Re: Apache mod_dav off-by-one

[John Helmert III <ajak () gentoo org>]

On Tue, Aug 09, 2022 at 02:50:34PM +0300, Evgeny Legerov wrote:
> Hi,
>
>
> How it happens that Apache process_if_header off-by-one, which has been 
> mentioned in
>
> The Art of Software Security Assessment (page 420), still remains unpatched?
>
> What am I missing?

Has anyone reported it upstream? Has anyone requested a CVE (seems
unlikely, given the last CVE for mod_dav is one from 2013)?

Upstreams don't magically know about security issues, they need to be
reported to the upstream one way or another.

> The code from Apache 2.4.54:
>
> static dav_error * dav_process_if_header(request_rec *r, dav_if_header 
> **p_ih)
> {
> ...
>
>       while (*list) {
>                  /* List is the entire production (in a uri scope) */
>
>                  switch (*list) {
>                  ...
>                  case 'N':
>                      if (list[1] == 'o' && list[2] == 't') {
>                          if (condition != DAV_IF_COND_NORMAL) {
>                              return dav_new_error(r->pool, HTTP_BAD_REQUEST,
> DAV_ERR_IF_MULTIPLE_NOT, 0,
>                                                   "Invalid \"If:\" header: "
>                                                   "Multiple \"not\" 
> entries "
>                                                   "for the same state.");
>                          }
>                          condition = DAV_IF_COND_NOT;
>                      }
>                      list += 2;
>                      break;
>
> It is not only out of bounds read, dav_fetch_next_token() will write 
> NULL byte on next iteration.

So we can be more descriptive than calling the vulnerability an
"off-by-one". It's more of an OOB read/write. And if NULL is the only
thing that can be written, it seems likely that the only impact is a
DoS, if that.

> regards,
>
> -e

Attachment: signature.asc
Description: