Vulnerabilities > CVE-2004-0940 - Incorrect Calculation of Buffer Size vulnerability in multiple products

Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.

Vulnerable Configurations

Part	Description	Count
Application	Openpkg Openpkg Openpkg 2.0 Openpkg Openpkg 2.1 Openpkg Openpkg 2.2	3
Application	Apache Apache Http Server 1.3 Apache Http Server 1.3.0 Apache Http Server 1.3.1 Apache Http Server 1.3.1.1 Apache Http Server 1.3.2 Apache Http Server 1.3.3 Apache Http Server 1.3.4 Apache Http Server 1.3.5 Apache Http Server 1.3.6 Apache Http Server 1.3.7 Apache Http Server 1.3.8 Apache Http Server 1.3.9 Apache Http Server 1.3.10 Apache Http Server 1.3.11 Apache Http Server 1.3.12 Apache Http Server 1.3.13 Apache Http Server 1.3.14 Apache Http Server 1.3.15 Apache Http Server 1.3.16 Apache Http Server 1.3.17 Apache Http Server 1.3.18 Apache Http Server 1.3.19 Apache Http Server 1.3.20 Apache Http Server 1.3.22 Apache Http Server 1.3.23 Apache Http Server 1.3.24 Apache Http Server 1.3.25 Apache Http Server 1.3.26 Apache Http Server 1.3.27 Apache Http Server 1.3.28 Apache Http Server 1.3.29 Apache Http Server 1.3.30 Apache Http Server 1.3.31 Apache Http Server 1.3.32	34
OS	Slackware Slackware Slackware Linux 9.0 Slackware Slackware Linux 8.1 Slackware Slackware Linux 10.0 Slackware Slackware Linux 8.0 Slackware Slackware Linux 9.1 Slackware Slackware Linux Current	6
OS	Hp HP HP UX 11.11 HP HP UX 11.00 HP HP UX 11.22 HP HP UX 11.20	4
OS	Suse Suse Suse Linux 9.2 Suse Suse Linux 9.0 Suse Suse Linux 8.2 Suse Suse Linux 8.0 Suse Suse Linux 9.1 Suse Suse Linux 8.1	6
OS	Trustix Trustix Secure Linux 1.5	1

Common Weakness Enumeration (CWE)

CWE-131 - Incorrect Calculation of Buffer Size

Common Attack Pattern Enumeration and Classification (CAPEC)

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Exploit-Db

description	Apache 1.3.x mod_include Local Buffer Overflow Vulnerability. CVE-2004-0940. Local exploit for linux platform
id	EDB-ID:24694
last seen	2016-02-02
modified	2004-10-18
published	2004-10-18
reporter	xCrZx
source	https://www.exploit-db.com/download/24694/
title	Apache 1.3.x mod_include Local Buffer Overflow Vulnerability

description	Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit. CVE-2004-0940. Local exploit for linux platform
id	EDB-ID:587
last seen	2016-01-31
modified	2004-10-21
published	2004-10-21
reporter	xCrZx
source	https://www.exploit-db.com/download/587/
title	Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit

Nessus

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2004-305-01.NASL
description	New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.
last seen	2020-06-01
modified	2020-06-02
plugin id	18788
published	2005-07-13
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18788
title	Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2004-305-01. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(18788); script_version("1.17"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2004-0940"); script_xref(name:"SSA", value:"2004-305-01"); script_name(english:"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)"); script_summary(english:"Checks for updated packages in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.533785 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?bbba9317" ); script_set_attribute( attribute:"solution", value:"Update the affected apache and / or mod_ssl packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_cwe_id(119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:apache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:mod_ssl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/11/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"8.1", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"8.1", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.0", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.0", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i386", pkgnum:"1")) flag++; if (slackware_check(osver:"9.1", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"9.1", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"10.0", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"10.0", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"current", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++; if (slackware_check(osver:"current", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Web Servers
NASL id	APACHE_MOD_INCLUDE_PRIV_ESCALATION.NASL
description	The remote web server appears to be running a version of Apache that is older than version 1.3.33. This version is vulnerable to a local buffer overflow in the get_tag() function of the module
last seen	2020-06-01
modified	2020-06-02
plugin id	15554
published	2004-10-25
reporter	This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15554
title	Apache mod_include get_tag() Function Local Overflow

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_6E6A6B8A2FDE11D9B3A20050FC56D258.NASL
description	There is a buffer overflow in a function used by mod_include that may enable a local user to gain privileges of a httpd child. Only users that are able to create SSI documents can take advantage of that vulnerability.
last seen	2020-06-01
modified	2020-06-02
plugin id	37841
published	2009-04-23
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/37841
title	FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_APACHE_1333_MOD_INCLUDE.NASL
description	The following package needs to be updated: apache+ipv6
last seen	2016-09-26
modified	2011-10-03
plugin id	15797
published	2004-11-23
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=15797
title	FreeBSD : apache mod_include buffer overflow vulnerability (11)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-594.NASL
description	Two vulnerabilities have been identified in the Apache 1.3 webserver : - CAN-2004-0940
last seen	2020-06-01
modified	2020-06-02
plugin id	15729
published	2004-11-17
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15729
title	Debian DSA-594-1 : apache - buffer overflows

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200411-03.NASL
description	The remote host is affected by the vulnerability described in GLSA-200411-03 (Apache 1.3: Buffer overflow vulnerability in mod_include) A possible buffer overflow exists in the get_tag() function of mod_include.c. Impact : If Server Side Includes (SSI) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process by making use of a specially crafted document with malformed SSI. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	15606
published	2004-11-02
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15606
title	GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2004-600.NASL
description	Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. A buffer overflow was discovered in the mod_include module. This flaw could allow a local user who is authorized to create server-side include (SSI) files to gain the privileges of a httpd child (user
last seen	2020-06-01
modified	2020-06-02
plugin id	15960
published	2004-12-14
reporter	This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/15960
title	RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2004-134.NASL
description	A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process. This could be done with a special HTML document using malformed SSI. The updated packages have been patched to prevent this problem.
last seen	2020-06-01
modified	2020-06-02
plugin id	15739
published	2004-11-17
reporter	This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15739
title	Mandrake Linux Security Advisory : apache (MDKSA-2004:134)

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_SECUPD20041202.NASL
description	The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
last seen	2020-06-01
modified	2020-06-02
plugin id	15898
published	2004-12-02
reporter	This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/15898
title	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)

Redhat

advisories

rhsa
id RHSA-2004:600
rhsa
id RHSA-2005:816

Statements

contributor	Mark J Cox
lastmodified	2008-07-02
organization	Apache
statement	Fixed in Apache HTTP Server 1.3.33: http://httpd.apache.org/security/vulnerabilities_13.html

Summary