Apache Mod_SSL ssl_util_uuencode_binary Stack Buffer Overflow Vulnerability

Published: 2004-05-17
Updated: 2004-05-21

Affected systems:
Apache Software Foundation Apache 2.0a9
Apache Software Foundation Apache 2.0.49
Apache Software Foundation Apache 2.0.48
Apache Software Foundation Apache 2.0.47
Apache Software Foundation Apache 2.0.46
Apache Software Foundation Apache 2.0.45
Apache Software Foundation Apache 2.0.44
Apache Software Foundation Apache 2.0.43
Apache Software Foundation Apache 2.0.42
Apache Software Foundation Apache 2.0.41
Apache Software Foundation Apache 2.0.40
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0
Apache Software Foundation Apache 1.3.29
Apache Software Foundation Apache 1.3.28
Apache Software Foundation Apache 1.3.26
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.24
Apache Software Foundation Apache 1.3.23
Apache Software Foundation Apache 1.3.22
Apache Software Foundation Apache 1.3.20
Apache Software Foundation Apache 1.3.19
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.17
Apache Software Foundation Apache 1.3.14
Apache Software Foundation Apache 1.3.12
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3
Apache Software Foundation Apache 1.3.27
    - Conectiva Linux 9.0
    - Conectiva Linux 8.0
    - Debian Linux 3.0
    - IBM AIX 4.3.3
    - RedHat Enterprise Linux WS 2.1
    - RedHat Enterprise Linux ES 3
    - RedHat Enterprise Linux ES 2.1
    - RedHat Enterprise Linux AS 3
    - RedHat Enterprise Linux AS 2.1
    - RedHat Linux 8.0
    - RedHat Linux 7.3
    - SGI IRIX 6.5.19
    - SuSE Linux 8.2
    - SuSE Linux 8.1
Description:
BUGTRAQ ID: 10355
CVE(CAN) ID: CVE-2004-0488

Mod_SSL is the SSL implementation for the Apache server; it provides encryption support for the Apache web server.

Apache mod_ssl 2.8.17 and earlier contain a flaw in the ssl_util_uuencode_binary function of the ssl_util.c module. A remote attacker can reach it through the ssl_engine_kernel.c module, which calls this function, to cause a denial of service or possibly execute arbitrary instructions with the privileges of the web server process. The problem code is as follows:

ssl_util.c:
void ssl_util_uuencode_binary(
unsigned char *szTo, const unsigned char *szFrom, int nLength, BOOL bPad)
{
    const unsigned char *s;
    int nPad = 0;

    for (s = szFrom; nLength > 0; s += 3) {
        *szTo++ = ssl_util_uuencode_six2pr[s[0] >> 2];

        *szTo++ = ssl_util_uuencode_six2pr[(s[0] << 4 | s[1] >> 4) & 0x3f];
        if (--nLength == 0) {
            nPad = 2;
            break;
        }
        *szTo++ = ssl_util_uuencode_six2pr[(s[1] << 2 | s[2] >> 6) & 0x3f];
        if (--nLength == 0) {
            nPad = 1;
            break;
        }
        *szTo++ = ssl_util_uuencode_six2pr[s[2] & 0x3f];
        --nLength;
    }
    while(bPad && nPad--)
        *szTo++ = NUL;
    *szTo = NUL;
    return;
}
-------------------------
Clearly, the number of characters written into the destination buffer can be up to 4/3 of the source length, so in certain call sites this causes problems. In the following code, for example, b1 and b2 are both of size MAX_STRING_LEN, so maliciously constructed data can overflow the stack buffer:

ssl_engine_kernel.c:
int ssl_hook_Auth(request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    char b1[MAX_STRING_LEN], b2[MAX_STRING_LEN];
    char *clientdn;

    .....
    ap_snprintf(b1, sizeof(b1), "%s:password", clientdn);
    ssl_util_uuencode(b2, b1, FALSE);
    ap_snprintf(b1, sizeof(b1), "Basic %s", b2);
    .....
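As an added example (not mod_ssl's code or the advisory's), here is the same encoder rewritten so that the caller passes the destination capacity, together with a helper that computes the exact output size; it uses the base64 alphabet that the advisory's listing indexes and the no-padding path (bPad == FALSE) that ssl_hook_Auth uses. The figure of 8192 for MAX_STRING_LEN is Apache's value and is assumed here, not taken from the advisory.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not mod_ssl's code: the advisory's encoder with an
 * explicit destination capacity, plus a helper for the exact output
 * size. Same 64-character alphabet; no padding (the bPad == FALSE path
 * that ssl_hook_Auth uses). */
static const char six2pr[64] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed for the unpadded encoding of n input bytes plus the
 * terminating NUL: ceil(4n/3) + 1. For n = 8191 this is 10923, so a
 * string that fills one MAX_STRING_LEN-sized buffer (8192, Apache's
 * value, assumed here) can never fit in another buffer of the same size. */
size_t uuencode_needed(size_t n)
{
    return (4 * n + 2) / 3 + 1;
}

/* Encodes n bytes of `from` into `to`. Returns the number of characters
 * written (excluding the NUL), or 0 if `to_size` is too small, in which
 * case nothing is written. This bound is the check the original lacks. */
size_t uuencode_binary_safe(char *to, size_t to_size,
                            const unsigned char *from, size_t n)
{
    size_t out = 0;

    if (uuencode_needed(n) > to_size)
        return 0;
    for (; n >= 3; from += 3, n -= 3) {
        to[out++] = six2pr[from[0] >> 2];
        to[out++] = six2pr[((from[0] << 4) | (from[1] >> 4)) & 0x3f];
        to[out++] = six2pr[((from[1] << 2) | (from[2] >> 6)) & 0x3f];
        to[out++] = six2pr[from[2] & 0x3f];
    }
    if (n == 2) {                       /* two trailing bytes -> 3 chars */
        to[out++] = six2pr[from[0] >> 2];
        to[out++] = six2pr[((from[0] << 4) | (from[1] >> 4)) & 0x3f];
        to[out++] = six2pr[(from[1] << 2) & 0x3f];
    } else if (n == 1) {                /* one trailing byte -> 2 chars */
        to[out++] = six2pr[from[0] >> 2];
        to[out++] = six2pr[(from[0] << 4) & 0x3f];
    }
    to[out] = '\0';
    return out;
}
```

A caller in the position of ssl_hook_Auth would pass sizeof(b2) and treat a 0 return as a request it must reject rather than encode.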

It is not yet confirmed whether arbitrary code execution is possible on the x86 architecture; on other architectures the flaw may be exploitable to execute arbitrary instructions.

<*Source: Georgi Guninski (guninski@guninski.com)

  Link: http://lists.netsys.com/pipermail/full-disclosure/2004-May/021610.html
*>

Recommendation:
Vendor patch:

Apache Software Foundation
--------------------------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://www.modssl.org/

Severity: 1 (reader vote)
This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.