Re: Remote buffer overflow in Apache mod_ssl when reverse proxying SSL

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear Jйrфme ATHIAS,

According  to  provided  information  and fix (without code analysis) it
looks  like access to unallocated memory, not like buffer overflow. It's
just non-working feature of Apache and it unconditionally crashes on any
request  in  specified configuration. Probably it means you can not find
server in this configuration in-the-wild.

Correct me, if I wrong.


--Saturday, September 11, 2004, 10:14:06 AM, you wrote to bugtraq () securityfocus com:



JA> http://issues.apache.org/bugzilla/show_bug.cgi?id=30134

JA> Summary: Segmentation fault in char_buffer_read when reverse proxying SSL (Version 2.0.50)
JA> Reporter: lxhankins002 at fastmail.fm (M. "Alex" Hankins)
 
JA> Overview Description:
 
JA> Intermittent segmentation faults occur in char_buffer_read at
JA> ssl_engine_io.c:348 when using a RewriteRule to do reverse proxying to an SSL
JA> origin server running IIS.
 
JA>     Steps to Reproduce:
 
JA> 1) Set up an IIS server using SSL and running eRoom 6.
 
JA> 2) Add the following directives to httpd.conf:
 
JA> Listen 47290
JA> SSLProxyEngine on
JA> RewriteEngine on
JA> RewriteRule /(.*) https://some.eroom6.iis.server.com/$1 [P]
 
JA> 3) Visit a URL similar to the following:
 
JA> http://reverse.proxy.com:47290/eRoomASP/CookieTest.asp?facility=facility&URL=%2FeRoom%2FFacility%2FRoom%2F0_4242
 
JA> If that doesn't cause the segfault, click around for a while.
 
JA> (Yes, reverse proxying from non-SSL to SSL is not a good idea, but it keeps the
JA> example simpler.)
 
JA>     Actual Results:
 
JA> Segmentation fault in error_log:
JA> [Thu Jul 15 19:38:36 2004] [notice] child pid 42 exit signal Segmentation fault
JA> (11), possible coredump in /usr/local/httpd-2.0.50
 
JA>     Build Date & Platform:
 
JA> 2004-07-14 build on SunOS 5.8 SUNW,UltraAX-i2
 
JA>     Additional Information:
 
JA> Here is a stack trace from gdb:
 
JA> #0  0xfef5060c in memcpy ()
JA>    from /usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1
JA> #1  0xfeafef54 in char_buffer_read (buffer=0x1649ac,
JA>     in=0x2000 <Address 0x2000 out of bounds>, inl=8192) at ssl_engine_io.c:348
JA> #2  0xfeaff388 in ssl_io_input_read (inctx=0x164990,
JA>     buf=0x1649b8 "Content-Length:
JA> 121\r\nCort/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea8cc) at ssl_engine_io.c:561
JA> #3  0xfeaff624 in ssl_io_input_getline (inctx=0x164990,
JA>     buf=0x1649b8 "Content-Length:
JA> 121\r\nCort/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCmeport/Martonia/0_2615\r\nContent-Length:
JA> 121\r\nCrtonia/0_2615\r\nContent-Le"..., len=0xffbea944) at ssl_engine_io.c:712
JA> #4  0xfeb00118 in ssl_io_filter_input (f=0x1669c0, bb=0x158f98,
JA>     mode=4290685252, block=APR_BLOCK_READ, readbytes=0) at ssl_engine_io.c:1226
JA> #5  0x42978 in ap_get_brigade (next=0x1669c0, bb=0x158f98,
JA>     mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
JA>     at util_filter.c:474
JA> #6  0x4aab4 in net_time_filter (f=0x158e20, b=0x158f98, mode=AP_MODE_GETLINE,
JA>     block=APR_BLOCK_READ, readbytes=0) at core.c:3600
JA> #7  0x42978 in ap_get_brigade (next=0x158e20, bb=0x158f98,
JA>     mode=AP_MODE_GETLINE, block=APR_BLOCK_READ, readbytes=0)
JA>     at util_filter.c:474
JA> #8  0x43e0c in ap_rgetline_core (s=0xffbeab94, n=8192, read=0xffbeab90,
JA>     r=0x1671b8, fold=1, bb=0x158f98) at protocol.c:214
JA> #9  0x441a4 in ap_getline (s=0xffbeccd8 "Content-Length", n=8192, r=0x1671b8,
JA>     fold=1) at protocol.c:478
JA> #10 0xfe8552d4 in ap_proxy_read_headers (r=0x1821d0, rr=0x1671b8,
JA>     buffer=0xffbeccd8 "Content-Length", size=8192, c=0x1671b8)
JA>     at proxy_util.c:457
JA> #11 0xfe833014 in ap_proxy_http_process_response (p=0x157960, r=0x1821d0,
JA>     p_conn=0x157ee8, origin=0x158168, backend=0x157f00, conf=0xf0268,
JA>     bb=0x157e98, server_portstr=0xffbeed68 ":47290") at proxy_http.c:755
JA> #12 0xfe833ba4 in ap_proxy_http_handler (r=0x1821d0, conf=0xf0268,
JA>     url=0x158038
JA> "/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615",
JA> proxyname=0x0, proxyport=60776) at proxy_http.c:1121
JA> #13 0xfe85435c in proxy_run_scheme_handler (r=0x1821d0, conf=0xf0268,
JA>     url=0x1839ce
JA> 
"https://eroomhost.aaa.bbb.com/eRoomASP/CookieTest.asp?facility=memeport&URL=%2FeRoom%2Fmemeport%2FMartonia%2F0_2615";,
JA> proxyhost=0x0,
JA>     proxyport=0) at mod_proxy.c:1113
JA> #14 0xfe852ed8 in proxy_handler (r=0x1821d0) at mod_proxy.c:418
JA> #15 0x359a8 in ap_run_handler (r=0x1821d0) at config.c:151
JA> #16 0x35fa4 in ap_invoke_handler (r=0x1821d0) at config.c:358
JA> #17 0x32c44 in ap_process_request (r=0x1821d0) at http_request.c:246
JA> #18 0x2df14 in ap_process_http_connection (c=0x157a70) at http_core.c:250
JA> #19 0x40090 in ap_run_process_connection (c=0x157a70) at connection.c:42
JA> #20 0x403a4 in ap_process_connection (c=0x157a70, csd=0x157998)
JA>     at connection.c:175
JA> #21 0x3422c in child_main (child_num_arg=5) at prefork.c:609
JA> #22 0x343ac in make_child (s=0x8edb0, slot=5) at prefork.c:703
JA> #23 0x345fc in perform_idle_server_maintenance (p=0x8c690) at prefork.c:838
JA> #24 0x34a34 in ap_mpm_run (_pconf=0x0, plog=0x63400, s=0x83000)
JA>     at prefork.c:1039
JA> #25 0x3ad44 in main (argc=3, argv=0xffbef4ac) at main.c:617


JA> Solution:  A fix is available via CVS at:

JA> http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.125&r2=1.126



-- 
~/ZARAZA
Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен)