Home / vulnerabilitiesPDF  

Apache 2.2.29 protocol.c Null Pointer Dereference

Posted on 15 April 2015
Source : packetstormsecurity.org Link

 

-=[Advanced Information Security Corporation]=-

Advisory for Apache Http Server 2.2.29 / 2.4.12 NULL Pointer Dereference

Author: Nicholas Lemonias
Advisory Date: 14/4/2015
Email: lem.nikolas (at) gmail (dot) com

Introduction
==========
During a source-code audit of the Apache HTTPD 2.2.29 / 2.4.12 release
implementation for linux; conducted internally by the Advanced
Information Security
Group, instances of insecure function use were observed, which could
possibly lead to attacks.

Software Overview
===============

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems including UNIX
and Windows NT. The goal of this project is to provide a secure,
efficient and extensible server that provides HTTP services in sync
with the current HTTP standards.

Apache httpd was launched in 1995, has been the most popular web
server on the Internet since April 1996.

Affected code
===============
* protocol.c --- routines which directly communicate with the client.
*
* Code originally by Rob McCool; much redone by Robert S. Thau
* and the Apache Software Foundation.

PoC 1 - Code Snippet [CWE-476]
==============================
(..httpd-2.2.29serverprotocol.c:1286)
(..httpd-2.4.12serverprotocol.c:1286)

...

AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(
ap_filter_t *f,
apr_bucket_brigade *b)
{
request_rec *r = f->r;
struct content_length_ctx *ctx;
apr_bucket *e;
int eos = 0;
apr_read_type_e eblock = APR_NONBLOCK_READ;

ctx = f->ctx;
if (!ctx) {
f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx));
ctx->data_sent = 0;
}

Description: Code at line 1286 is vulnerable to a Null Pointer
Derference security issue, where (request_rec *r = f->r;). The
filter is used to compute the Content-Length, but it also computes the
number of bytes sent to the client.
......................................................................................................
The filter will always run through all of the buckets in all brigades.
The (request_rec *r = f->r;) is user-controllable and can be set to
NULL using a supplied parameter. The issue stems from the lack of any
control metrics on the return value of (f) ~ line 1286 (to ensure that
is non-NULL.)

[1] CWE Mitre. (2015) CWE - Null Pointer Dereference - 476 [Online]
Available at: https://cwe.mitre.org/data/definitions/476.html
[Last Accessed 14 April, 2015]

 

TOP

Malware :

Exploits :