
http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
(UNKNOWN)  BUGTRAQ  20020628 TSL-2002-0058 - apache/mod_ssl
http://archives.neohapsis.com/archives/hp/2002-q3/0018.html
(UNKNOWN)  HP  HPSBTL0207-052
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000504
(UNKNOWN)  CONECTIVA  CLA-2002:504
http://marc.info/?l=bugtraq&m=102513970919836&w=2
(UNKNOWN)  BUGTRAQ  20020624 Apache mod_ssl off-by-one vulnerability
http://marc.info/?l=bugtraq&m=102563469326072&w=2
(UNKNOWN)  ENGARDE  ESA-20020702-017
http://marc.info/?l=vuln-dev&m=102477330617604&w=2
(UNKNOWN)  VULN-DEV  20020622 Another flaw in Apache?
http://rhn.redhat.com/errata/RHSA-2002-164.html
(UNKNOWN)  REDHAT  RHSA-2002:164
http://www.debian.org/security/2002/dsa-135
(UNKNOWN)  DEBIAN  DSA-135
http://www.iss.net/security_center/static/9415.php
(UNKNOWN)  XF  apache-modssl-htaccess-bo(9415)
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-048.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:048
http://www.novell.com/linux/security/advisories/2002_028_mod_ssl.html
(UNKNOWN)  SUSE  SuSE-SA:2002:028
http://www.redhat.com/support/errata/RHSA-2002-134.html
(UNKNOWN)  REDHAT  RHSA-2002:134
http://www.redhat.com/support/errata/RHSA-2002-135.html
(UNKNOWN)  REDHAT  RHSA-2002:135
http://www.redhat.com/support/errata/RHSA-2002-136.html
(UNKNOWN)  REDHAT  RHSA-2002:136
http://www.redhat.com/support/errata/RHSA-2002-146.html
(UNKNOWN)  REDHAT  RHSA-2002:146
http://www.redhat.com/support/errata/RHSA-2003-106.html
(UNKNOWN)  REDHAT  RHSA-2003:106
http://www.securityfocus.com/bid/5084
(UNKNOWN)  BID  5084

- Vulnerability information

Mod_SSL Off-By-One HTAccess Local Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2002-07-11 00:00:00 2006-11-07 00:00:00
Local

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Do not enable the "AllowOverride" option.
        Vendor patch:
        Mod_SSL
        -------
        The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
        mod_ssl Upgrade mod_ssl-2.8.10-1.3.26.tar.gz
        
        http://www.modssl.org/source/mod_ssl-2.8.10-1.3.26.tar.gz

- Vulnerability information (21575)

Mod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability (EDBID:21575)
multiple dos
2002-06-22 Verified
0 Frank DENIS
N/A
source: http://www.securityfocus.com/bid/5084/info

An off-by-one issue exists in mod_ssl that affects Apache when handling certain types of long entries in an .htaccess file. Though this capability within the web server is not enabled by default, it is popular as it allows non-privileged users to create web access control schemes for hosted sites, and is enabled through the "AllowOverride" configuration variable in Apache. A .htaccess file with 10000 or more bytes set into the variable DATE_LOCALE will result in a buffer overflow within the web server process handling the request.

In a regular .htaccess file:

SetEnv DATE_LOCALE "X"

where the character X represents a string of 12288 bytes.

- Vulnerability information

842
Apache HTTP Server mod_ssl ssl_compat_directive Function Overflow
Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

This host is running an Apache web server with a version of 'mod_ssl' older than 2.8.10. Old versions are vulnerable to an 'off by one' buffer overflow attack. This allows a potential intruder with write access to '.htaccess' files to execute arbitrary code on this host.

- Timeline

2002-06-24 Unknown
Unknown Unknown

- Solution

The vendor has released a patch that fixes this issue. Please upgrade to the latest version of mod_ssl available from http://www.modssl.org/. If this host is running a Linux distribution such as Red Hat Linux, please check with Red Hat support for an update.

- Related references

- Vulnerability author

Unknown or Incomplete