Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: Simon Tamás <simont () westel900 hu>
Date: Sun, 2 Jan 2000 22:03:27 +0100
Please imagine this situation: You have an Apache module that communicates via SSL with some other server. Your module reads the configuration necessary for the SSL setup from the Apache configuration file. There will be things like:

- CA certificate
- client certificate
- private key

The private key is usually password protected. So if someone gets access to it he won't be able to use it unless he knows the password. These files are stored on the same machine where the Apache runs, probably in the conf directory.

If your module needs to use the private key it needs to get the password for it, so it calls ap_getpass(). This however calls getpass(), which stores the password in a static char* and returns that pointer. It should be ap_getpass's (or your module's) responsibility to copy that string and fill the memory pointed to by the char* with useless values.

Unless this is done, somebody who gets access to the webserver machine, and therefore can read the private-key file, can also crash the Apache in such a way that he can read the password from memory. All he has to know is where the static char* inside getpass is in memory.

Regards
S.T.
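
The copy-and-overwrite step the message asks for, as an added C example that is not part of the original post and is not Apache's code. `fake_getpass()` is a constructed stand-in for getpass() so the example runs without a terminal; `take_secret()`, `secure_wipe()` and `is_zeroed()` are hypothetical helper names.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for getpass(): like the real call, it returns a
 * pointer to a static buffer that still holds the secret afterwards. */
static char *fake_getpass(const char *typed)
{
    static char buf[128];
    strncpy(buf, typed, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

/* Hypothetical helper: write through a volatile pointer so the compiler
 * cannot discard the stores as dead writes. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Copy the secret into caller-owned storage, then scrub the static copy.
 * Returns -1 if out is too small; the static copy is scrubbed either way. */
static int take_secret(char *static_buf, char *out, size_t outlen)
{
    size_t len = strlen(static_buf);
    int rc = (len < outlen) ? 0 : -1;
    if (rc == 0)
        memcpy(out, static_buf, len + 1);
    secure_wipe(static_buf, len);
    return rc;
}

/* Returns 1 if the first n bytes at p are all zero. */
static int is_zeroed(const char *p, size_t n)
{
    while (n--) if (*p++) return 0;
    return 1;
}

int main(void)
{
    char key_pass[64];
    char *p = fake_getpass("constructed-passphrase");
    if (take_secret(p, key_pass, sizeof key_pass) != 0) return 1;
    /* ... unlock the private key with key_pass here ... */
    secure_wipe(key_pass, sizeof key_pass);
    return is_zeroed(p, 128) ? 0 : 1;
}
```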