-=[Advanced Information Security Corporation]=-
Advisory for Apache Http Server 2.2.29 / 2.4.12 NULL Pointer Dereference
Author: Nicholas Lemonias
Advisory Date: 14/4/2015
Email: lem.nikolas (at) gmail (dot) com
Introduction
==========
During a source-code audit of the Apache HTTPD 2.2.29 / 2.4.12 release implementation for linux; conducted internally by the Advanced Information Security Group, instances of insecure function use were observed, which could possibly lead to attacks.
Software Overview
===============
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
Apache httpd was launched in 1995, has been the most popular web server on the Internet since April 1996.
Affected code
===============
* protocol.c --- routines which directly communicate with the client.
*
* Code originally by Rob McCool; much redone by Robert S. Thau
* and the Apache Software Foundation.
PoC 1 - Code Snippet [CWE-476]
==============================
(..\httpd-2.2.29\server\protocol.c:1286)
(..\httpd-2.4.12\server\protocol.c:1286)
...
AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(
ap_filter_t *f,
apr_bucket_brigade *b)
{
request_rec *r = f->r;
struct content_length_ctx *ctx;
apr_bucket *e;
int eos = 0;
apr_read_type_e eblock = APR_NONBLOCK_READ;
ctx = f->ctx;
if (!ctx) {
f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx));
ctx->data_sent = 0;
}
Description: Code at line 1286 is vulnerable to a Null Pointer Derference security issue, where (request_rec *r = f->r;). The filter is used to compute the Content-Length, but it also computes the number of bytes sent to the client.
........................................................................
..............................
The filter will always run through all of the buckets in all brigades. The (request_rec *r = f->r;) is user-controllable and can be set to NULL using a supplied parameter. The issue stems from the lack of any control metrics on the return value of (f) ~ line 1286 (to ensure that is non-NULL.)
The value of (f) can be set to NULL using a user-supplied parameter.
[1] CWE Mitre. (2015) CWE - Null Pointer Dereference - 476 [Online]
Available at: https://cwe.mitre.org/data/definitions/476.html
[Last Accessed 14 April, 2015]