Apache prior 1.3.33 Mod_Proxy Remote Negative Content-Length Buffer Overflow Vulnerability 1.0
 
Plugin ID: 279
Plugin name: Apache prior 1.3.33 Mod_Proxy Remote Negative Content-Length Buffer Overflow Vulnerability
Plugin filename: Apache mod_proxy Buffer Overflow.plugin
Plugin filesize: 4035 bytes
Plugin family: Denial of Service
Plugin created name: David Nester
Plugin created email: david at icrew dot org
Plugin created web: http://www.icrew.org
Plugin created company: iCrew Security
Plugin created date: 2004/12/03
Plugin updated name: Marc Ruef
Plugin updated email: marc dot ruef at computec dot ch
Plugin updated web: http://www.computec.ch
Plugin updated company: computec.ch
Plugin updated date: 2004/12/05
Plugin version: 1.0
Plugin protocol: tcp
Plugin port: 80
Plugin procedure detection: open|send HEAD / HTTP/1.0\n\n|sleep|close|pattern_exists HTTP/#.# ### *Apache/1.3.[1-2]* OR HTTP/#.# ### *Apache/1.3.3[0-2]*
Plugin detection accuracy: 80
Plugin comment: This plugin was written with the ATK Attack Editor.
Bug published name: Georgi Guninski
Bug published email: guninski at guninski dot com
Bug published web: http://www.guninski.com/modproxy1.html
Bug published company: Georgi Guninski
Bug published date: 2004/06/10
Bug produced name: Apache Software Foundation
Bug produced email: apache at apache dot org
Bug produced web: http://httpd.apache.org
Bug not affected: Other versions or solutions
Bug vulnerability class: Buffer Overflow
Bug description: Note: This check is designed to identify hosts running vulnerable versions of Apache. It does not attempt to exploit the vulnerability on the intended host. If the application has been patched and the version has not been incremented in the banner, this check may report the host as vulnerable. A remote buffer overflow vulnerability exists in Apache mod_proxy. The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may be triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy. Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms. This issue affects Apache servers 1.3.26 through 1.3.32 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue.
Bug solution: This vulnerability is resolved by upgrading to the latest version available from: http://httpd.apache.org
Bug fixing time: Approx. 1 hour
Bug exploit availability: Yes
Bug exploit url: http://www.guninski.com/modproxy1.html
Bug remote: Yes
Bug local: No
Bug severity: High
Bug popularity: 6
Bug simplicity: 5
Bug impact: 9
Bug risk: 6
Bug Nessus risk: High
Bug ISS Scanner rating: High
Source CVE: CAN-2004-0492
Source ISS X-Force ID: 16387
Source Literature: Hacking Exposed: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray and George Kurtz, February 25, 2003, 4th Edition, McGraw-Hill Osborne Media, ISBN 0072227427
Source Misc.: http://www.apacheweek.com/features/security-13

This file was generated by the Attack Tool Kit (ATK), the open-sourced security scanner and exploiting framework.