CVE-2004-0751
CVSS 5.0
Published: 2004-10-20 00:00:00
Revised: 2010-08-21 00:21:12

[Original] The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).


[CNNVD] Apache Mod_SSL Reverse Proxy SSL Remote Buffer Overflow Vulnerability (CNNVD-200410-079)

        Mod_SSL is the SSL implementation for the Apache server, used to provide encryption support for the Apache web server.
        Under certain conditions a vulnerability exists in the handling of the reverse-proxy SSL implementation: when a RewriteRule is used to reverse-proxy SSL to a server running IIS, a segmentation fault can occur in the char_buffer_read function at ssl_engine_io.c:348. A remote attacker could exploit this vulnerability to cause a buffer overflow in the service program.
        

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:apache:http_server:2.0.47  Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.49  Apache Software Foundation Apache HTTP Server 2.0.49
cpe:/a:apache:http_server:2.0.28  Apache Software Foundation Apache HTTP Server 2.0.28
cpe:/a:apache:http_server:2.0.48  Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:apache:http_server:2.0.41  Apache Software Foundation Apache HTTP Server 2.0.41
cpe:/a:apache:http_server:2.0.36  Apache Software Foundation Apache HTTP Server 2.0.36
cpe:/a:apache:http_server:2.0.40  Apache Software Foundation Apache HTTP Server 2.0.40
cpe:/a:apache:http_server:2.0.37  Apache Software Foundation Apache HTTP Server 2.0.37
cpe:/a:apache:http_server:2.0.42  Apache Software Foundation Apache HTTP Server 2.0.42
cpe:/a:apache:http_server:2.0.35  Apache Software Foundation Apache HTTP Server 2.0.35
cpe:/a:apache:http_server:2.0.45  Apache Software Foundation Apache HTTP Server 2.0.45
cpe:/a:apache:http_server:2.0.50  Apache Software Foundation Apache HTTP Server 2.0.50
cpe:/a:apache:http_server:2.0.43  Apache Software Foundation Apache HTTP Server 2.0.43
cpe:/a:apache:http_server:2.0.39  Apache Software Foundation Apache HTTP Server 2.0.39
cpe:/a:apache:http_server:2.0.44  Apache Software Foundation Apache HTTP Server 2.0.44
cpe:/a:apache:http_server:2.0.46  Apache Software Foundation Apache HTTP Server 2.0.46
cpe:/a:apache:http_server:2.0.32  Apache Software Foundation Apache HTTP Server 2.0.32
cpe:/a:apache:http_server:2.0  Apache Software Foundation Apache HTTP Server 2.0
cpe:/a:apache:http_server:2.0.38  Apache Software Foundation Apache HTTP Server 2.0.38

- OVAL (technical details for detection)

oval:org.mitre.oval:def:11864  The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to...
*OVAL describes the method for detecting this vulnerability in detail; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0751
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0751
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-079
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17273
(VENDOR_ADVISORY)  XF  apache-modssl-speculative-dos(17273)
http://www.redhat.com/support/errata/RHSA-2004-463.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:463
http://www.trustix.org/errata/2004/0047/
(UNKNOWN)  TRUSTIX  2004-0047
http://www.novell.com/linux/security/advisories/2004_30_apache2.html
(UNKNOWN)  SUSE  SUSE-SA:2004:030
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:096
(UNKNOWN)  MANDRAKE  MDKSA-2004:096
http://www.gentoo.org/security/en/glsa/glsa-200409-21.xml
(UNKNOWN)  GENTOO  GLSA-200409-21
http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
(UNKNOWN)  CONFIRM  http://issues.apache.org/bugzilla/show_bug.cgi?id=30134
http://archives.neohapsis.com/archives/bugtraq/2004-09/0096.html
(UNKNOWN)  BUGTRAQ  20040911 Remote buffer overflow in Apache mod_ssl when reverse proxying SSL

- Vulnerability information

Apache Mod_SSL Reverse Proxy SSL Remote Buffer Overflow Vulnerability
Medium  Other
2004-10-20 00:00:00 2012-12-07 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        Apache
        ------
        The vendor has released an upgrade to fix this security issue; download it from the vendor's home page:
        Apache Software Foundation Upgrade httpd-2.0.51.tar.gz

        http://www.apache.org/dist/httpd/httpd-2.0.51.tar.gz

- Vulnerability information (24590)

Apache 2.0.x mod_ssl Remote Denial of Service Vulnerability (EDBID:24590)
linux dos
2004-09-10 Verified
0 M. "Alex" Hankins
N/A [Download]
source: http://www.securityfocus.com/bid/11154/info

Apache 2.x mod_ssl is reported prone to a remote denial of service vulnerability. This issue likely exists because the application fails to handle exceptional conditions. The vulnerability originates in the 'char_buffer_read' function of the 'ssl_engine_io.c' file. 

It is likely that this issue only results in a denial of service condition in a child process. This BID will be updated as more information becomes available.

Apache 2.0.50 is reported to be affected by this issue, however, it is possible that other versions are vulnerable as well.

With the following configuration in httpd.conf:
Listen 47290
SSLProxyEngine on
RewriteEngine on
RewriteRule /(.*) https://www.example.com/$1 [P]

The server may be crashed by issuing the following URI:
http://www.example.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242

- Vulnerability information (F34325)

modSSLreverse.txt (PacketStormID:F34325)
2004-09-13 00:00:00
M. Alex Hankins  
advisory
CVE-2004-0751
[Download]

mod_ssl segmentation faults in the char_buffer_read function when reverse proxying SSL originating from an IIS server. Verified in build 2.0.50.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30134

Summary: Segmentation fault in char_buffer_read when reverse proxying SSL (Version 2.0.50)
Reporter: lxhankins002 at fastmail.fm (M. "Alex" Hankins)
 
Overview Description:
 
Intermittent segmentation faults occur in char_buffer_read at
ssl_engine_io.c:348 when using a RewriteRule to do reverse proxying to an SSL
origin server running IIS.
 
    Steps to Reproduce:
 
1) Set up an IIS server using SSL and running eRoom 6.
 
2) Add the following directives to httpd.conf:
 
Listen 47290
SSLProxyEngine on
RewriteEngine on
RewriteRule /(.*) https://some.eroom6.iis.server.com/$1 [P]
 
3) Visit a URL similar to the following:
 
http://reverse.proxy.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242
 
If that doesn't cause the segfault, click around for a while.
 
(Yes, reverse proxying from non-SSL to SSL is not a good idea, but it keeps the
example simpler.)
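As an added defender-side example (not part of the bug report, the PacketStorm advisory or the Apache project), the following Python script audits an httpd installation for the combination the report describes: a build older than 2.0.51 (the fixed release named in the advisory on this page) together with SSLProxyEngine on and a RewriteRule that proxies ([P]) to an https:// origin. It also flags ProxyPass directives pointing at https:// targets, on the assumption that they reach the same mod_proxy/mod_ssl read path; the configuration fragment, the banner string and the function names are constructed for the example.

```python
import re
from typing import List, Tuple

# Version that ships the fix, per the advisory on this page.
FIXED_VERSION = (2, 0, 51)

# Constructed sample: the directives from the bug report plus a comment line.
SAMPLE_CONF = """\
Listen 47290
SSLProxyEngine on
RewriteEngine on
# forward everything to the SSL origin
RewriteRule /(.*) https://some.eroom6.iis.server.com/$1 [P]
"""


def parse_version(banner: str) -> Tuple[int, int, int]:
    """Pull the version tuple out of `httpd -v` output (e.g. 'Server version: Apache/2.0.50')."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version string found in banner")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def _is_proxy_flag(flags: str) -> bool:
    """True if a RewriteRule flag list such as '[P]' or '[P,L]' contains the proxy flag."""
    return any(f.strip().upper() == "P" for f in flags.strip("[]").split(","))


def risky_proxy_rules(conf_text: str) -> List[str]:
    """Return directives that reverse-proxy to an https:// origin while SSLProxyEngine is on.

    Only simple, unquoted single-line directives are handled; a real audit would
    also follow Include directives and <VirtualHost> scoping. ProxyPass is
    flagged as well (assumption: it exercises the same mod_proxy -> mod_ssl path).
    """
    ssl_proxy_on = False
    hits: List[str] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "sslproxyengine":
            ssl_proxy_on = len(parts) > 1 and parts[1].lower() == "on"
        elif directive == "rewriterule" and len(parts) >= 4:
            target, flags = parts[2], parts[3]
            if target.lower().startswith("https://") and _is_proxy_flag(flags):
                hits.append(line)
        elif directive == "proxypass" and any(p.lower().startswith("https://") for p in parts[1:]):
            hits.append(line)
    return hits if ssl_proxy_on else []


def is_vulnerable(banner: str, conf_text: str) -> bool:
    """Vulnerable = unpatched build AND a configuration that exercises the SSL proxy path."""
    return parse_version(banner) < FIXED_VERSION and bool(risky_proxy_rules(conf_text))


if __name__ == "__main__":
    # Constructed banner in the shape `httpd -v` prints.
    banner = "Server version: Apache/2.0.50\nServer built:   Jul 14 2004"
    for rule in risky_proxy_rules(SAMPLE_CONF):
        print("SSL reverse-proxy rule:", rule)
    print("vulnerable:", is_vulnerable(banner, SAMPLE_CONF))
```

The point of requiring both conditions is that the crash lives in the proxy-to-SSL read path, so a 2.0.50 host that never proxies to an https:// origin is not exposed through this bug, while a host that does should be upgraded to 2.0.51 rather than merely have the rule removed.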
 
    Actual Results:
 
Segmentation fault in error_log:
[Thu Jul 15 19:38:36 2004] [notice] child pid 42 exit signal Segmentation fault
(11), possible coredump in /usr/local/httpd-2.0.50
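An added detection example (not from the bug report): this Python script parses the error_log line format quoted above and flags bursts of prefork children dying by signal, which is how this crash shows up on the server side. The log lines are constructed for the example; the first reproduces the format of the quoted line, and the 60-second window and threshold of three are arbitrary starting points.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample error_log; the first line reproduces the format quoted in the report.
SAMPLE_ERROR_LOG = """\
[Thu Jul 15 19:38:36 2004] [notice] child pid 42 exit signal Segmentation fault (11), possible coredump in /usr/local/httpd-2.0.50
[Thu Jul 15 19:38:40 2004] [notice] child pid 57 exit signal Segmentation fault (11), possible coredump in /usr/local/httpd-2.0.50
[Thu Jul 15 19:38:41 2004] [error] [client 10.0.0.5] File does not exist: /usr/local/htdocs/favicon.ico
[Thu Jul 15 19:39:02 2004] [notice] child pid 61 exit signal Segmentation fault (11), possible coredump in /usr/local/httpd-2.0.50
[Thu Jul 15 20:10:00 2004] [notice] child pid 70 exit signal Segmentation fault (11), possible coredump in /usr/local/httpd-2.0.50
"""

# Apache 2.0 prefork reports a child killed by a signal with this [notice] line.
CHILD_SIGNAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) exit signal "
    r"(?P<signame>[^(]+?) \((?P<signo>\d+)\)"
)

Crash = Tuple[datetime, int, int]  # (timestamp, pid, signal number)


def parse_child_crashes(log_text: str) -> List[Crash]:
    """Extract every child-killed-by-signal event from error_log text."""
    crashes: List[Crash] = []
    for line in log_text.splitlines():
        m = CHILD_SIGNAL_RE.match(line)
        if not m:
            continue
        # Apache's default error_log timestamp; %d also accepts the space-padded day.
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        crashes.append((ts, int(m.group("pid")), int(m.group("signo"))))
    return crashes


def crash_bursts(crashes: List[Crash], window: timedelta = timedelta(seconds=60),
                 threshold: int = 3, signo: int = 11) -> List[datetime]:
    """Return the start time of each window in which >= threshold children died with `signo`.

    A single SIGSEGV child exit is noise on a busy server; a cluster of them on a
    host that reverse-proxies to an SSL origin is worth alerting on. Overlapping
    windows inside one dense burst each produce a start time.
    """
    times = sorted(ts for ts, _pid, sig in crashes if sig == signo)
    bursts: List[datetime] = []
    j = 0
    for i, start in enumerate(times):
        # advance j to the first crash outside the window that starts at `start`
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i >= threshold:
            bursts.append(start)
    return bursts


if __name__ == "__main__":
    events = parse_child_crashes(SAMPLE_ERROR_LOG)
    print(f"{len(events)} child crashes parsed")
    for start in crash_bursts(events):
        print("crash burst starting at", start.isoformat())
```

Pairing this with the configuration audit above gives a useful triage rule: a burst of SIGSEGV child exits on a host whose config proxies to an https:// origin is a strong indicator that this bug is being hit, whether by accident or on purpose.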
 
    Build Date & Platform:
 
2004-07-14 build on SunOS 5.8 SUNW,UltraAX-i2
 
    Additional Information:
 
Here is a stack trace from gdb:
 
#0  0xfef5060c in memcpy ()
   from /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1
#1  0xfeafef54 in char_buffer_read (buffer=0x1649ac,
    in=0x2000 <Address 0x2000 out of bounds>, inl=8192) at ssl_engine_io.c:348
#2  0xfeaff388 in ssl_io_input_read (inctx=0x164990,
    buf=0x1649b8 "Content-Length: 121\r\nCort/Martonia/0_2615\r\nContent-Length:
121\r\nCent-Length: 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea8cc) at ssl_engine_io.c:561
#3  0xfeaff624 in ssl_io_input_getline (inctx=0x164990,
    buf=0x1649b8 "Content-Length: 121\r\nCort/Martonia/0_2615\r\nContent-Length:
121\r\nCent-Length: 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea944) at ssl_engine_io.c:712
#4  0xfeb00118 in ssl_io_filter_input (f=0x1669c0, bb=0x158f98,
    mode=4290685252, block=APR_BLOCK_READ, readbytes=0) at ssl_engine_io.c:1226
#5  0x42978 in ap_get_brigade (next=0x1669c0, bb=0x158f98,
    mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
    at util_filter.c:474
#6  0x4aab4 in net_time_filter (f=0x158e20, b=0x158f98, mode=AP_MODE_GETLINE,
    block=APR_BLOCK_READ, readbytes=0) at core.c:3600
#7  0x42978 in ap_get_brigade (next=0x158e20, bb=0x158f98,
    mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
    at util_filter.c:474
#8  0x43e0c in ap_rgetline_core (s=0xffbeab94, n=8192, read=0xffbeab90,
    r=0x1671b8, fold=1, bb=0x158f98) at protocol.c:214
#9  0x441a4 in ap_getline (s=0xffbeccd8 "Content-Length", n=8192, r=0x1671b8,
    fold=1) at protocol.c:478
#10 0xfe8552d4 in ap_proxy_read_headers (r=0x1821d0, rr=0x1671b8,
    buffer=0xffbeccd8 "Content-Length", size=8192, c=0x1671b8)
    at proxy_util.c:457
#11 0xfe833014 in ap_proxy_http_process_response (p=0x157960, r=0x1821d0,
    p_conn=0x157ee8, origin=0x158168, backend=0x157f00, conf=0xf0268,
    bb=0x157e98, server_portstr=0xffbeed68 ":47290") at proxy_http.c:755
#12 0xfe833ba4 in ap_proxy_http_handler (r=0x1821d0, conf=0xf0268,
    url=0x158038
"/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
proxyname=0x0, proxyport=60776) at proxy_http.c:1121
#13 0xfe85435c in proxy_run_scheme_handler (r=0x1821d0, conf=0xf0268,
    url=0x1839ce
"https://eroomhost.aaa.bbb.com/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
proxyhost=0x0,
    proxyport=0) at mod_proxy.c:1113
#14 0xfe852ed8 in proxy_handler (r=0x1821d0) at mod_proxy.c:418
#15 0x359a8 in ap_run_handler (r=0x1821d0) at config.c:151
#16 0x35fa4 in ap_invoke_handler (r=0x1821d0) at config.c:358
#17 0x32c44 in ap_process_request (r=0x1821d0) at http_request.c:246
#18 0x2df14 in ap_process_http_connection (c=0x157a70) at http_core.c:250
#19 0x40090 in ap_run_process_connection (c=0x157a70) at connection.c:42
#20 0x403a4 in ap_process_connection (c=0x157a70, csd=0x157998)
    at connection.c:175
#21 0x3422c in child_main (child_num_arg=5) at prefork.c:609
#22 0x343ac in make_child (s=0x8edb0, slot=5) at prefork.c:703
#23 0x345fc in perform_idle_server_maintenance (p=0x8c690) at prefork.c:838
#24 0x34a34 in ap_mpm_run (_pconf=0x0, plog=0x63400, s=0x83000)
    at prefork.c:1039
#25 0x3ad44 in main (argc=3, argv=0xffbef4ac) at main.c:617


Solution:  A fix is available via CVS at:

http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
    

- Vulnerability information

9742
Apache HTTP Server mod_ssl char_buffer_read Function Reverse Proxy DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Apache contains a flaw that may allow a remote denial of service. The issue is triggered when a remote attacker aborts an SSL connection in a particular state causing an infinite loop to occur. The flaw occurs in ssl_engine_io.c when using a RewriteRule to do reverse proxying to an SSL server.

- Timeline

2004-09-02 Unknown
2004-09-11 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:
1. Disable mod_ssl in your Apache configuration file.
2. If you're running one of the Red Hat Enterprise operating systems, you can apply an appropriate RPM from the RHSA link above.
3. There's a workaround available from CVS. It has not been tested and should be considered unstable:
--- httpd-2.0/modules/ssl/ssl_engine_io.c 2004/07/13 18:11:22 1.124 +++ httpd-2.0/modules/ssl/ssl_engine_io.c 2004/08/11 13:19:24 1.125 @@ -589,6 +589,10 @@ while (1) { if (!inctx->filter_ctx->pssl) { + /* Ensure a non-zero error code is returned */ + if (inctx->rc == APR_SUCCESS) { + inctx->rc = APR_EGENERAL; + } break; }
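Review bot: the guard added inside the `if (!inctx->filter_ctx->pssl)` branch only rewrites `inctx->rc` when it is still `APR_SUCCESS`, so the `break` out of the `while (1)` loop can no longer report success with no data consumed, which is the stall the description above attributes to an aborted SSL connection; preserving an earlier error code takes the right priority. Two things are missing from the hunk itself: a comment on why `pssl` can be NULL at this point, and the rest of the context the `@@ -589,6 +589,10 @@` header promises (six original lines, four shown), so the text as printed here cannot be applied verbatim. Also reconcile the revisions: this diff is 1.124 to 1.125, while the Bugzilla solution above points at 1.125 to 1.126, so take the fix from the Apache CVS history rather than from this record, and since the note calls it untested, run the reproduction steps from the bug report against the rebuilt binary before deploying it.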

- Related references

- Vulnerability author

- Vulnerability information

Apache mod_ssl Remote Denial of Service Vulnerability
Failure to Handle Exceptional Conditions 11154
Yes No
2004-09-10 12:00:00 2009-07-12 07:06:00
Discovery is credited to M. "Alex" Hankins <lxhankins002@fastmail.fm>.

- Affected program versions

Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Enterprise Linux 2.0
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Enterprise Linux AS 3
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
HP Tru64 UNIX Compaq Secure Web Server 6.3
HP Tru64 UNIX Compaq Secure Web Server 5.9.2
HP Tru64 UNIX Compaq Secure Web Server 5.9.1
HP Tru64 UNIX Compaq Secure Web Server 5.8.2
HP Tru64 UNIX Compaq Secure Web Server 5.8.1
HP Tru64 UNIX Compaq Secure Web Server 5.1 A
HP Tru64 UNIX Compaq Secure Web Server 5.1
HP Tru64 UNIX Compaq Secure Web Server 5.0 A
HP Tru64 UNIX Compaq Secure Web Server 4.0 G
HP Tru64 UNIX Compaq Secure Web Server 4.0 F
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux 1.4
Conectiva Linux 10.0
Conectiva Linux 9.0
Apache Software Foundation Apache 2.0.50
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
Apache Software Foundation Apache 2.0.47
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.3.4
+ Apple Mac OS X Server 10.3.3
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
HP Tru64 UNIX Compaq Secure Web Server 6.3.2 a
Apache Software Foundation Apache 2.0.51
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1

- Unaffected program versions

HP Tru64 UNIX Compaq Secure Web Server 6.3.2 a
Apache Software Foundation Apache 2.0.51
+ Red Hat Fedora Core2
+ Red Hat Fedora Core1

- Vulnerability discussion

Apache 2.x mod_ssl is reported prone to a remote denial of service vulnerability. This issue likely exists because the application fails to handle exceptional conditions. The vulnerability originates in the 'char_buffer_read' function of the 'ssl_engine_io.c' file.

It is likely that this issue only results in a denial of service condition in a child process. This BID will be updated as more information becomes available.

Apache 2.0.50 is reported to be affected by this issue, however, it is possible that other versions are vulnerable as well.

- Exploit

No exploit is required.

The following proof of concept is available:

With the following configuration in httpd.conf:
Listen 47290
SSLProxyEngine on
RewriteEngine on
RewriteRule /(.*) https://www.example.com/$1 [P]

The server may be crashed by issuing the following URI:
http://www.example.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242

- Solution

Turbolinux has released advisory TLSA-2005-01-13 along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

HP has released an advisory (HPSBGN01091) and an update to fix this vulnerability and other vulnerabilities in Secure Web Server for Tru64 UNIX; the Secure Web Server product is based on Apache.

SuSE has released advisory SUSE-SA:2004:030 and fixes that eliminate this vulnerability. Please see the referenced advisory.

RedHat has released advisory RHSA-2004:463-09 along with fixes to address these issues for RedHat Enterprise Linux operating systems. Please see the referenced advisory for further information.

Mandrake Linux has released an advisory (MDKSA-2004:096) along with fixes dealing with this issue. Please see the referenced advisory for more information.

Trustix Secure Linux has released an advisory (TSLSA-2004-0047) along with fixes dealing with this, and other issues. Please see the referenced advisory for further information.

Gentoo Linux has released advisory GLSA 200409-21 to address this, and other issues. Please see the referenced advisory for further information. Users of affected packages are urged to execute the following with superuser privileges:
emerge sync
emerge -pv ">=net-www/apache-2.0.51"
emerge ">=net-www/apache-2.0.51"
emerge -pv ">=net-www/mod_dav-1.0.3-r2"
emerge ">=net-www/mod_dav-1.0.3-r2"

Conectiva Linux has released advisory CLA-2004:868 along with fixes to address this, and other issues. Please see the referenced advisory for further information.

Red Hat Fedora has released an advisory (FEDORA-2004-313) along with fixes dealing with this and other issues. Please see the referenced advisory for more information.

Apache has released version 2.0.51, as well as a patch for previous versions:

HP has released an advisory (HPSBUX01090) to address various issues affecting HP-UX running Apache and PHP. Please see the referenced advisory for more information.

Apple has released an advisory (APPLE-SA-2004-12-02) dealing with this and other issues. Please see the referenced advisory for more information.


Apache Software Foundation Apache 2.0.47

Apache Software Foundation Apache 2.0.50

HP Tru64 UNIX Compaq Secure Web Server 4.0 F

HP Tru64 UNIX Compaq Secure Web Server 4.0 G

HP Tru64 UNIX Compaq Secure Web Server 5.0 A

HP Tru64 UNIX Compaq Secure Web Server 5.1

HP Tru64 UNIX Compaq Secure Web Server 5.1 A

HP Tru64 UNIX Compaq Secure Web Server 5.8.1

HP Tru64 UNIX Compaq Secure Web Server 5.8.2

HP Tru64 UNIX Compaq Secure Web Server 5.9.1

HP Tru64 UNIX Compaq Secure Web Server 5.9.2

HP Tru64 UNIX Compaq Secure Web Server 6.3

- Related references

 

 
