Public Vulnerability Reports

Apache Portable Runtime Denial of Service and Arbitrary Code

05.30.03

BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern OS' including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ .

The Apache Portable Runtime (APR) provides a free library of C data structures and routines, forming a system portability layer to as many OS' as possible. More information is available at http://apr.apache.org/ .

mod_dav is an open-source Apache module that provides Distributed Authoring and Versioning (DAV) capabilities to the Apache HTTP Server. More information is available at http://www.webdav.org/mod_dav/ .

DESCRIPTION

Passing an overly long string to the apr_psprintf() APR library function that is used by the Apache HTTP Server could cause an application to reference memory that should have already been returned to the heap allocation pool. Arbitrary code execution remains a possibility but has not been substantiated at the time of publication of this report.  Considering the strict conditions necessary for successful code execution, it would be feasible but difficult to develop an exploit capable of functioning outside of a lab environment.

ANALYSIS

The remote denial of service aspect of this vulnerability can be exploited if a remote attacker is able to pass large strings to the vulnerable function, as is the case in the mod_dav attack vector, where a specially crafted XML object request of approximately 12250 bytes crashed HTTP Server running on a non-Windows OS; approximately
20000 characters crashed it on a Windows OS.

DETECTION

Applications that rely on older versions of APR are vulnerable. A list of such projects is available at http://apr.apache.org/projects.html#open_source . Both the Windows
and Unix implementations of Apache HTTP Server 2.0.37 through 2.0.45 inclusive are vulnerable.

WORKAROUND

The following patch should mitigate this vulnerability:

- - --- srclib/apr/memory/unix/apr_pools.c  7 Mar 2003 12:12:43 -0000
  1.195
+++ srclib/apr/memory/unix/apr_pools.c  8 May 2003 20:11:14 -0000
@@ -976,7 +976,7 @@

         if (ps->got_a_new_node) {
             active->next = ps->free;
- - -            ps->free = node;
+            ps->free = active;
         }

         ps->got_a_new_node = 1;

VENDOR RESPONSE

Apache HTTP Server 2.0.46, which contains updates for APR, can be downloaded at http://httpd.apache.org/download.cgi .

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0245 to this issue.

DISCLOSURE TIMELINE

03/19/2003       Issue disclosed to iDEFENSE
04/08/2003       iDEFENSE Labs initial research complete
04/09/2003       security@apache.org contacted
04/09/2003       Response from Lars Eilebrecht and Bill Rowe of Apache
04/11/2003       Response from Ian Holsman of Apache
05/08/2003       Response from Mark Cox of Apache
05/08/2003       Initial Research and patch Submitted to iDEFENSE by Joe Orton of   Apache
05/09/2003       Apache patch verified by iDEFENSE Labs
05/12/2003       vendor-sec list notified
05/26/2003       iDEFENSE clients notified
05/30/2003       Coordinated Public Disclosure