CVE-2002-0653 - Off-by-one Error vulnerability in Modssl MOD SSL
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | Mod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability. CVE-2002-0653. Dos exploits for multiple platform |
id | EDB-ID:21575 |
last seen | 2016-02-02 |
modified | 2002-06-22 |
published | 2002-06-22 |
reporter | Frank DENIS |
source | https://www.exploit-db.com/download/21575/ |
title | Mod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability |
Nessus
NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_18706.NASL |
description | Several security updates are now available for Slackware 8.1, including updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php. |
last seen | 2016-09-26 |
modified | 2013-01-25 |
plugin id | 18706 |
published | 2005-07-13 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=18706 |
title | SSA-18706 Security updates for Slackware 8.1 |
code |

```
#%NASL_MIN_LEVEL 999999

# @DEPRECATED@
#
# This script has been deprecated and is no longer used
# after a revamping of the Slackware generator.
#
# Disabled on 2011/05/27.
#
# This script was automatically generated from a
# Slackware Security Advisory
# It is released under the Nessus Script Licence.
# Slackware Security Advisories are copyright 1999-2004 Slackware Linux, Inc.
# SSA2nasl Convertor is copyright 2004 Tenable Network Security, Inc.
# See http://www.slackware.com/about/ or http://www.slackware.com/security/
# Slackware(R) is a registered trademark of Slackware Linux, Inc.

if (! defined_func("bn_random")) exit(0);
include("compat.inc");

if (description) {
  script_id(18706);
  script_version("1.12");
  script_cvs_date("Date: 2018/07/20 0:18:52");

  script_category(ACT_GATHER_INFO);
  script_family(english: "Slackware Local Security Checks");
  script_dependencies("ssh_get_info.nasl");
  script_copyright("This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_require_keys("Host/Slackware/release", "Host/Slackware/packages");

  script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a security update." );
  script_set_attribute(attribute:"description", value:
    "Several security updates are now available for Slackware 8.1, including updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php." );
  script_set_attribute(attribute:"solution", value:
    "Update the packages that are referenced in the security advisory." );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/13");
  script_end_attributes();

  script_summary("SSA Security updates for Slackware 8.1");
  name["english"] = "SSA-18706 Security updates for Slackware 8.1";
  script_name(english:name["english"]);
  script_cve_id("CVE-2002-0653","CVE-2002-0658","CVE-2002-0659");
  exit(0);
}

exit(0);

include('slackware.inc');
include('global_settings.inc');

desc="";

if (slackware_check(osver: "8.1", pkgname: "apache", pkgver: "1.3.26", pkgnum: "2", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package apache is vulnerable in Slackware 8.1 Upgrade to apache-1.3.26-i386-2 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "glibc", pkgver: "2.2.5", pkgnum: "3", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package glibc is vulnerable in Slackware 8.1 Upgrade to glibc-2.2.5-i386-3 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "glibc-solibs", pkgver: "2.2.5", pkgnum: "3", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package glibc-solibs is vulnerable in Slackware 8.1 Upgrade to glibc-solibs-2.2.5-i386-3 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "mod_ssl", pkgver: "2.8.10_1.3.26", pkgnum: "1", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package mod_ssl is vulnerable in Slackware 8.1 Upgrade to mod_ssl-2.8.10_1.3.26-i386-1 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "openssh", pkgver: "3.4p1", pkgnum: "2", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package openssh is vulnerable in Slackware 8.1 Upgrade to openssh-3.4p1-i386-2 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "openssl", pkgver: "0.9.6e", pkgnum: "1", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package openssl is vulnerable in Slackware 8.1 Upgrade to openssl-0.9.6e-i386-1 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "openssl-solibs", pkgver: "0.9.6e", pkgnum: "1", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package openssl-solibs is vulnerable in Slackware 8.1 Upgrade to openssl-solibs-0.9.6e-i386-1 or newer. ');
}
if (slackware_check(osver: "8.1", pkgname: "php", pkgver: "4.2.2", pkgnum: "1", pkgarch: "i386")) {
  w++;
  if (report_verbosity > 0) desc = strcat(desc, ' The package php is vulnerable in Slackware 8.1 Upgrade to php-4.2.2-i386-1 or newer. ');
}

if (w) { security_warning(port: 0, extra: desc); }
```

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-135.NASL |
description | The libapache-mod-ssl package provides SSL capability to the apache webserver. Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all through specially crafted .htaccess files. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14972 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14972 |
title | Debian DSA-135-1 : libapache-mod-ssl - buffer overflow / DoS |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2002-136.NASL |
description | Updated mod_ssl packages are now available for Red Hat Advanced Server. These updates incorporate a fix for an incorrect bounds check in versions of mod_ssl up to and including version 2.8.9. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Versions of mod_ssl prior to 2.8.10 are subject to a single NULL overflow that can cause arbitrary code execution. In order to exploit this vulnerability, the Apache Web server has to be configured to allow overriding of configuration settings on a per-directory basis, and untrusted local users must be able to modify a directory in which the server is configured to allow overriding. The local attacker may then become the user that Apache is running as (usually |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12310 |
published | 2004-07-06 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12310 |
title | RHEL 2.1 : mod_ssl (RHSA-2002:136) |

NASL family | Web Servers |
NASL id | MOD_SSL_OFFBY1.NASL |
description | The remote host is using a version of mod_ssl that is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow that could allow a user with write access to .htaccess files to execute arbitrary code on the system with permissions of the web server. *** Note that several Linux distributions (such as RedHat) *** patched the old version of this module. Therefore, this *** might be a false positive. Please check with your vendor *** to determine if you really are vulnerable to this flaw |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11039 |
published | 2002-07-02 |
reporter | This script is Copyright (C) 2002-2018 Thomas Reinke |
source | https://www.tenable.com/plugins/nessus/11039 |
title | Apache mod_ssl ssl_compat_directive Function Overflow |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2002-048.NASL |
description | Frank Denis discovered an off-by-one error in mod_ssl dealing with the handling of older configuration directives (the rewrite_command hook). A malicious user could use a specially crafted .htaccess file to execute arbitrary commands as the apache user or execute a DoS against the apache child processes. This vulnerability is fixed in mod_ssl 2.8.10; patches have been applied to correct this problem in these packages. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13951 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13951 |
title | Mandrake Linux Security Advisory : mod_ssl (MDKSA-2002:048) |

Redhat
References
- http://www.redhat.com/support/errata/RHSA-2002-134.html
- http://www.redhat.com/support/errata/RHSA-2002-135.html
- http://www.redhat.com/support/errata/RHSA-2002-136.html
- http://www.redhat.com/support/errata/RHSA-2002-146.html
- http://rhn.redhat.com/errata/RHSA-2002-164.html
- http://www.redhat.com/support/errata/RHSA-2003-106.html
- ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-031.0.txt
- http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-048.php
- http://www.debian.org/security/2002/dsa-135
- http://www.novell.com/linux/security/advisories/2002_028_mod_ssl.html
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000504
- http://archives.neohapsis.com/archives/bugtraq/2002-06/0350.html
- http://archives.neohapsis.com/archives/hp/2002-q3/0018.html
- http://www.securityfocus.com/bid/5084
- http://www.iss.net/security_center/static/9415.php
- http://marc.info/?l=bugtraq&m=102513970919836&w=2
- http://marc.info/?l=bugtraq&m=102563469326072&w=2
- http://marc.info/?l=vuln-dev&m=102477330617604&w=2