Apache Http Server 2.2.29 / 2.4.12 NULL Pointer Dereference

2015.04.18
Credit: NicholasL
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-476

-=[Advanced Information Security Corporation]=- Advisory for Apache Http Server 2.2.29 / 2.4.12 NULL Pointer Dereference Author: Nicholas Lemonias Advisory Date: 14/4/2015 Email: lem.nikolas (at) gmail (dot) com Introduction ========== During a source-code audit of the Apache HTTPD 2.2.29 / 2.4.12 release implementation for linux; conducted internally by the Advanced Information Security Group, instances of insecure function use were observed, which could possibly lead to attacks. Software Overview =============== The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Apache httpd was launched in 1995, has been the most popular web server on the Internet since April 1996. Affected code =============== * protocol.c --- routines which directly communicate with the client. * * Code originally by Rob McCool; much redone by Robert S. Thau * and the Apache Software Foundation. PoC 1 - Code Snippet [CWE-476] ============================== (..\httpd-2.2.29\server\protocol.c:1286) (..\httpd-2.4.12\server\protocol.c:1286) ... AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter( ap_filter_t *f, apr_bucket_brigade *b) { request_rec *r = f->r; struct content_length_ctx *ctx; apr_bucket *e; int eos = 0; apr_read_type_e eblock = APR_NONBLOCK_READ; ctx = f->ctx; if (!ctx) { f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx)); ctx->data_sent = 0; } Description: Code at line 1286 is vulnerable to a Null Pointer Derference security issue, where (request_rec *r = f->r;). The filter is used to compute the Content-Length, but it also computes the number of bytes sent to the client. ........................................................................ .............................. The filter will always run through all of the buckets in all brigades. The (request_rec *r = f->r;) is user-controllable and can be set to NULL using a supplied parameter. The issue stems from the lack of any control metrics on the return value of (f) ~ line 1286 (to ensure that is non-NULL.) The value of (f) can be set to NULL using a user-supplied parameter. [1] CWE Mitre. (2015) CWE - Null Pointer Dereference - 476 [Online] Available at: https://cwe.mitre.org/data/definitions/476.html [Last Accessed 14 April, 2015]

References:

https://cwe.mitre.org/data/definitions/476.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top