Plugin ID | 279 |
Plugin name | Apache prior 1.3.33 Mod_Proxy Remote Negative Content-Length Buffer Overflow Vulnerability |
Plugin filename | Apache mod_proxy Buffer Overflow.plugin |
Plugin filesize | 4035 bytes |
Plugin family | Denial of Service |
Plugin created name | David Nester |
Plugin created email | david at icrew dot org |
Plugin created web | http://www.icrew.org |
Plugin created company | iCrew Security |
Plugin created date | 2004/12/03 |
Plugin updated name | Marc Ruef |
Plugin updated email | marc dot ruef at computec dot ch |
Plugin updated web | http://www.computec.ch |
Plugin updated company | computec.ch |
Plugin updated date | 2004/12/05 |
Plugin version | 1.0 |
Plugin protocol | tcp |
Plugin port | 80 |
Plugin procedure detection | open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/#.# ### *Apache/1.3.[1-2]* OR HTTP/#.# ### *Apache/1.3.3[0-2]* |
Plugin detection accuracy | 80 |
Plugin comment | This plugin was written with the ATK Attack Editor. |
Bug published name | Georgi Guninski |
Bug published email | guninski at guninski dot com |
Bug published web | http://www.guninski.com/modproxy1.html |
Bug published company | Georgi Guninski |
Bug published date | 2004/06/10 |
Bug produced name | Apache Software Foundation |
Bug produced email | apache at apache dot org |
Bug produced web | http://httpd.apache.org |
Bug not affected | Other versions or solutions |
Bug vulnerability class | Buffer Overflow |
Bug description | Note: This check is designed to identify hosts running vulnerable versions of Apache. It does not attempt to exploit the vulnerability on the intended host. If the application has been patched and the version has not been incremented in the banner, this check may report the host as vulnerable. A remote buffer overflow vulnerability exists in Apache mod_proxy. The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may be triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy. Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms. This issue affects Apache servers 1.3.26 through 1.3.32 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue. |
Bug solution | This vulnerability is resolved by upgrading to the latest version available from: http://httpd.apache.org |
Bug fixing time | Approx. 1 hour |
Bug exploit availability | Yes |
Bug exploit url | http://www.guninski.com/modproxy1.html |
Bug remote | Yes |
Bug local | No |
Bug severity | High |
Bug popularity | 6 |
Bug simplicity | 5 |
Bug impact | 9 |
Bug risk | 6 |
Bug Nessus risk | High |
Bug ISS Scanner rating | High |
Source CVE | CAN-2004-0492 |
Source ISS X-Force ID | 16387 |
Source Literature | Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427 |
Source Misc. | http://www.apacheweek.com/features/security-13 |