oss-sec mailing list archives
Re: Apache mod_dav off-by-one
From: John Helmert III <ajak () gentoo org>
Date: Wed, 10 Aug 2022 13:34:34 -0500
On Tue, Aug 09, 2022 at 02:50:34PM +0300, Evgeny Legerov wrote:
> Hi, how does it happen that the Apache process_if_header off-by-one, which has been mentioned in The Art of Software Security Assessment (page 420), still remains unpatched? What am I missing?
Has anyone reported it upstream? Has anyone requested a CVE (seems unlikely, given the last CVE for mod_dav is one from 2013)? Upstreams don't magically know about security issues; they need to be reported to the upstream one way or another.
> The code from Apache 2.4.54:
>
>     static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
>     {
>         ...
>         while (*list) {
>             /* List is the entire production (in a uri scope) */
>             switch (*list) {
>             ...
>             case 'N':
>                 if (list[1] == 'o' && list[2] == 't') {
>                     if (condition != DAV_IF_COND_NORMAL) {
>                         return dav_new_error(r->pool, HTTP_BAD_REQUEST,
>                                              DAV_ERR_IF_MULTIPLE_NOT, 0,
>                                              "Invalid \"If:\" header: "
>                                              "Multiple \"not\" entries "
>                                              "for the same state.");
>                     }
>                     condition = DAV_IF_COND_NOT;
>                 }
>                 list += 2;
>                 break;
>
> It is not only an out-of-bounds read: dav_fetch_next_token() will write a NULL byte on the next iteration.
So we can be more descriptive than calling the vulnerability an "off-by-one". It's more of an OOB read/write. And if NULL is the only thing that can be written, it seems likely that the only impact is a DoS, if that.
> regards, -e
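To make the cursor arithmetic of the quoted excerpt concrete, here is an added illustration (not Apache's code, and not from either poster) that models only the `case 'N'` branch. The model tracks the cursor as an index against strlen() so it never itself reads outside the buffer; it only reports how far past the terminating NUL the real `list` pointer would end up. The hardened variant next to it advances by the extra two bytes only when the whole keyword is present. Two assumptions: the loop is taken to advance one byte after the switch (which is why a three-byte keyword is consumed with `list += 2`; the excerpt does not show that line), and every byte other than 'N' is treated as a single-byte advance, ignoring the real parser's handling of `<`, `[` and `(`. The sample headers are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning one If: header production for "Not" keywords. */
typedef struct {
    int not_count;    /* "Not" keywords recognised (the real code rejects a second one) */
    size_t overrun;   /* bytes the cursor ends past the terminating NUL; 0 means safe */
} scan_result;

/* Model of the posted 'N' case: the keyword test is in bounds because &&
 * stops at the first NUL, but "list += 2" runs whether or not the keyword
 * was complete, so a production ending in "N" or "No" walks the cursor
 * over the terminator. Assumed per-iteration advance of one byte follows
 * the switch. */
scan_result scan_original(const char *list)
{
    scan_result res = {0, 0};
    size_t len = strlen(list);
    size_t i = 0;

    while (i < len) {                               /* while (*list) */
        if (list[i] == 'N') {
            if (list[i + 1] == 'o' && list[i + 2] == 't')
                res.not_count++;
            i += 2;                                 /* unconditional: the defect */
        }
        i += 1;                                     /* assumed per-iteration advance */
    }
    if (i > len)
        res.overrun = i - len;
    return res;
}

/* Hardened form: consume the two extra bytes only when all three bytes of
 * the keyword are present, so the cursor can never step over the NUL. */
scan_result scan_hardened(const char *list)
{
    scan_result res = {0, 0};
    size_t len = strlen(list);
    size_t i = 0;

    while (i < len) {
        if (list[i] == 'N' && list[i + 1] == 'o' && list[i + 2] == 't') {
            res.not_count++;
            i += 2;                                 /* keyword fully present */
        }
        i += 1;
    }
    if (i > len)
        res.overrun = i - len;                      /* always 0 by construction */
    return res;
}

int main(void)
{
    /* Constructed sample productions; the last one is a well-formed If: list. */
    const char *samples[] = {"Not", "No", "N", "(<urn:x> Not [\"etag\"])"};
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        scan_result o = scan_original(samples[k]);
        scan_result h = scan_hardened(samples[k]);
        printf("%-26s original: not=%d overrun=%zu | hardened: not=%d overrun=%zu\n",
               samples[k], o.not_count, o.overrun, h.not_count, h.overrun);
    }
    return 0;
}
```

The useful check for a reviewer is the `overrun` column: a well-formed production scores 0 under both rules, while a production whose final bytes are "N" or "No" leaves the original rule's cursor past the terminator, which is the position from which the next token fetch described in the thread would read and write.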