Apache mod_rewrite contains off-by-one error in ldap scheme handling
A vulnerability in a common Apache HTTP server module, mod_rewrite, could allow a remote attacker to execute arbitrary code on an affected web server.
I. Description
The Apache HTTP server distribution includes a number of supplemental modules that provide additional functionality to the web server. One of these modules, mod_rewrite, provides a rule-based rewriting engine to rewrite requested URLs “on the fly” based on regular expressions.An off-by-one error exists in the ldap scheme handling in mod_rewrite. For some RewriteRules, specifically those where the remote user can influence the beginning of a rewritten URL and that do not include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE), this could lead to a pointer being written out of bounds. This flaw causes a remotely exploitable vulnerability on web servers that have mod_rewrite enabled (configuration directive “RewriteEngine on“) and configured to use certain rules. For example, rules with this format expose the vulnerability:
- RewriteRule fred/(.*) $1
While rules with this format do not expose the vulnerability:
- RewriteRule fred/(.*) joe/$1
The versions of the mod_rewrite module supplied with the Apache HTTP server versions
- 1.3 branch from 1.3.28
- 2.0 branch from 2.0.46
- 2.2 branch from 2.2.0
are vulnerable to this issue but earlier versions are not. The Apache Software Foundation notes that mod_rewrite is not enabled and configured as a normal default, however it is a commonly used module and may be provided in a vulnerable configuration by redistributors.
II. Impact
An attacker may be able to execute arbitrary code in the context of the web server user (e.g., “apache“, “httpd“, “nobody“, “SYSTEM“, etc.). The Apache Software Foundation notes that, due to the nature of the underlying flaw, successful exploitation is dependent upon the stack frame layout of apache running on the target host.
III. Solution
Apply a patch from the vendor
Patches have been released to address this vulnerability. Please see the Systems Affected section of this document for more details.
Workarounds
Disable mod_rewrite if it is not required in your web server configuration. Instructions for doing this can be found in the Apache HTTP server documentation. Sites, particularly those that are not able to apply the patches, are encouraged to implement this workaround.
Systems Affected
| Vendor | Status | Date Updated |
|---|---|---|
| Apache HTTP Server Project | Vulnerable | 28-Jul-2006 |
| Apple Computer, Inc. | Not Vulnerable | 27-Jul-2006 |
| Conectiva Inc. | Unknown | 25-Jul-2006 |
| Cray Inc. | Unknown | 25-Jul-2006 |
| Debian GNU/Linux | Unknown | 25-Jul-2006 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 25-Jul-2006 |
| Engarde Secure Linux | Unknown | 25-Jul-2006 |
| F5 Networks, Inc. | Unknown | 25-Jul-2006 |
| Fedora Project | Vulnerable | 27-Jul-2006 |
| FreeBSD, Inc. | Unknown | 25-Jul-2006 |
| Fujitsu | Not Vulnerable | 27-Jul-2006 |
| Gentoo Linux | Unknown | 25-Jul-2006 |
| Hewlett-Packard Company | Unknown | 25-Jul-2006 |
| Hitachi | Unknown | 25-Jul-2006 |
| IBM Corporation | Unknown | 25-Jul-2006 |
| IBM Corporation (zseries) | Unknown | 25-Jul-2006 |
| IBM eServer | Unknown | 27-Jul-2006 |
| Immunix Communications, Inc. | Unknown | 25-Jul-2006 |
| Ingrian Networks, Inc. | Unknown | 25-Jul-2006 |
| Juniper Networks, Inc. | Not Vulnerable | 27-Jul-2006 |
| Mandriva, Inc. | Unknown | 25-Jul-2006 |
| MontaVista Software, Inc. | Unknown | 25-Jul-2006 |
| NEC Corporation | Unknown | 25-Jul-2006 |
| NetBSD | Unknown | 25-Jul-2006 |
| Nokia | Unknown | 28-Jul-2006 |
| Novell, Inc. | Unknown | 25-Jul-2006 |
| OpenBSD | Unknown | 25-Jul-2006 |
| Openwall GNU/*/Linux | Unknown | 25-Jul-2006 |
| Oracle Corporation | Unknown | 25-Jul-2006 |
| QNX, Software Systems, Inc. | Unknown | 25-Jul-2006 |
| Red Hat, Inc. | Not Vulnerable | 27-Jul-2006 |
| Silicon Graphics, Inc. | Unknown | 25-Jul-2006 |
| Slackware Linux Inc. | Unknown | 25-Jul-2006 |
| Sony Corporation | Unknown | 25-Jul-2006 |
| Sun Microsystems, Inc. | Unknown | 25-Jul-2006 |
| SUSE Linux | Unknown | 25-Jul-2006 |
| The SCO Group | Unknown | 25-Jul-2006 |
| Trustix Secure Linux | Unknown | 25-Jul-2006 |
| Turbolinux | Unknown | 25-Jul-2006 |
| Ubuntu | Vulnerable | 27-Jul-2006 |
| Unisys | Unknown | 25-Jul-2006 |
| Wind River Systems, Inc. | Unknown | 25-Jul-2006 |
References
http://www.apache.org/dist/httpd/Announcement2.2.html
http://www.apache.org/dist/httpd/Announcement2.0.html
http://www.apache.org/dist/httpd/Announcement1.3.html
http://secunia.com/advisories/21197/
http://www.niscc.gov.uk/niscc/docs/al-20060728-00515.html?lang=en
Credit
Thanks to Mark Cox of the Apache Software Foundation for reporting this vulnerability. Mark, in turn, credits Mark Dowd of McAfee AVERT Labs with reporting this issue.
This entry was posted on Sunday, July 30th, 2006 at 2:47 am and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
