CVE-2004-0492
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:45:43

[Original] Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.


[CNNVD] Apache mod_proxy Remote Buffer Overflow Vulnerability (CNNVD-200408-092)

        
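        mod_proxy is a proxy module that can be used with Apache.
        mod_proxy mishandles negative Content-Length values. A remote attacker can use this flaw to cause a buffer overflow and possibly execute arbitrary code on the system with the privileges of the Apache process.
        Connecting to a remote server that returns an invalid (negative) Content-Length makes mod_proxy trigger an integer-based overflow, which crashes the Apache child process. The problem is in proxy_util.c:
        n = ap_bread(f, buf, MIN((int)buf_size,
        (int)(len - total_bytes_rcvd)));
        Here len can be negative.
        
        On older OpenBSD/FreeBSD systems, the reverse-copy implementation of memcpy can be used to execute arbitrary code. On newer BSD systems, the attacker can control 3 arbitrary bytes, which can also be used to execute arbitrary code. If the AP_ENABLE_EXCEPTION_HOOK define is enabled, the issue may be exploitable on any platform.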
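The signedness problem described above, and the two fix styles in the patches further down this page, as an added example (not Apache source and not part of the original entry). Function names, the `long`/`size_t` types, the 8192-byte buffer size and the sample header values are assumptions made for illustration; the parser is stricter than the vendor check in that it also rejects non-numeric and out-of-range values.

```c
/* Added illustration; not Apache source. Names and types are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Affected pattern: both operands are cast to int, so a negative remaining
 * length is the smaller value and becomes the requested read size. */
static long read_size_signed(size_t buf_size, long len, long total_rcvd)
{
    return MIN((int)buf_size, (int)(len - total_rcvd));
}

/* Third-party patch pattern: cast to size_t. A negative remainder wraps to a
 * huge unsigned value, so MIN falls back to buf_size and the read is bounded. */
static size_t read_size_unsigned(size_t buf_size, long len, long total_rcvd)
{
    return MIN((size_t)buf_size, (size_t)(len - total_rcvd));
}

/* Vendor patch pattern, made stricter: refuse the header at parse time.
 * Returns 0 and stores the value on success, -1 if it must be rejected. */
static int parse_content_length(const char *value, long *out)
{
    char *end;
    long n;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0' || n < 0)
        return -1;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed sample Content-Length values. */
    static const char *samples[] = { "1024", "-1", "-2147483648", "12abc", "" };
    const size_t buf_size = 8192; /* assumed receive buffer size */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long checked = 0;
        int rc = parse_content_length(samples[i], &checked);
        long raw = strtol(samples[i], NULL, 10); /* unchecked parse */
        long s = read_size_signed(buf_size, raw, 0);

        /* (size_t)s is the length a copy routine would see for the signed result. */
        printf("\"%s\": signed=%ld as_size_t=%zu unsigned=%zu verdict=%s\n",
               samples[i], s, (size_t)s,
               read_size_unsigned(buf_size, raw, 0),
               rc == 0 ? "accept" : "reject");
    }
    return 0;
}
```
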
        

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:apache:http_server:1.3.26  Apache Software Foundation Apache HTTP Server 1.3.26
cpe:/a:apache:http_server:1.3.27  Apache Software Foundation Apache HTTP Server 1.3.27
cpe:/a:apache:http_server:1.3.28  Apache Software Foundation Apache HTTP Server 1.3.28
cpe:/a:apache:http_server:1.3.29  Apache Software Foundation Apache HTTP Server 1.3.29
cpe:/o:openbsd:openbsd:3.4  OpenBSD 3.4
cpe:/a:ibm:http_server:1.3.26.2  IBM IBM HTTP Server 1.3.26.2
cpe:/o:openbsd:openbsd:3.5  OpenBSD 3.5
cpe:/a:hp:virtualvault:11.0.4
cpe:/o:openbsd:openbsd  OpenBSD
cpe:/a:ibm:http_server:1.3.28  IBM IBM HTTP Server 1.3.28
cpe:/a:sgi:propack:2.4  SGI ProPack 2.4
cpe:/a:apache:http_server:1.3.31  Apache Software Foundation Apache HTTP Server 1.3.31
cpe:/a:hp:webproxy:2.1  HP Webproxy 2.1
cpe:/a:hp:webproxy:2.0  HP Webproxy 2.0
cpe:/o:hp:vvos:11.04  HP VVOS 11.04
cpe:/a:ibm:http_server:1.3.26  IBM IBM HTTP Server 1.3.26
cpe:/a:ibm:http_server:1.3.26.1  IBM IBM HTTP Server 1.3.26.1

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:4863  Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow
oval:org.mitre.oval:def:100112  Apache mod_proxy Content-Length Header Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; further technical detection details can be found in the related OVAL definitions.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0492
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0492
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-092
(Official data source) CNNVD

- Other Links and Resources

ftp://patches.sgi.com/support/free/security/advisories/20040605-01-U.asc
(UNKNOWN)  SGI  20040605-01-U
http://marc.info/?l=bugtraq&m=108711172710140&w=2
(UNKNOWN)  BUGTRAQ  20040611 [OpenPKG-SA-2004.029] OpenPKG Security Advisory (apache)
http://marc.info/?l=bugtraq&m=130497311408250&w=2
(UNKNOWN)  HP  HPSBOV02683
http://rhn.redhat.com/errata/RHSA-2004-245.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:245
http://seclists.org/lists/fulldisclosure/2004/Jun/0296.html
(UNKNOWN)  FULLDISC  20040610 Buffer overflow in apache mod_proxy,yet still apache much better than windows
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101555-1
(UNKNOWN)  SUNALERT  101555
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1
(UNKNOWN)  SUNALERT  101841
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57628-1
(UNKNOWN)  SUNALERT  57628
http://www.debian.org/security/2004/dsa-525
(VENDOR_ADVISORY)  DEBIAN  DSA-525
http://www.guninski.com/modproxy1.html
(UNKNOWN)  MISC  http://www.guninski.com/modproxy1.html
http://www.kb.cert.org/vuls/id/541310
(UNKNOWN)  CERT-VN  VU#541310
http://www.mandriva.com/security/advisories?name=MDKSA-2004:065
(UNKNOWN)  MANDRAKE  MDKSA-2004:065
http://xforce.iss.net/xforce/xfdb/16387
(VENDOR_ADVISORY)  XF  apache-modproxy-contentlength-bo(16387)
https://bugzilla.fedora.us/show_bug.cgi?id=1737
(UNKNOWN)  FEDORA  FLSA:1737

- Vulnerability Information

Apache mod_proxy Remote Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-08-06 00:00:00 2006-08-31 00:00:00
Remote
        
        

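- Advisories and Patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Georgi Guninski provides the following third-party patch: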
        -------------------------------------
        diff -u apache_1.3.31/src/modules/proxy/proxy_util.c apache_1.3.31my/src/modules/proxy/proxy_util.c
        --- apache_1.3.31/src/modules/proxy/proxy_util.c Tue Feb 17 23:52:22 2004
        +++ apache_1.3.31my/src/modules/proxy/proxy_util.c Tue Jun 8 11:24:15 2004
        @@ -545,8 +545,8 @@
         n = ap_bread(f, buf, buf_size);
         }
         else {
        - n = ap_bread(f, buf, MIN((int)buf_size,
        - (int)(len - total_bytes_rcvd)));
        + n = ap_bread(f, buf, MIN((size_t)buf_size,
        + (size_t)(len - total_bytes_rcvd)));
         }
         }
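Review bot: In the else branch, casting `len - total_bytes_rcvd` to size_t only masks a negative length: the value wraps to a very large unsigned number, MIN then picks `buf_size`, and the proxy keeps reading a response whose Content-Length was invalid. The subtraction is also still performed in the signed type before the cast. Suggest rejecting `len < 0` before this call is reached (ideally where the header is parsed) and keeping the unsigned cast only as a second line of defence.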
        -------------------------------------
        Alternatively, CNNVD recommends that you do not enable the mod_proxy module.
        Vendor patch:
        Apache Software Foundation
        --------------------------
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        Index: src/CHANGES
        ===================================================================
        RCS file: /home/cvs/apache-1.3/src/CHANGES,v
        retrieving revision 1.1942
        diff -u -p -u -r1.1942 CHANGES
        --- src/CHANGES 2 Jun 2004 22:49:03 -0000 1.1942
        +++ src/CHANGES 9 Jun 2004 15:58:44 -0000
        @@ -1,5 +1,9 @@
         Changes with Apache 1.3.32
        
        + *) SECURITY: CAN-2004-0492 (cve.mitre.org)
        + Reject responses from a remote server if sent an invalid (negative)
        + Content-Length. [Mark Cox]
        +
         *) Fix a bunch of cases where the return code of the regex compiler
         was not checked properly. This affects mod_usertrack and
         core. PR 28218. [Andr?Malo]
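Review bot: The new CHANGES entry does not name the affected module; "Reject responses from a remote server" reads as core behaviour. Suggest prefixing the entry with "mod_proxy:" so administrators scanning the changelog can tell whether the fix applies to their configuration.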
        Index: src/modules/proxy/proxy_http.c
        ===================================================================
        RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
        retrieving revision 1.106
        diff -u -p -u -r1.106 proxy_http.c
        --- src/modules/proxy/proxy_http.c 29 Mar 2004 17:47:15 -0000 1.106
        +++ src/modules/proxy/proxy_http.c 8 Jun 2004 14:23:05 -0000
        @@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r
         content_length = ap_table_get(resp_hdrs, "Content-Length");
         if (content_length != NULL) {
         c->len = ap_strtol(content_length, NULL, 10);
        +
        + if (c->len < 0) {
        + ap_kill_timeout(r);
        + return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
        + "Invalid Content-Length from remote server",
        + NULL));
        + }
         }
        
         }
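Review bot: The check added after `c->len = ap_strtol(content_length, NULL, 10);` only catches values that parse as negative. Because the end pointer is NULL, an empty or non-numeric header and trailing garbage after the digits are still accepted, and an overflowing value is not checked for. Suggest passing an end pointer, verifying that it reaches the end of the string, and testing for a range error alongside `c->len < 0`, returning the same HTTP_BAD_GATEWAY error in each case.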

- Vulnerability Information (F101257)

HP Security Bulletin HPSBOV02683 SSRT090208 (PacketStormID:F101257)
2011-05-10 00:00:00
HP  hp.com
advisory,web,denial of service,php,vulnerability
CVE-2002-0839,CVE-2002-0840,CVE-2003-0542,CVE-2004-0492,CVE-2005-2491,CVE-2005-3352,CVE-2005-3357,CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-3747,CVE-2006-3918,CVE-2006-4339,CVE-2006-4343,CVE-2007-5000,CVE-2007-6388,CVE-2008-0005,CVE-2009-1891,CVE-2009-3095,CVE-2009-3291,CVE-2009-3292,CVE-2009-3293,CVE-2009-3555,CVE-2010-0010

HP Security Bulletin HPSBOV02683 SSRT090208 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.


SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02824490
Version: 1

HPSBOV02683 SSRT090208 rev.1 - HP Secure Web Server (SWS) for OpenVMS running Apache/PHP, Remote Denial of Service (DoS), Unauthorized Access, Unauthorized Disclosure of Information, Unauthorized Modification

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-05-05
Last Updated: 2011-05-05

Potential Security Impact: Remote Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, unauthorized modification

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications.

References: CVE-2002-0839, CVE-2002-0840, CVE-2003-0542, CVE-2004-0492, CVE-2005-2491, CVE-2005-3352, CVE-2005-3357, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-3918, CVE-2006-4339, CVE-2006-4343, CVE-2007-5000, CVE-2007-6388, CVE-2008-0005, CVE-2009-1891, CVE-2009-3095, CVE-2009-3291, CVE-2009-3292, CVE-2009-3293, CVE-2009-3555, CVE-2010-0010

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Secure Web Server (SWS) for OpenVMS (based on Apache) V2.1-1 and earlier.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2002-0839    (AV:L/AC:L/Au:N/C:C/I:C/A:C)        7.2
CVE-2002-0840    (AV:N/AC:M/Au:N/C:P/I:P/A:P)        6.8
CVE-2003-0542    (AV:L/AC:L/Au:N/C:C/I:C/A:C)        7.2
CVE-2004-0492    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2005-2491    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2005-3352    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2005-3357    (AV:N/AC:H/Au:N/C:N/I:N/A:C)        5.4
CVE-2006-2937    (AV:N/AC:L/Au:N/C:N/I:N/A:C)        7.8
CVE-2006-2940    (AV:N/AC:L/Au:N/C:N/I:N/A:C)        7.8
CVE-2006-3738    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2006-3747    (AV:N/AC:H/Au:N/C:C/I:C/A:C)        7.6
CVE-2006-3918    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2006-4339    (AV:N/AC:M/Au:N/C:P/I:N/A:N)        4.3
CVE-2006-4343    (AV:N/AC:M/Au:N/C:N/I:N/A:P)        4.3
CVE-2007-5000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2007-6388    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2008-0005    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2009-1891    (AV:N/AC:M/Au:N/C:N/I:N/A:C)        7.1
CVE-2009-3095    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3291    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3292    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3293    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2009-3555    (AV:N/AC:M/Au:N/C:N/I:P/A:P)        5.8
CVE-2010-0010    (AV:N/AC:M/Au:N/C:P/I:P/A:P)        6.8
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following software updates available to resolve these vulnerabilities.

Kit Name
 Location

HP SWS V2.2 for OpenVMS Alpha and OpenVMS Integrity servers.
 http://h71000.www7.hp.com/openvms/products/ips/apache/csws.html

CSWS_PHP V2.2
 http://h71000.www7.hp.com/openvms/products/ips/apache/csws_php.html

HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
    -check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
    -verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
    

- Vulnerability Information (F34887)

apache_1.3.33.tar.gz (PacketStormID:F34887)
2004-10-29 00:00:00
 
unix
CVE-2004-0492,CVE-2004-0940

Apache is the most popular webserver on the Internet, quite possibly the best in terms of security, functionality, efficiency, and speed.

- Vulnerability Information

6839
Apache HTTP Server mod_proxy Content-Length Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability Description

Apache contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user sends a "Content-Length:" header that contains a large negative value through the mod_proxy module, and will result in loss of availability for the service.

- Timeline

2004-06-10 Unknown
2004-06-10 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apache has released a patch to address this vulnerability.

- Related References

- Vulnerability Author

- Vulnerability Information

Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow Vulnerability
Boundary Condition Error 10508
Yes No
2004-06-10 12:00:00 2009-07-12 05:16:00
Discovery is credited to Georgi Guninski.

- Affected Software Versions

Trustix Secure Linux 1.5
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
SGI ProPack 2.4
RedHat Linux 7.3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD -current
IBM HTTP Server 1.3.28
IBM HTTP Server 1.3.26 .2
IBM HTTP Server 1.3.26 .1
IBM HTTP Server 1.3.26
HP Webproxy 2.1
+ HP HP-UX 11.0 4
HP Webproxy 2.0
+ HP HP-UX 11.0 4
HP Webproxy A.02.10
+ HP HP-UX B.11.04
HP Webproxy A.02.00
+ HP HP-UX B.11.04
HP VirtualVault 11.0.4
HP VirtualVault A.04.70
+ HP HP-UX B.11.04
HP VirtualVault A.04.60
+ HP HP-UX B.11.04
HP VirtualVault A.04.50
+ HP HP-UX B.11.04
HP HP-UX (VVOS) 11.0 4
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
Apache Software Foundation Apache 1.3.32
+ Gentoo Linux 1.4
+ Gentoo Linux
Apache Software Foundation Apache 1.3.31
+ OpenPKG OpenPKG Current
Apache Software Foundation Apache 1.3.29
+ Apple Mac OS X 10.3.5
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.2.7
+ MandrakeSoft Linux Mandrake 10.0 AMD64
+ MandrakeSoft Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
Apache Software Foundation Apache 1.3.28
+ Conectiva Linux 8.0
+ MandrakeSoft Linux Mandrake 9.2 amd64
+ MandrakeSoft Linux Mandrake 9.2
+ OpenBSD OpenBSD 3.4
+ OpenPKG OpenPKG 1.3
Apache Software Foundation Apache 1.3.27
+ HP HP-UX (VVOS) 11.0 4
+ HP VirtualVault 4.6
+ HP VirtualVault 4.5
+ HP Webproxy 2.0
+ Immunix Immunix OS 7+
+ MandrakeSoft Linux Mandrake 9.1 ppc
+ MandrakeSoft Linux Mandrake 9.1
+ OpenBSD OpenBSD 3.3
+ OpenPKG OpenPKG Current
+ RedHat Enterprise Linux AS 2.1 IA64
+ RedHat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
+ SGI IRIX 6.5.19
Apache Software Foundation Apache 1.3.26
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.24
+ OpenBSD OpenBSD 3.1
+ Oracle Oracle HTTP Server 9.2 .0
+ Oracle Oracle HTTP Server 9.0.1
+ Oracle Oracle9i Application Server 9.0.2
+ Oracle Oracle9i Application Server 1.0.2 .2
+ Oracle Oracle9i Application Server 1.0.2 .1s
+ Oracle Oracle9i Application Server 1.0.2
+ Slackware Linux 8.1
+ Unisphere Networks SDX-300 2.0.3
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ MandrakeSoft Linux Mandrake 8.2 ppc
+ MandrakeSoft Linux Mandrake 8.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.1 ia64
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 7.2
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.22
- HP HP-UX 11.20
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ SGI IRIX 6.5.18
+ SGI IRIX 6.5.17
+ SGI IRIX 6.5.16
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt RaQ 550
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
+ Sun SunOS 5.9 _x86
+ Sun SunOS 5.9
Apache Software Foundation Apache 1.3.19
- Apple Mac OS X 10.0.3
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.20
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
+ MandrakeSoft Linux Mandrake 8.1
- MandrakeSoft Linux Mandrake 8.0
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 7.1
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
+ OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 3.0
- RedHat Linux 7.1
- RedHat Linux 7.0
- RedHat Linux 6.2
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SGI IRIX 6.5.9
- SGI IRIX 6.5.8
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.0
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.14
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Single Network Firewall 7.2
+ SGI IRIX 6.5.11
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
Apache Software Foundation Apache 1.3.12
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0
+ Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
+ Sun SunOS 5.8 _x86
+ Sun SunOS 5.8
Apache Software Foundation Apache 1.3.7 -dev
Apache Software Foundation Apache 1.3.6
+ Sun Cobalt ManageRaQ3 3000R-mr
+ Sun Cobalt RaQ3 3000R
+ Sun Cobalt Velociraptor
Apache Software Foundation Apache 1.3.4
+ BSDI BSD/OS 4.0
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
Apache Software Foundation Apache 1.3.1
Apache Software Foundation Apache 1.3
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.3.1
+ Apple Mac OS X 10.3
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X 10.2.6
+ Apple Mac OS X 10.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0

- Unaffected Software Versions

IBM HTTP Server 2.0.47
IBM HTTP Server 2.0.42 .2
IBM HTTP Server 2.0.42
IBM HTTP Server 1.3.19 .5
IBM HTTP Server 1.3.19 .4
IBM HTTP Server 1.3.19 .3
IBM HTTP Server 1.3.19 .2
IBM HTTP Server 1.3.19 .1
IBM HTTP Server 1.3.19
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- RedHat Linux 7.1
- S.u.S.E. Linux 7.1
- Sun Solaris 7.0
- Sun Solaris 2.6
Apache Software Foundation Apache 1.3.33
+ Apple Mac OS X 10.3.6
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X Server 10.3.6
+ Apple Mac OS X Server 10.2.8
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1

- Vulnerability Discussion

A remote buffer overflow vulnerability exists in Apache mod_proxy.

The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may be triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy.

Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms.

This issue affects Apache servers 1.3.26 through 1.3.32 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue.

- Exploit

A denial of service proof-of-concept script has been published at the following location:

http://www.guninski.com/modproxy1.html

- Solution

Updates are available. Please see the references for more information.


OpenBSD OpenBSD 3.5

OpenBSD OpenBSD 3.4

Sun Solaris 9_x86

Apache Software Foundation Apache 1.3

Apache Software Foundation Apache 1.3.1

Apache Software Foundation Apache 1.3.14

Apache Software Foundation Apache 1.3.17

Apache Software Foundation Apache 1.3.22

Apache Software Foundation Apache 1.3.23

Apache Software Foundation Apache 1.3.25

IBM HTTP Server 1.3.26 .1

Apache Software Foundation Apache 1.3.26

IBM HTTP Server 1.3.26

IBM HTTP Server 1.3.26 .2

Apache Software Foundation Apache 1.3.27

Apache Software Foundation Apache 1.3.28

IBM HTTP Server 1.3.28

Apache Software Foundation Apache 1.3.29

Apache Software Foundation Apache 1.3.3

Apache Software Foundation Apache 1.3.31

Apache Software Foundation Apache 1.3.4

Apache Software Foundation Apache 1.3.7 -dev

SGI ProPack 2.4

- Related References

 

 
