Apache mod_proxy模块HTTP分块编码整数溢出漏洞
发布日期:2010-01-27
更新日期:2010-01-28
受影响系统:
Apache Group Apache 1.3.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 37966
CVE(CAN) ID: CVE-2010-0010
Apache HTTP Server是一款流行的Web服务器。
Apache服务器的mod_proxy模块在执行字符类型转换时存在最终可导致堆溢出的整数溢出漏洞。以下是有漏洞的代码段:
"./src/modules/proxy/proxy_util.c"
long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int nowrite, int chunked, size_t recv_buffer_size)
{
...
size_t buf_size;
long remaining = 0;
...
for (end_of_chunk = ok = 1; ok;) {
...
if (chunked) {
long chunk_start = 0;
n = 0;
/* start of a new chunk */
if (end_of_chunk) {
end_of_chunk = 0;
/* get the chunk size from the stream */
chunk_start = ap_getline(buf, buf_size, f, 0); <---------------- [0] reading line from traffic (socket)
if ((chunk_start <= 0) || ((size_t)chunk_start + 1 >= buf_size) || !ap_isxdigit(*buf)) {
n = -1;
}
/* parse the chunk size */
else {
remaining = ap_get_chunk_size(buf); <---------------- [1] convert readed data to 'long' size!
if (remaining == 0) { /* Last chunk indicated, get footers */
...
...
}
}
else if (remaining < 0) {
n = -1;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r,
"proxy: remote protocol error, invalid chunk size");
}
}
}
/* read the chunk */
if (remaining > 0) {
n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining)); <------------- [2] convert 'long' to 'int' !!!!
if (n > -1) {
remaining -= n;
end_of_chunk = (remaining == 0);
}
}
...
...
}
服务器在读取HTTP头时,如果是分块连接,在[0]处会等待并从套接字读取块大小的数据,在[1]处将所接收到的数据转换为long类型;如果存在正值的块大小,[2]处直接将long类型转换为int类型,这在amd64架构上可能触发整数溢出。
<*来源:Adam Zabrocki ([email protected])
链接:http://site.pi3.com.pl/adv/mod_proxy.txt
http://secunia.com/advisories/38319/
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://site.pi3.com.pl/adv/mod_proxy.txt
建议:
--------------------------------------------------------------------------------
厂商补丁:
Apache Group
------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: