Vulnerabilities > CVE-2002-0653 - Off-by-one Error vulnerability in Modssl MOD SSL

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
modssl
CWE-193
nessus
exploit available

Summary

Off-by-one buffer overflow in the ssl_compat_directive function, as called by the rewrite_command hook for mod_ssl Apache module 2.8.9 and earlier, allows local users to execute arbitrary code as the Apache server user via .htaccess files with long entries.

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionMod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability. CVE-2002-0653. DoS exploits for multiple platforms
idEDB-ID:21575
last seen2016-02-02
modified2002-06-22
published2002-06-22
reporterFrank DENIS
sourcehttps://www.exploit-db.com/download/21575/
titleMod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_18706.NASL
    descriptionSeveral security updates are now available for Slackware 8.1, including updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.
    last seen2016-09-26
    modified2013-01-25
    plugin id18706
    published2005-07-13
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=18706
    titleSSA-18706 Security updates for Slackware 8.1
    code
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated and is no longer used 
    # after a revamping of the Slackware generator.
    #
    # Disabled on 2011/05/27. 
    #
    # This script was automatically generated from a
    # Slackware Security Advisory
    # It is released under the Nessus Script Licence.
    # Slackware Security Advisories are copyright 1999-2004 Slackware Linux, Inc.
    # SSA2nasl Convertor is copyright 2004 Tenable Network Security, Inc.
    # See http://www.slackware.com/about/ or http://www.slackware.com/security/
    # Slackware(R) is a registered trademark of Slackware Linux, Inc.
    
    # Exit quietly when this interpreter does not provide bn_random().
    if (! defined_func("bn_random")) exit(0);

    include("compat.inc");

    # Registration pass: publish the plugin's metadata and stop. The
    # package checks further down are never reached because the script
    # is deprecated (see the header) and exits unconditionally below.
    if (description) {
      script_id(18706);
      script_version("1.12");
      script_cvs_date("Date: 2018/07/20  0:18:52");
      script_category(ACT_GATHER_INFO);
      script_family(english: "Slackware Local Security Checks");
      script_copyright("This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/Slackware/release", "Host/Slackware/packages");

      # Human-readable attributes shown in the report.
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a security update." );
      script_set_attribute(attribute:"description", value:
    "Several security updates are now available for Slackware 8.1, including
    updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php." );
      script_set_attribute(attribute:"solution", value:
    "Update the packages that are referenced in the security advisory." );
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/07/13");
      # CVSSv2 vector as recorded by the generator (local, high complexity,
      # no authentication, complete C/I/A impact).
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
      script_end_attributes();

      script_summary("SSA Security updates for Slackware 8.1");
      script_name(english:"SSA-18706 Security updates for Slackware 8.1");
      # CVE-2002-0653 is the mod_ssl off-by-one; the other two IDs are
      # covered by the same Slackware advisory.
      script_cve_id("CVE-2002-0653","CVE-2002-0658","CVE-2002-0659");
      exit(0);
    }

    # Deprecated script: terminate before running any package check.
    exit(0);
    
    include('slackware.inc');
    include('global_settings.inc');
    
