Apache-cookie

Vulnerability Description

Brief description: The Apache httpd (1) web server uses an unchecked buffer to store the hostname associated with a cookie. If httpd is running as root, this buffer can be overflowed to execute arbitrary commands as root.

Full description: In Apache httpd version 1.1.1 and earlier, the buffer used to store the hostname associated with a cookie is 100 bytes long. The hostname is copied into this buffer without its length being checked, allowing an attacker to overflow the buffer and execute commands with the privileges that httpd is running with. The non-default compile-time option mod_cookies must be enabled for the vulnerability to exist. The code causing the vulnerability is in the routine make_cookie():

void make_cookie(request_rec *r)
{
    struct timeval tv;
    char new_cookie[100];       /* blurgh */
    char *dot;
    const char *rname = pstrdup(r->pool,
                                get_remote_host(r->connection, r->per_dir_config,
                                                REMOTE_NAME));
    struct timezone tz = { 0 , 0 };
    if ((dot = strchr(rname,'.'))) *dot='\0';   /* First bit of hostname */
    gettimeofday(&tv, &tz);
    sprintf(new_cookie,"%s%s%d%ld%d; path=/",
        COOKIE_NAME, rname,
        (int)getpid(),
        (long)tv.tv_sec, (int)tv.tv_usec/1000 );
    table_set(r->headers_out,"Set-Cookie",new_cookie);
    return;
}
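The following is an added example, not the advisory's or Apache's own code: it rebuilds the make_cookie() formatting step with a bounded snprintf() and reports whether a given remote hostname would have overrun the original 100-byte new_cookie[] stack buffer. It assumes COOKIE_NAME is "Apache=" and takes the pid and timestamp values (91, 852663571, 64) from the sample Set-Cookie header shown under "Detecting the hole"; both are inferences from that header, not values the page states.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_NAME "Apache="   /* assumed: read off the sample Set-Cookie header */
#define COOKIE_BUF  100         /* size of the original new_cookie[] stack buffer */
/* Bounded version of make_cookie()'s formatting: the first label of host
 * (up to the first '.') is copied, as the original's strchr/'\0' step did,
 * then formatted with snprintf().  Returns the length the value needs (as
 * snprintf does) or -1 if the label is too long; never writes past cookiesz. */
int make_cookie_bounded(const char *host, int pid, long sec, int msec,
                        char *cookie, size_t cookiesz)
{
    char label[512];
    size_t n = strcspn(host, ".");
    if (n >= sizeof label)
        return -1;
    memcpy(label, host, n);
    label[n] = '\0';
    return snprintf(cookie, cookiesz, "%s%s%d%ld%d; path=/",
                    COOKIE_NAME, label, pid, sec, msec);
}

/* 1 if the original sprintf() into a 100-byte stack buffer would have
 * written past its end for this host, 0 if the value fits. */
int would_overflow(const char *host, int pid, long sec, int msec)
{
    char cookie[COOKIE_BUF];
    int need = make_cookie_bounded(host, pid, sec, msec, cookie, sizeof cookie);
    return need < 0 || need + 1 > COOKIE_BUF;   /* +1 for the terminating NUL */
}

/* Rebuild the header shown in the advisory (pid 91, 852663571 s, 64 ms are
 * read off that sample); returns 1 if the bounded version reproduces it. */
int sample_matches(void)
{
    char cookie[COOKIE_BUF];
    int need = make_cookie_bounded("localhost", 91, 852663571L, 64,
                                   cookie, sizeof cookie);
    return need == 37 && strcmp(cookie, "Apache=localhost9185266357164; path=/") == 0;
}

/* Constructed input: a first hostname label of len 'a' characters (len < 512). */
int long_label_overflows(size_t len)
{
    char host[512];
    memset(host, 'a', len);
    host[len] = '\0';
    return would_overflow(host, 91, 852663571L, 64);
}
```

With the sample pid and timestamp the fixed parts of the value take 28 bytes, so a first label of 71 characters still fits the original buffer and one of 72 does not.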

Components: Apache httpd version 1.1.1 or earlier, with mod_cookies enabled; trusted

Systems: Any OS running the Apache web server.

Effect(s) of exploiting: A remote user can execute commands with the privileges of the web server.

Detecting the hole:

    This tells you if a particular web server is vulnerable.

    1. Telnet to port 80 of the system in question. This connects you to the web server.
    2. Send the command
       GET / HTTP/1.0
       Note there are two carriage returns after the 0! You should get back something like this:
       HTTP/1.0 200 OK
       Date: Tue, 07 Jan 1997 18:59:31 GMT
       Server: Apache/1.1.1
       Content-type: text/html
       Set-Cookie: Apache=localhost9185266357164; path=/
       ...
    3. The Server line says the system is running Apache 1.1.1, and the presence of the Set-Cookie line says the server is using cookies. So this server is vulnerable.

Fixing the hole:

    Do one of the following:

    1. Upgrade to a version of Apache later than 1.1.1.

    2. Disable mod_cookies:
         1. Edit the Apache config file to no longer use mod_cookies.
         2. Recompile.
         3. Reinstall and restart.

    3. If running version 1.1.1, apply the following patch:
      *** mod_cookies.c       Tue Jan  7 14:38:15 1997
      --- /usr/tmp/mod_cookies.c      Tue Jan  7 14:38:11 1997
      ***************
      *** 119,125 ****
        void make_cookie(request_rec *r)
        {
            struct timeval tv;
      !     char new_cookie[100];     /* blurgh */
            char *dot;
            const char *rname = pstrdup(r->pool,
                                      get_remote_host(r->connection, r->per_dir_config,
      --- 119,125 ----
        void make_cookie(request_rec *r)
        {
            struct timeval tv;
      !     char new_cookie[1024];    /* blurgh */
            char *dot;
            const char *rname = pstrdup(r->pool,
                                      get_remote_host(r->connection, r->per_dir_config,
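      Review bot: enlarging new_cookie from 100 to 1024 bytes leaves the sprintf() that fills it unbounded, so this hunk is only safe together with the cap on the length of rname added in the hunk that follows; the two must not be applied separately. Formatting with a call bounded by sizeof new_cookie would remove the dependence on that cap altogether.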
      ***************
      *** 128,133 ****
      --- 128,136 ----
            struct timezone tz = { 0 , 0 };
      
            if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */
      +     if (strlen (rname) > 255)
      +       rname[256] = 0;
      +
            gettimeofday(&tv, &tz);
            sprintf(new_cookie,"%s%s%d%ld%d; path=/",
                COOKIE_NAME, rname,
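      Review bot: the new truncation `rname[256] = 0;` writes through rname, which the declaration in the previous hunk makes a `const char *`, so a conforming compiler rejects the assignment; pstrdup() returns a private copy, so dropping the const from that declaration is the simple fix. The bound is also inconsistent with its own check: `strlen (rname) > 255` is tested, but the terminator goes at index 256, leaving a label of up to 256 characters; `rname[255] = 0;` matches the check. Either length fits the 1024-byte buffer together with the pid, timestamp and `; path=/` suffix.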
       Then recompile, reinstall and restart.

Other information:

Keywords

web server cookies buffer overflow root

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0071 -- Apache httpd cookie buffer overflow for versions 1.1.1 and earlier.

Exploit Information

Attack:

Related Information

Advisories: Network Associates Inc. security advisory #2, Vulnerabilities in the Apache httpd ; ISS X-Force database entry http-apache-cookie ; Secure Networks, Inc. security advisory Vulnerabilities in the Apache httpd (the original seems to be no longer available); Apache announcement Security Release: Apache 1.1.3

Related Vulnerabilities:

Reportage

Reporting: Secure Networks Inc. in Bugtraq (Sun Jan 12 1997 18:48:15)

Revision Number 1

  1. Eric Haugh (6/29/2000):
    initial entry