

Apache 1.1.1 overflow (fwd)



Forwarded message:
>From firewalls-owner@GreatCircle.COM Mon Jan 13 13:06:54 1997
Date: Sun, 12 Jan 1997 19:50:43 -0700 (MST)
From: David Sacerdote <davids@secnet.com>
To: firewalls@greatcircle.com
Subject: Apache 1.1.1 overflow
Message-ID: <Pine.BSI.3.95.970112195026.20891A-100000@silence.secnet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
X-env-mail-from: (firewalls-owner@GreatCircle.COM)
X-env-rcpt-to: (<lists@lina.inka.de>)
X-lina: send to /usr/sbin/deliver (Mon, 13 Jan 1997 13:06:54 +0100 (MET))

                        ######    ##   ##    ######
                        ##        ###  ##      ##
                        ######    ## # ##      ##
                            ##    ##  ###      ##
                        ###### .  ##   ## .  ######.

                            Secure Networks Inc.

                             Security Advisory
                             January 12, 1997

                    Vulnerabilities in the Apache httpd

There is a serious vulnerability in the cookies module of the Apache httpd,
version 1.1.1 and earlier, which makes it possible for remote individuals
to obtain access to systems running the Apache httpd.  Only sites which
enabled mod_cookies, a nondefault option, are vulnerable.

Technical Details
~~~~~~~~~~~~~~~~~
The function make_cookie, in mod_cookies.c, uses a 100-byte buffer,
new_cookie, to store information used to track web site users.  The
hostname, which even with the most cautious of resolver libraries can be
up to 255 characters long, is stuffed into this buffer, along with the
string "apache=" and a number.  The offending code reads:

void make_cookie(request_rec *r)
{
    struct timeval tv;
    char new_cookie[100];	/* blurgh */	/* fixed 100-byte buffer: the overflow target */
    char *dot;
    const char *rname = pstrdup(r->pool,
                                get_remote_host(r->connection, r->per_dir_config,
                                                REMOTE_NAME));	/* client hostname, up to 255 bytes */
    struct timezone tz = { 0 , 0 };

    if ((dot = strchr(rname,'.'))) *dot='\0';	/* First bit of hostname */
    gettimeofday(&tv, &tz);
    sprintf(new_cookie,"%s%s%d%ld%d; path=/",	/* unbounded write into new_cookie */
        COOKIE_NAME, rname,
        (int)getpid(),
        (long)tv.tv_sec, (int)tv.tv_usec/1000 );
    table_set(r->headers_out,"Set-Cookie",new_cookie);
    return;
}

Note that although the get_remote_host() function converts all uppercase
letters to lowercase letters, there is at least one way in which a
determined attacker can still exploit the overflow.
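The following is an added example, not code from the advisory or from the Apache project. It sets the length arithmetic behind the overflow beside a bounds-safe rewrite of the string assembly in make_cookie. The Apache request_rec, pool and table_set API is left out so the logic runs stand-alone; COOKIE_NAME is assumed to be "Apache=", matching the Set-Cookie header shown later in the advisory, and the fixed pid and timestamp used by the demo helpers are constructed values chosen to reproduce that sample header.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define COOKIE_NAME "Apache="     /* assumed: cookie name seen in the advisory's Set-Cookie header */
#define NEW_COOKIE_LEN 100        /* size of new_cookie[] in the vulnerable code */
#define MAX_HOSTNAME 255          /* longest name a resolver may hand back */

/* Worst-case number of bytes the original sprintf can write into new_cookie:
 * COOKIE_NAME + hostname + pid (up to 10 digits) + tv_sec (up to 10 digits)
 * + milliseconds (up to 3 digits) + "; path=/" + terminating NUL. */
size_t worst_case_cookie_len(size_t hostname_len)
{
    return strlen(COOKIE_NAME) + hostname_len + 10 + 10 + 3
           + strlen("; path=/") + 1;
}

/* Bounds-safe replacement for the string assembly in make_cookie.  The first
 * label of the hostname is copied into a capped local buffer (instead of
 * writing a NUL into the caller's string) and snprintf guarantees nothing is
 * written past 'outlen'.  Returns 0 on success, -1 if the cookie would not
 * fit, in which case 'out' is left empty and no header should be sent. */
int make_cookie_safe(char *out, size_t outlen, const char *remote_host,
                     pid_t pid, long sec, int msec)
{
    char label[MAX_HOSTNAME + 1];
    const char *dot = strchr(remote_host, '.');
    size_t n = dot ? (size_t)(dot - remote_host) : strlen(remote_host);
    int written;

    if (n > MAX_HOSTNAME)
        n = MAX_HOSTNAME;
    memcpy(label, remote_host, n);
    label[n] = '\0';

    written = snprintf(out, outlen, "%s%s%d%ld%d; path=/",
                       COOKIE_NAME, label, (int)pid, sec, msec);
    if (written < 0 || (size_t)written >= outlen) {
        out[0] = '\0';            /* truncated: refuse to emit a mangled cookie */
        return -1;
    }
    return 0;
}

/* Demo helpers with a fixed pid/timestamp so results are reproducible.
 * 91 / 852663571 / 64 are constructed values that reproduce the advisory's
 * sample header "Apache=localhost9185266357164; path=/" (7 Jan 1997). */
static char demo_cookie[NEW_COOKIE_LEN];

const char *build_demo_cookie(const char *host)
{
    if (make_cookie_safe(demo_cookie, sizeof demo_cookie, host,
                         91, 852663571L, 64) != 0)
        return NULL;
    return demo_cookie;
}

/* Returns 1 if a hostname of 'len' characters is rejected by make_cookie_safe
 * with the original 100-byte buffer, 0 if it still fits. */
int long_hostname_rejected(size_t len)
{
    char host[MAX_HOSTNAME + 1];
    if (len > MAX_HOSTNAME)
        len = MAX_HOSTNAME;
    memset(host, 'a', len);
    host[len] = '\0';
    return build_demo_cookie(host) == NULL;
}

int main(void)
{
    const char *c;

    printf("worst case needs %zu bytes, new_cookie holds %d\n",
           worst_case_cookie_len(MAX_HOSTNAME), NEW_COOKIE_LEN);
    if ((c = build_demo_cookie("localhost")) != NULL)
        printf("Set-Cookie: %s\n", c);
    if ((c = build_demo_cookie("www.example.com")) != NULL)
        printf("Set-Cookie: %s\n", c);
    printf("255-char hostname rejected: %d\n",
           long_hostname_rejected(MAX_HOSTNAME));
    return 0;
}
```

With the fixed prefix and numbers used here, 28 bytes of the 100 are taken before the hostname label is added, so any first label longer than 71 characters is refused rather than overflowing; the original code had no such check and kept writing.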


Impact
~~~~~~
Remote individuals can obtain access to the web server.  If the httpd
services requests as user root, attackers can obtain root access.  If the
httpd is run in a chroot() environment, the attacker will be restricted to
the chrooted environment.  We strongly advise administrators to run their
web servers as an unprivileged user in a chrooted environment whenever
possible.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~
Any system running the Apache httpd 1.1.1 or earlier, with the compile-time
option mod_cookies enabled, is vulnerable.  To tell which web server
software you are using, telnet to port 80 of the web server, and issue the
command:
GET / HTTP/1.0
to the web server, followed by two carriage returns.  You should see
something which looks like:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Tue, 07 Jan 1997 18:59:31 GMT
Server: Apache/1.1.1
Content-type: text/html
Set-Cookie: Apache=localhost9185266357164; path=/
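The following is an added example, not part of the advisory. It automates the check described above against a captured response: it parses the Server: header for an Apache version of 1.1.1 or earlier, and looks for a Set-Cookie header whose value begins with "Apache=", which is the cookie make_cookie emits and so shows that mod_cookies is active on that server. The response text is constructed from the sample transcript above; the header scan is my own and assumes ordinary CRLF or LF line endings.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: the response from the advisory's telnet session. */
const char *SAMPLE_RESPONSE =
    "HTTP/1.0 200 OK\r\n"
    "Date: Tue, 07 Jan 1997 18:59:31 GMT\r\n"
    "Server: Apache/1.1.1\r\n"
    "Content-type: text/html\r\n"
    "Set-Cookie: Apache=localhost9185266357164; path=/\r\n"
    "\r\n"
    "<html>constructed body</html>\n";

/* Find a header (case-insensitive name) in the header block of a raw HTTP
 * response.  Returns a pointer to the value and its length, or NULL.  The
 * scan stops at the first empty line so the body is never searched. */
static const char *find_header(const char *response, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = response;

    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len == 0)
            break;                                /* blank line: end of headers */
        if (len > nlen && strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < line + len && (*v == ' ' || *v == '\t'))
                v++;
            *vlen = (size_t)(line + len - v);
            return v;
        }
        if (!eol)
            break;
        line = eol;
        if (*line == '\r') line++;                /* step over exactly one line terminator */
        if (*line == '\n') line++;
    }
    return NULL;
}

/* Returns 1 and fills major/minor/patch when a "Server: Apache/x.y[.z]"
 * header is present, 0 otherwise (patch defaults to 0 for two-part versions). */
int parse_apache_version(const char *response, int *major, int *minor, int *patch)
{
    size_t vlen;
    char buf[64];
    const char *v = find_header(response, "Server", &vlen);

    if (!v || vlen >= sizeof buf)
        return 0;
    memcpy(buf, v, vlen);
    buf[vlen] = '\0';
    if (strncmp(buf, "Apache/", 7) != 0)
        return 0;
    *patch = 0;
    return sscanf(buf + 7, "%d.%d.%d", major, minor, patch) >= 2;
}

/* 1 if the server identifies as Apache 1.1.1 or earlier, else 0. */
int apache_at_risk(const char *response)
{
    int ma, mi, pa;

    if (!parse_apache_version(response, &ma, &mi, &pa))
        return 0;
    if (ma != 1) return ma < 1;
    if (mi != 1) return mi < 1;
    return pa <= 1;
}

/* 1 if the response carries the cookie that mod_cookies' make_cookie sets. */
int mod_cookies_enabled(const char *response)
{
    size_t vlen;
    const char *v = find_header(response, "Set-Cookie", &vlen);

    return v != NULL && vlen >= 7 && strncmp(v, "Apache=", 7) == 0;
}

/* Both conditions from the advisory must hold for the server to be exposed. */
int likely_vulnerable(const char *response)
{
    return apache_at_risk(response) && mod_cookies_enabled(response);
}

int main(void)
{
    printf("version at risk: %d, mod_cookies active: %d, likely vulnerable: %d\n",
           apache_at_risk(SAMPLE_RESPONSE), mod_cookies_enabled(SAMPLE_RESPONSE),
           likely_vulnerable(SAMPLE_RESPONSE));
    return 0;
}
```

An old version without the cookie, or the cookie on a newer version, is not flagged; the advisory ties the problem to both the code in 1.1.1 and earlier and the nondefault mod_cookies build option, so the checker requires both signals.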


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com