Apache Module Vulnerabilities

Updated 4/30/03
CVE-2002-0082
CVE-2002-0653

Impact

A remote attacker, or in one case a local user with a home directory on the server, may be able to crash the Apache process or execute arbitrary commands with the privileges of the web server.

Background

Apache is a widely used, freely available web server developed by the Apache Software Foundation.

Third-party developers have written modules that extend Apache with capabilities that are not part of the basic web server package. One such module is mod_ssl, which provides strong cryptography for the Apache web server using OpenSSL. Apache-SSL is a separate SSL implementation for Apache that also uses OpenSSL to provide secure web services. mod_ntlm adds the ability to use Windows network authentication (NTLM) to control access to selected web pages.

The Problems

3/4/02
CVE-2002-0082
The mod_ssl Apache module and Apache-SSL call the OpenSSL routine i2d_SSL_SESSION, which serializes an SSL session into a caller-supplied buffer. Both mod_ssl and Apache-SSL pass it a fixed-length character array without first checking that the encoded session fits, so a session larger than the array overflows it. This buffer overflow is difficult to exploit, however. An attacker would need to create a very large session, and the only obvious way to do so is to send a very large client certificate. That certificate must be issued by a certificate authority trusted by the web server before the affected code runs at all, and both client certificate authentication and dbm or shared-memory session caching must be enabled for the overflow to be reachable.

Despite the difficulty of exploitation, the problem should still be fixed, since other, more practical, exploitation methods could be discovered at any time. Versions of mod_ssl prior to 2.8.7 and Apache-SSL prior to 1.47 are affected.
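The fixed-buffer pattern described above, beside the length check that removes it, as an added example that is not mod_ssl's or Apache-SSL's code. `i2d_session_stub` is a constructed stand-in that keeps the calling convention of OpenSSL's `i2d_*` functions (pass NULL to get the encoded length; otherwise the encoding is written at `*pp` and the pointer advanced). Its byte layout, the `session_t` structure and the 128-byte cap are assumptions chosen for the demonstration, not the real session encoding or mod_ssl's constant.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for an SSL session: only the fields that drive the encoded size. */
typedef struct {
    unsigned char session_id[32];
    size_t session_id_len;
    const unsigned char *peer_cert;   /* DER client certificate, NULL when none was sent */
    size_t peer_cert_len;
} session_t;

/* Constructed stand-in for i2d_SSL_SESSION with OpenSSL's i2d_* convention:
 * returns the encoded length; with pp == NULL nothing is written, otherwise the
 * encoding is written at *pp and *pp is advanced past it. The layout is invented
 * for this example: 1-byte tag, 2-byte big-endian body length, session id, cert. */
int i2d_session_stub(const session_t *s, unsigned char **pp)
{
    size_t body = s->session_id_len + s->peer_cert_len;
    int total = (int)(3 + body);
    if (pp == NULL)
        return total;
    unsigned char *p = *pp;
    *p++ = 0x30;
    *p++ = (unsigned char)(body >> 8);
    *p++ = (unsigned char)(body & 0xff);
    memcpy(p, s->session_id, s->session_id_len);
    p += s->session_id_len;
    if (s->peer_cert_len) {
        memcpy(p, s->peer_cert, s->peer_cert_len);
        p += s->peer_cert_len;
    }
    *pp = p;
    return total;
}

#define SESSION_DER_MAX 128   /* assumed cap for the demo; the real limit is larger */

/* Vulnerable shape: the serializer writes into a fixed-length array with no check
 * that the session fits, so a session carrying a large client certificate runs
 * past ucaData. Shown for comparison only; never feed it an untrusted session. */
int store_session_vuln(const session_t *s, unsigned char *out)
{
    unsigned char ucaData[SESSION_DER_MAX];
    unsigned char *ucp = ucaData;
    int n = i2d_session_stub(s, &ucp);   /* may write past the end of ucaData */
    memcpy(out, ucaData, (size_t)n);
    return n;
}

/* Hardened shape: ask for the length first (NULL output pointer), refuse anything
 * that does not fit the fixed array or the caller's buffer, and only then serialize. */
int store_session_checked(const session_t *s, unsigned char *out, size_t out_len)
{
    unsigned char ucaData[SESSION_DER_MAX];
    int need = i2d_session_stub(s, NULL);
    if (need <= 0 || (size_t)need > sizeof ucaData || (size_t)need > out_len)
        return -1;                       /* too large to cache: fail closed */
    unsigned char *ucp = ucaData;
    i2d_session_stub(s, &ucp);
    memcpy(out, ucaData, (size_t)need);
    return need;
}

/* Demo helper: build a session with a 32-byte id and a constructed certificate of
 * cert_len bytes (at most 512) and run it through the checked path. */
static unsigned char fake_cert[512];   /* constructed placeholder certificate bytes */

int checked_len_for(size_t cert_len)
{
    session_t s;
    memset(&s, 0, sizeof s);
    memset(s.session_id, 0x5a, sizeof s.session_id);
    s.session_id_len = sizeof s.session_id;
    s.peer_cert = cert_len ? fake_cert : NULL;
    s.peer_cert_len = cert_len;
    unsigned char out[SESSION_DER_MAX];
    return store_session_checked(&s, out, sizeof out);
}

int main(void)
{
    /* 3 + 32 + 93 = 128 bytes fits exactly; one byte more is refused, not overflowed. */
    printf("no cert:       %d\n", checked_len_for(0));
    printf("93-byte cert:  %d\n", checked_len_for(93));
    printf("94-byte cert:  %d\n", checked_len_for(94));
    printf("200-byte cert: %d\n", checked_len_for(200));
    return 0;
}
```

The same length-first idiom applies to any real `i2d_*` call: query with a NULL output pointer, compare against the capacity of the destination, and only then serialize into it.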

7/9/02
CVE-2002-0653
A second vulnerability, in mod_ssl prior to 2.8.10, is a one-byte buffer overflow in the processing of configuration directives. Exploiting it requires placing a long, specially crafted directive in the Apache configuration. Since Apache allows per-directory configuration files (usually called .htaccess) wherever AllowOverride permits them, a local user could exploit this vulnerability with an .htaccess file in his or her own directory. The result would be a denial of service or execution of arbitrary commands with the privileges of the web server.
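A one-byte overflow of the kind described above, as an added example that is not mod_ssl's code: the bounds check accepts an argument exactly as long as the buffer, so the terminating NUL lands one byte past it. The demo harness allocates one spare byte after the buffer and marks it, so the overrun is observable without corrupting anything else. The 16-byte buffer and the directive strings are assumptions for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: the check uses '>' where '>=' is needed, so an argument of
 * exactly buflen bytes passes and the NUL written after it lands at buf[buflen],
 * one byte past the end. That single byte is the whole vulnerability. */
int copy_directive_vuln(char *buf, size_t buflen, const char *arg)
{
    size_t n = strlen(arg);
    if (n > buflen)
        return -1;
    memcpy(buf, arg, n);
    buf[n] = '\0';          /* writes buf[buflen] when n == buflen */
    return 0;
}

/* Fixed shape: reserve room for the terminator in the check itself. */
int copy_directive_fixed(char *buf, size_t buflen, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= buflen)
        return -1;          /* reject rather than silently truncate a directive */
    memcpy(buf, arg, n);
    buf[n] = '\0';
    return 0;
}

/* Demo harness: hand the copy routine a 16-byte window inside a 17-byte
 * allocation, pre-fill the spare byte with a marker and report whether the copy
 * clobbered it. Returns 1 if the byte past the window changed, 0 if it did not,
 * and -1 if the copy was rejected. */
int guard_byte_clobbered(int (*copy)(char *, size_t, const char *), const char *arg)
{
    enum { BUFLEN = 16 };
    unsigned char *mem = malloc(BUFLEN + 1);
    if (mem == NULL)
        return -1;
    memset(mem, 0xAA, BUFLEN + 1);
    int rc = copy((char *)mem, BUFLEN, arg);
    int result = (rc != 0) ? -1 : (mem[BUFLEN] != 0xAA);
    free(mem);
    return result;
}

int main(void)
{
    const char *exact = "SSLRequireSSL123";   /* 16 bytes: fills the window exactly */
    const char *shorter = "SSLRequireSSL12";  /* 15 bytes: leaves room for the NUL */
    printf("vuln, 16-byte arg:  guard clobbered = %d\n", guard_byte_clobbered(copy_directive_vuln, exact));
    printf("fixed, 16-byte arg: guard clobbered = %d\n", guard_byte_clobbered(copy_directive_fixed, exact));
    printf("vuln, 15-byte arg:  guard clobbered = %d\n", guard_byte_clobbered(copy_directive_vuln, shorter));
    return 0;
}
```

A one-byte overwrite is enough because the byte after a stack buffer is typically part of a saved frame pointer or another local; whether it is exploitable for code execution or only for a crash depends on what sits there, which is why the advisory lists both outcomes.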

4/30/03
mod_ntlm 0.4 and earlier for Apache 1.3 and mod_ntlm 0.1 and earlier for Apache 2.0 have two vulnerabilities in their logging code. The first is a buffer overflow: a remote attacker could execute commands on the server by sending a specially crafted input string longer than 2048 bytes. The second is a format string problem: mod_ntlm passes client-supplied data to ap_log_rerror as the format string itself rather than as an argument to a fixed format, so a remote attacker can supply his or her own conversion specifiers, which could lead to arbitrary command execution.
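Both mod_ntlm flaws in one logging routine, beside the hardened form, as an added example that is not mod_ntlm's or Apache's code. `log_rerror_stub` is a constructed printf-style stand-in for ap_log_rerror; the 2048-byte buffer matches the size named above; the `NTLM auth failed:` message text, the sample header contents and the helper names are assumptions for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 2048    /* buffer size named in the advisory */

/* Constructed stand-in for ap_log_rerror: printf-style, renders into `out`. */
int log_rerror_stub(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape, for comparison only (never call it with client data):
 *  1. strcpy into a fixed buffer, so a header longer than LOG_BUF-1 bytes overruns it;
 *  2. the copied header becomes the FORMAT argument, so "%x", "%s" or "%n" inside
 *     it are interpreted by the logger instead of being logged as text. */
void log_auth_failure_vuln(char *out, size_t out_len, const char *header)
{
    char buf[LOG_BUF];
    strcpy(buf, header);                 /* unbounded copy */
    log_rerror_stub(out, out_len, buf);  /* client-controlled format string */
}

/* Hardened shape: bounded copy with explicit truncation, and the client data
 * passed as an argument to a fixed format so it can never be interpreted. */
int log_auth_failure_safe(char *out, size_t out_len, const char *header)
{
    char buf[LOG_BUF];
    size_t n = strlen(header);
    if (n >= sizeof buf)
        n = sizeof buf - 1;              /* truncate, keep room for the NUL */
    memcpy(buf, header, n);
    buf[n] = '\0';
    return log_rerror_stub(out, out_len, "NTLM auth failed: %s", buf);
}

/* Review aid: count conversion specifiers ('%' not followed by '%') in client data.
 * Any non-zero count in a string that reaches a format argument is a bug. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {               /* literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Demo helpers returning the rendered log line from a static buffer. */
static char line[LOG_BUF + 64];

const char *safe_log_line(const char *header)
{
    log_auth_failure_safe(line, sizeof line, header);
    return line;
}

/* Builds a header of `len` 'A' bytes (capped below 8192), like an oversized NTLM
 * token, and returns the safe log line for it. */
const char *safe_log_line_for_length(size_t len)
{
    static char header[8192];
    if (len >= sizeof header)
        len = sizeof header - 1;
    memset(header, 'A', len);
    header[len] = '\0';
    return safe_log_line(header);
}

int main(void)
{
    const char *hostile = "%s%s%n%x";    /* constructed sample header */
    printf("specifiers in sample header: %d\n", count_format_specifiers(hostile));
    printf("safe log line: %s\n", safe_log_line(hostile));
    printf("safe log line for 5000-byte header has %zu chars\n",
           strlen(safe_log_line_for_length(5000)));
    log_auth_failure_vuln(line, sizeof line, "benign literal");   /* harmless input only */
    printf("vulnerable path with benign input: %s\n", line);
    return 0;
}
```

The fix is the same whether the logger is ap_log_rerror, syslog or printf: the format argument is always a literal, and attacker data travels only through `%s`.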

Resolutions

To resolve both mod_ssl vulnerabilities, rebuild Apache with mod_ssl 2.8.10 or higher; to resolve the Apache-SSL vulnerability, upgrade to Apache-SSL 1.47 or higher. Alternatively, use mod_ssl 2.8.7 or higher, which fixes the session cache overflow, and set every AllowOverride directive to None in the Apache configuration file; this disables .htaccess files and so removes a local user's path to the directive overflow.

To resolve the vulnerabilities in mod_ntlm, upgrade to version 0.5 or higher for Apache 1.3 or version 0.2 or higher for Apache 2.0; at the time of writing these versions were expected to contain a fix. If they are not yet available, disable mod_ntlm in the Apache configuration file and use Basic HTTP authentication instead of NTLM, over an SSL-protected connection, since Basic authentication sends credentials in a form that is trivially decoded.
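The two configuration-level mitigations above (disabling .htaccess files for mod_ssl, and replacing mod_ntlm with Basic authentication) as httpd.conf fragments, added here as an example rather than taken from the advisory, with the weak setting beside the corrected one. The directory paths, the `/intranet` location, the realm name, the `.htpasswd` location and the module name in the LoadModule line are assumptions.

```apache
# --- Weak: per-directory overrides enabled, so any local user with a home
# directory can plant an .htaccess file carrying a long mod_ssl directive.
# <Directory /home/*/public_html>
#     AllowOverride All
# </Directory>

# --- Corrected: disable .htaccess processing everywhere. Any value other than
# None keeps .htaccess alive for some class of directives, so check every
# <Directory> block, not just the document root.
<Directory />
    AllowOverride None
</Directory>
<Directory /home/*/public_html>
    AllowOverride None
</Directory>

# --- mod_ntlm: comment out the module until a fixed release is installed.
# Module and library names are assumed; use the ones from your own config.
# LoadModule ntlm_module libexec/mod_ntlm.so
# (Apache 1.3 builds also carry a matching AddModule line to remove.)

# ...and protect the same pages with Basic authentication instead, served
# only over SSL so the base64-encoded credentials never cross the wire in clear.
<Location /intranet>
    SSLRequireSSL
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile /usr/local/apache/conf/.htpasswd
    Require valid-user
</Location>
```

After editing, run `apachectl configtest`, then confirm no override survives with `grep -ri allowoverride` across the configuration directory; a single block left at `All` or `AuthConfig` re-opens the .htaccess path for users under it.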

Where can I read more about this?

The session cache vulnerability in mod_ssl and Apache-SSL was announced in CIAC Bulletin M-053, on Bugtraq, and in an Apache-SSL advisory. The one-byte buffer overflow in mod_ssl was posted to Bugtraq.

The vulnerabilities in mod_ntlm were posted to Bugtraq.