    # Per-package checks for Slackware 8.1 (SSA-18706). Each block asks
    # slackware_check() about one package; a hit increments the counter w
    # and, when report_verbosity allows, appends upgrade advice to desc.
    # NOTE(review): slackware_check() presumably returns true when the
    # installed package is older than pkgver-pkgarch-pkgnum -- verify
    # against slackware.inc.
    # NOTE(review): w is not initialised anywhere in this script before
    # the first w++; and the unconditional exit(0) above means none of
    # this code runs in the deprecated script as shipped.
    desc="";
    # apache 1.3.26 build 2
    if (slackware_check(osver: "8.1", pkgname: "apache", pkgver: "1.3.26", pkgnum:  "2", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package apache is vulnerable in Slackware 8.1
    Upgrade to apache-1.3.26-i386-2 or newer.
    ');
    }
    # glibc 2.2.5 build 3
    if (slackware_check(osver: "8.1", pkgname: "glibc", pkgver: "2.2.5", pkgnum:  "3", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package glibc is vulnerable in Slackware 8.1
    Upgrade to glibc-2.2.5-i386-3 or newer.
    ');
    }
    # glibc-solibs 2.2.5 build 3
    if (slackware_check(osver: "8.1", pkgname: "glibc-solibs", pkgver: "2.2.5", pkgnum:  "3", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package glibc-solibs is vulnerable in Slackware 8.1
    Upgrade to glibc-solibs-2.2.5-i386-3 or newer.
    ');
    }
    # mod_ssl 2.8.10 (bundled with apache 1.3.26): the release that fixes
    # the CVE-2002-0653 off-by-one in ssl_compat_directive, per the
    # advisories quoted on this page.
    if (slackware_check(osver: "8.1", pkgname: "mod_ssl", pkgver: "2.8.10_1.3.26", pkgnum:  "1", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package mod_ssl is vulnerable in Slackware 8.1
    Upgrade to mod_ssl-2.8.10_1.3.26-i386-1 or newer.
    ');
    }
    # openssh 3.4p1 build 2
    if (slackware_check(osver: "8.1", pkgname: "openssh", pkgver: "3.4p1", pkgnum:  "2", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package openssh is vulnerable in Slackware 8.1
    Upgrade to openssh-3.4p1-i386-2 or newer.
    ');
    }
    # openssl 0.9.6e build 1
    if (slackware_check(osver: "8.1", pkgname: "openssl", pkgver: "0.9.6e", pkgnum:  "1", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package openssl is vulnerable in Slackware 8.1
    Upgrade to openssl-0.9.6e-i386-1 or newer.
    ');
    }
    # openssl-solibs 0.9.6e build 1
    if (slackware_check(osver: "8.1", pkgname: "openssl-solibs", pkgver: "0.9.6e", pkgnum:  "1", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package openssl-solibs is vulnerable in Slackware 8.1
    Upgrade to openssl-solibs-0.9.6e-i386-1 or newer.
    ');
    }
    # php 4.2.2 build 1
    if (slackware_check(osver: "8.1", pkgname: "php", pkgver: "4.2.2", pkgnum:  "1", pkgarch: "i386")) {
    w++;
    if (report_verbosity > 0) desc = strcat(desc, '
    The package php is vulnerable in Slackware 8.1
    Upgrade to php-4.2.2-i386-1 or newer.
    ');
    }

    # Report once, with the accumulated per-package advice, if anything matched.
    if (w) { security_warning(port: 0, extra: desc); }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-135.NASL
    descriptionThe libapache-mod-ssl package provides SSL capability to the apache webserver. Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all through specially crafted .htaccess files.
    last seen2020-06-01
    modified2020-06-02
    plugin id14972
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14972
    titleDebian DSA-135-1 : libapache-mod-ssl - buffer overflow / DoS
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-136.NASL
    descriptionUpdated mod_ssl packages are now available for Red Hat Advanced Server. These updates incorporate a fix for an incorrect bounds check in versions of mod_ssl up to and including version 2.8.9. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. Versions of mod_ssl prior to 2.8.10 are subject to a single NULL overflow that can cause arbitrary code execution. In order to exploit this vulnerability, the Apache Web server has to be configured to allow overriding of configuration settings on a per-directory basis, and untrusted local users must be able to modify a directory in which the server is configured to allow overriding. The local attacker may then become the user that Apache is running as (usually
    last seen2020-06-01
    modified2020-06-02
    plugin id12310
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12310
    titleRHEL 2.1 : mod_ssl (RHSA-2002:136)
  • NASL familyWeb Servers
    NASL idMOD_SSL_OFFBY1.NASL
    descriptionThe remote host is using a version of mod_ssl that is older than 2.8.10. This version is vulnerable to an off-by-one buffer overflow that could allow a user with write access to .htaccess files to execute arbitrary code on the system with the permissions of the web server. Note that several Linux distributions (such as RedHat) patched the old version of this module, so this result might be a false positive; please check with your vendor to determine whether you are really vulnerable to this flaw.
    last seen2020-06-01
    modified2020-06-02
    plugin id11039
    published2002-07-02
    reporterThis script is Copyright (C) 2002-2018 Thomas Reinke
    sourcehttps://www.tenable.com/plugins/nessus/11039
    titleApache mod_ssl ssl_compat_directive Function Overflow
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-048.NASL
    descriptionFrank Denis discovered an off-by-one error in mod_ssl dealing with the handling of older configuration directives (the rewrite_command hook). A malicious user could use a specially crafted .htaccess file to execute arbitrary commands as the apache user or execute a DoS against the apache child processes. This vulnerability is fixed in mod_ssl 2.8.10; patches have been applied to correct this problem in these packages.
    last seen2020-06-01
    modified2020-06-02
    plugin id13951
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13951
    titleMandrake Linux Security Advisory : mod_ssl (MDKSA-2002:048)

Redhat

advisories
  • rhsa
    idRHSA-2002:134
  • rhsa
    idRHSA-2002:135
  • rhsa
    idRHSA-2002:136
  • rhsa
    idRHSA-2002:146
  • rhsa
    idRHSA-2002:164
  • rhsa
    idRHSA-2003:106

References