Date: 14 Sep 2004 18:16:47 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [UNIX] Apache mod_ssl Remote Buffer Overflow When Performing SSL Reverse Proxy
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache mod_ssl Remote Buffer Overflow When Performing SSL Reverse Proxy
------------------------------------------------------------------------
SUMMARY
mod_ssl has been found to be susceptible to a buffer overflow when
performing an SSL reverse proxying.
DETAILS
Vulnerable Systems:
* Apache with mod_ssl, version 2.0.50
Immune Systems:
* Apache with mod_ssl, latest CVS (see below)
Intermittent segmentation faults occur in char_buffer_read at
ssl_engine_io.c:348 when using a RewriteRule to do reverse proxying to an
SSL origin server running IIS. In order to reproduce this problem:
* Set up an IIS server using SSL and running eRoom 6.
* Add the following directives to httpd.conf:
Listen 47290
SSLProxyEngine on
RewriteEngine on
RewriteRule /(.*) https://some.eroom6.iis.server.com/$1 [P]
* Visit a URL such as the following:
http://reverse.proxy.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242.
If this doesn't cause the segmentation fault immediately, clicking around
for a while will eventually trigger it.
Note: Reverse proxying from non-SSL to SSL is not a good idea, but it
keeps the example simpler.
A link to the bugzilla tracking system for Apache which describes the bug
is provided for convenience:
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30134>;
http://issues.apache.org/bugzilla/show_bug.cgi?id=30134.
A log file of the error is listed below:
[Thu Jul 15 19:38:36 2004] [notice] child pid 42 exit signal Segmentation
fault
(11), possible coredump in /usr/local/httpd-2.0.50
Build Date & Platform:
2004-07-14 build on SunOS 5.8 SUNW,UltraAX-i2
And a stack trace from gdb is also available:
#0 0xfef5060c in memcpy ()
from /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1
#1 0xfeafef54 in char_buffer_read (buffer=0x1649ac,
in=0x2000 <Address 0x2000 out of bounds>, inl=8192) at
ssl_engine_io.c:348
#2 0xfeaff388 in ssl_io_input_read (inctx=0x164990,
buf=0x1649b8 "Content-Length:
121\r\nCort/Martonia/0_2615\r\nContent-Length:
121\r\nCent-Length: 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea8cc) at
ssl_engine_io.c:561
#3 0xfeaff624 in ssl_io_input_getline (inctx=0x164990,
buf=0x1649b8 "Content-Length:
121\r\nCort/Martonia/0_2615\r\nContent-Length:
121\r\nCent-Length: 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea944) at
ssl_engine_io.c:712
#4 0xfeb00118 in ssl_io_filter_input (f=0x1669c0, bb=0x158f98,
mode=4290685252, block=APR_BLOCK_READ, readbytes=0) at
ssl_engine_io.c:1226
#5 0x42978 in ap_get_brigade (next=0x1669c0, bb=0x158f98,
mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
at util_filter.c:474
#6 0x4aab4 in net_time_filter (f=0x158e20, b=0x158f98,
mode=AP_MODE_GETLINE,
block=APR_BLOCK_READ, readbytes=0) at core.c:3600
#7 0x42978 in ap_get_brigade (next=0x158e20, bb=0x158f98,
mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
at util_filter.c:474
#8 0x43e0c in ap_rgetline_core (s=0xffbeab94, n=8192, read=0xffbeab90,
r=0x1671b8, fold=1, bb=0x158f98) at protocol.c:214
#9 0x441a4 in ap_getline (s=0xffbeccd8 "Content-Length", n=8192,
r=0x1671b8,
fold=1) at protocol.c:478
#10 0xfe8552d4 in ap_proxy_read_headers (r=0x1821d0, rr=0x1671b8,
buffer=0xffbeccd8 "Content-Length", size=8192, c=0x1671b8)
at proxy_util.c:457
#11 0xfe833014 in ap_proxy_http_process_response (p=0x157960, r=0x1821d0,
p_conn=0x157ee8, origin=0x158168, backend=0x157f00, conf=0xf0268,
bb=0x157e98, server_portstr=0xffbeed68 ":47290") at proxy_http.c:755
#12 0xfe833ba4 in ap_proxy_http_handler (r=0x1821d0, conf=0xf0268,
url=0x158038
"/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
proxyname=0x0, proxyport=60776) at proxy_http.c:1121
#13 0xfe85435c in proxy_run_scheme_handler (r=0x1821d0, conf=0xf0268,
url=0x1839ce
"https://eroomhost.aaa.bbb.com/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
proxyhost=0x0,
proxyport=0) at mod_proxy.c:1113
#14 0xfe852ed8 in proxy_handler (r=0x1821d0) at mod_proxy.c:418
#15 0x359a8 in ap_run_handler (r=0x1821d0) at config.c:151
#16 0x35fa4 in ap_invoke_handler (r=0x1821d0) at config.c:358
#17 0x32c44 in ap_process_request (r=0x1821d0) at http_request.c:246
#18 0x2df14 in ap_process_http_connection (c=0x157a70) at http_core.c:250
#19 0x40090 in ap_run_process_connection (c=0x157a70) at connection.c:42
#20 0x403a4 in ap_process_connection (c=0x157a70, csd=0x157998)
at connection.c:175
#21 0x3422c in child_main (child_num_arg=5) at prefork.c:609
#22 0x343ac in make_child (s=0x8edb0, slot=5) at prefork.c:703
#23 0x345fc in perform_idle_server_maintenance (p=0x8c690) at
prefork.c:838
#24 0x34a34 in ap_mpm_run (_pconf=0x0, plog=0x63400, s=0x83000)
at prefork.c:1039
#25 0x3ad44 in main (argc=3, argv=0xffbef4ac) at main.c:617
Patch Availability:
The Apache development team have already fixed the bug and posted the fix
to the CVS. The fix is available at
<http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126>; http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]>
"JXrXme" ATHIAS.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
