Vulnerabilities > CVE-2002-0082 - Buffer Overflow vulnerability in Apache mod_ssl/Apache-SSL

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
apache-ssl
mod-ssl
nessus
exploit available

Summary

The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.

Exploit-Db

idEDB-ID:47080
last seen2019-07-10
modified2019-07-07
published2019-07-07
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/47080
titleApache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)

Nessus

  • NASL familyWeb Servers
    NASL idMOD_SSL_OVERFLOW.NASL
    descriptionAccording to the web server banner, the remote host is using a vulnerable version of mod_ssl. This version has a buffer overflow vulnerability. A remote attacker could exploit this issue to execute arbitrary code. *** Some vendors patched older versions of mod_ssl, so this might be a false positive. Check with your vendor to determine if you have a version of mod_ssl that is patched for this vulnerability. ***
    last seen2020-06-01
    modified2020-06-02
    plugin id10888
    published2002-03-08
    reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10888
    titleApache mod_ssl i2d_SSL_SESSION Function SSL Client Certificate Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # This script was written by Renaud Deraison <[email protected]>,
    # with the impulsion of H D Moore on the Nessus Plugins-Writers list
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with `description`
    # set, only metadata is declared and the script exits before any network
    # activity. The actual banner check lives below this block.
    if (description)
    {
     script_id(10888);
     script_version("1.34");
     script_cvs_date("Date: 2018/11/15 20:50:25");
    
     script_cve_id("CVE-2002-0082");
     script_bugtraq_id(4189);
    
     script_name(english:"Apache mod_ssl i2d_SSL_SESSION Function SSL Client Certificate Overflow");
     script_summary(english:"Checks for version of mod_ssl");
    
     script_set_attribute(attribute:"synopsis", value:"The remote web server module has a buffer overflow vulnerability.");
     script_set_attribute(attribute:"description", value:
    "According to the web server banner, the remote host is using a
    vulnerable version of mod_ssl. This version has a buffer overflow
    vulnerability. A remote attacker could exploit this issue to execute
    arbitrary code.
    
    *** Some vendors patched older versions of mod_ssl, so this *** might
    be a false positive. Check with your vendor to determine *** if you
    have a version of mod_ssl that is patched for this *** vulnerability.");
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/376");
     script_set_attribute(attribute:"solution", value:"Upgrade to mod_ssl 2.8.7 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/27");
     script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/08");
    
     # Marked as a potential (not confirmed) vulnerability: the decision is made
     # from the Server banner alone, which cannot reveal a vendor backport.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"Web Servers");
    
     script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
    
     # script_dependencie is the older alias of script_dependencies. The check
     # needs the Apache detection key and, because it is banner-based, runs only
     # when the user has enabled paranoid reporting (Settings/ParanoidReport).
     script_dependencie("find_service1.nasl", "no404.nasl", "http_version.nasl");
     script_require_keys("Settings/ParanoidReport", "www/apache");
     script_require_ports("Services/www", 80);
    
     exit(0);
    }
    
    include("audit.inc");
    include("backport.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
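    # Banner-only detection: the version string cannot distinguish a vendor
    # backported fix from an unpatched build, so the check reports only when
    # paranoid reporting is on (report_paranoia >= 2); otherwise it audits out.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:80);
    # get_backport_banner() sets `backported` when the banner carries a known
    # distribution backport marker; such hosts are skipped to limit false positives.
    banner = get_backport_banner(banner:get_http_banner(port:port));
    if(!banner || backported)exit(0);
    
    # Only the Server header matters. Apache 2.x (and the AdvancedExtranetServer
    # 2 variant) are deliberately excluded; the check targets Apache 1.x builds
    # that advertise a "mod_ssl/<version>" token.
    serv = strstr(banner, "Server");
    if("Apache/" >!< serv ) exit(0);
    if("Apache/2" >< serv) exit(0);
    if("Apache-AdvancedExtranetServer/2" >< serv)exit(0);
    
    # Vulnerable range: any mod_ssl 1.x, 2.0.x through 2.7.x, and 2.8.0 - 2.8.6
    # (the solution text names 2.8.7 as the fixed release). The patch-level digit
    # must be followed by a non-digit OR the end of the string, so that 2.8.10 is
    # not misread as 2.8.1 while a banner that ends right after the version is
    # still caught. "($|[^0-9])" is the same idiom the Apache-SSL check uses.
    if(ereg(pattern:".*mod_ssl/(1.*|2\.([0-7]\..*|8\.[0-6]($|[^0-9]))).*", string:serv))
    {
      security_hole(port);
    }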
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-120.NASL
    descriptionEd Moyle recently found a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks. To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server.
    last seen2020-06-01
    modified2020-06-02
    plugin id14957
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14957
    titleDebian DSA-120-1 : mod_ssl - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-120. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: declares the plugin's metadata (advisory text taken
    # from DSA-120, affected CPEs, KB keys it needs) and exits. The dpkg-based
    # package comparison is in the section that follows this block.
    if (description)
    {
      script_id(14957);
      script_version("1.21");
      script_cvs_date("Date: 2019/10/16 10:34:21");
    
      script_cve_id("CVE-2002-0082");
      script_xref(name:"DSA", value:"120");
    
      script_name(english:"Debian DSA-120-1 : mod_ssl - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl.
    With session caching enabled, mod_ssl will serialize SSL session
    variables to store them for later use. These variables were stored in
    a buffer of a fixed size without proper boundary checks.
    
    To exploit the overflow, the server must be configured to require
    client certificates, and an attacker must obtain a carefully crafted
    client certificate that has been signed by a Certificate Authority
    which is trusted by the server. If these conditions are met, it would
    be possible for an attacker to execute arbitrary code on the server."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-120"
      );
      # The fixed versions quoted here are the same ones the deb_check() calls
      # below compare against.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Apache-SSL and mod_ssl packages.
    
    This problem has been fixed in version 1.3.9.13-4 of Apache-SSL and
    version 2.4.10-1.3.9-1potato1 of libapache-mod-ssl for the stable
    Debian distribution as well as in version 1.3.23.1+1.47-1 of
    Apache-SSL and version 2.8.7-1 of libapache-mod-ssl for the testing
    and unstable distribution of Debian."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      # Local (authenticated) check; only Debian 2.2 packages are covered.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:apache-ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libapache-mod-ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs the SSH-collected dpkg listing and Debian release from the KB.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions for a local check: credentials-based collection must be on,
    # the host must be Debian, and the dpkg package list must be in the KB.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Count Debian 2.2 packages that are older than the DSA-120 fixed versions.
    # The calls are kept in this order because deb_report_get() is expected to
    # return their detail in the order the checks were made.
    affected = 0;
    if (deb_check(release:"2.2", prefix:"apache-ssl", reference:"1.3.9.13-4")) affected = affected + 1;
    if (deb_check(release:"2.2", prefix:"libapache-mod-ssl", reference:"2.4.10-1.3.9-1potato1")) affected = affected + 1;
    if (deb_check(release:"2.2", prefix:"libapache-mod-ssl-doc", reference:"2.4.10-1.3.9-1potato1")) affected = affected + 1;
    
    # Nothing outdated: record the host as not affected (audit() terminates).
    if (!affected) audit(AUDIT_HOST_NOT, "affected");
    
    # Otherwise raise the finding; per-package detail only at higher verbosity.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familyWeb Servers
    NASL idAPACHE_SSL_OVERFLOW.NASL
    descriptionThe remote host is using a version of Apache-SSL that is older than 1.3.22+1.46. Such versions are vulnerable to a buffer overflow that, albeit difficult to exploit, may allow an attacker to execute arbitrary commands on this host subject to the privileges under which the web server operates.
    last seen2020-06-01
    modified2020-06-02
    plugin id10918
    published2002-03-19
    reporterThis script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/10918
    titleApache-SSL < 1.3.23+1.46 i2d_SSL_SESSION Function SSL Client Certificate Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    #
    # This script was written by Renaud Deraison <[email protected]>,
    # with the impulsion of H D Moore on the Nessus Plugins-Writers list
    #
    
    
    include("compat.inc");
    
    # Registration phase: plugin metadata for the Apache-SSL (Ben-SSL) banner
    # check. Note the solution recommends 1.3.23+1.47 because the first fix
    # release (+1.46) had a separate bug; the version test itself is below.
    if(description)
    {
     script_id(10918);
     script_version("1.31");
     script_bugtraq_id(4189);
     script_cve_id("CVE-2002-0082");
     
     script_name(english:"Apache-SSL < 1.3.23+1.46 i2d_SSL_SESSION Function SSL Client Certificate Overflow");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is vulnerable to a buffer overflow attack." );
     script_set_attribute(attribute:"description", value:
    "The remote host is using a version of Apache-SSL that is older than
    1.3.22+1.46.  Such versions are vulnerable to a buffer overflow that,
    albeit difficult to exploit, may allow an attacker to execute
    arbitrary commands on this host subject to the privileges under which
    the web server operates." );
     script_set_attribute(attribute:"see_also", value:"http://www.apache-ssl.org/advisory-20020301.txt" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/376" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Mar/64" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Mar/76" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache-SSL version 1.3.23+1.47 or later. [Note that the
    vulnerability was initially addressed in 1.3.23+1.46 but that version
    had a bug.]");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2002/03/19");
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/02/27");
     script_cvs_date("Date: 2018/11/15 20:50:25");
    # Remote, unauthenticated banner check; the CPE names the Apache-SSL product.
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:apache-ssl:apache-ssl");
    script_end_attributes();
    
     
     summary["english"] = "Checks for version of Apache-SSL";
    
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
     script_family(english:"Web Servers");
     # Relies on apache_http_version.nasl having registered an Apache install
     # (installed_sw/Apache) before this check runs.
     script_dependencie("apache_http_version.nasl");
     script_require_keys("installed_sw/Apache");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("install_func.inc");
    
    # Version check against the Server response header recorded by the Apache
    # detection plugin. The Apache-SSL release is read from the "Ben-SSL/x.y"
    # suffix, not from the Apache version itself.
    get_install_count(app_name:"Apache", exit_if_zero:TRUE);
    port = get_http_port(default:80);
    install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);
    # Raw banner stored per port by the Apache detection; exit_code:1 if missing.
    banner = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);
     
    # Keep only the Server header line: cut at "Server:" and drop everything
    # from the first CRLF onwards (NASL string subtraction removes the substring).
    server = strstr(banner, "Server:");
    server = server - strstr(server, '\r\n');
    if (" Ben-SSL/" >< server)
    {
      ver = NULL;
    
      # Capture group 2 is the Ben-SSL version, e.g. "1.45". The anchor works
      # because `server` starts at the "Server:" token extracted above.
      pat = "^Server:.*Apache(-AdvancedExtranetServer)?/.* Ben-SSL/([0-9]+\.[0-9]+)";
      item = pregmatch(pattern:pat, string:server);
      if (!isnull(item)) ver = item[2];
    
      # Vulnerable: Ben-SSL 1.0 through 1.45. The "($|[^0-9])" guard stops a
      # longer minor number (e.g. 1.100) from matching on its leading digits.
      if (!isnull(ver) && ver =~ "^1\.([0-9]($|[^0-9])|([0-3][0-9]|4[0-5])($|[^0-9]))")
      {
        report = string(
          "\n",
          "The remote Apache-SSL server uses the following Server response\n",
          "header :\n",
          "\n",
          "  ", server, "\n"
        );
        security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
        exit(0);
      }
    }
    
    # No Ben-SSL token, or a version at/above the fixed release: not vulnerable.
    audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
    
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-020.NASL
    descriptionEd Moyle discovered a buffer overflow in mod_ssl
    last seen2020-06-01
    modified2020-06-02
    plugin id13928
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13928
    titleMandrake Linux Security Advisory : mod_ssl (MDKSA-2002:020)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:020. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration phase: metadata taken from MDKSA-2002:020, the affected
    # Mandrake releases (7.1 - 8.1) and the KB keys the rpm comparison needs.
    if (description)
    {
      script_id(13928);
      script_version ("1.20");
      script_cvs_date("Date: 2019/10/16 10:34:21");
    
      script_cve_id("CVE-2002-0082");
      script_bugtraq_id(4189);
      script_xref(name:"MDKSA", value:"2002:020");
    
      script_name(english:"Mandrake Linux Security Advisory : mod_ssl (MDKSA-2002:020)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ed Moyle discovered a buffer overflow in mod_ssl's session caching
    mechanisms that use shared memory and dbm. This could potentially be
    triggered by sending a very long client certificate to the server."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mod_ssl package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      # Local (authenticated) check; one CPE per covered Mandrake release.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Needs the SSH-collected rpm list, release and CPU architecture; the
      # architecture is checked because only i386 package references are listed.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions for a local check: credentialed collection enabled, a
    # Mandrake release string, and the rpm package list present in the KB.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86-class hosts are covered: the package references below are i386.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if (arch !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", arch);
    
    # One comparison per Mandrake release; the fixed mod_ssl package differs
    # only in its mdk revision. Call order is preserved so that rpm_report_get()
    # lists the matches in the same order as before.
    outdated = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"mod_ssl-2.8.5-2.4mdk", yank:"mdk")) outdated = outdated + 1;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"mod_ssl-2.8.5-2.3mdk", yank:"mdk")) outdated = outdated + 1;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"mod_ssl-2.8.5-2.2mdk", yank:"mdk")) outdated = outdated + 1;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"mod_ssl-2.8.5-2.1mdk", yank:"mdk")) outdated = outdated + 1;
    
    # No outdated package found: record the host as not affected (audit() terminates).
    if (!outdated) audit(AUDIT_HOST_NOT, "affected");
    
    # Otherwise raise the finding; per-package detail only at higher verbosity.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
    

Redhat

advisories
  • rhsa
    idRHSA-2002:041
  • rhsa
    idRHSA-2002:042
  • rhsa
    idRHSA-2002:045