CVE-2004-0940 - Incorrect Calculation of Buffer Size vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: local, low complexity, openpkg, apache, slackware, hp, suse, trustix, CWE-131, nessus, exploit available

Summary

Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.

Common Weakness Enumeration (CWE)

  • CWE-131: Incorrect Calculation of Buffer Size

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

Exploit-Db

  • description: Apache 1.3.x mod_include Local Buffer Overflow Vulnerability. CVE-2004-0940. Local exploit for linux platform
    id: EDB-ID:24694
    last seen: 2016-02-02
    modified: 2004-10-18
    published: 2004-10-18
    reporter: xCrZx
    source: https://www.exploit-db.com/download/24694/
    title: Apache 1.3.x mod_include Local Buffer Overflow Vulnerability
  • description: Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit. CVE-2004-0940. Local exploit for linux platform
    id: EDB-ID:587
    last seen: 2016-01-31
    modified: 2004-10-21
    published: 2004-10-21
    reporter: xCrZx
    source: https://www.exploit-db.com/download/587/
    title: Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit

Nessus

  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2004-305-01.NASL
    description: New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18788
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18788
    title: Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2004-305-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(18788);
      script_version("1.17");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      script_cve_id("CVE-2004-0940");
      script_xref(name:"SSA", value:"2004-305-01");
    
      script_name(english:"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)");
      script_summary(english:"Checks for updated packages in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
    and -current to fix a security issue. Apache has been upgraded to
    version 1.3.33 which fixes a buffer overflow which may allow local
    users to execute arbitrary code as the apache user. The mod_ssl
    package has also been upgraded to version 2.8.22_1.3.33."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.533785
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bbba9317"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache and / or mod_ssl packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:apache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/11/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"8.1", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;
    if (slackware_check(osver:"8.1", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"9.0", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;
    if (slackware_check(osver:"9.0", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"9.1", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"9.1", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"10.0", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"10.0", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Web Servers
    NASL id: APACHE_MOD_INCLUDE_PRIV_ESCALATION.NASL
    description: The remote web server appears to be running a version of Apache that is older than version 1.3.33. This version is vulnerable to a local buffer overflow in the get_tag() function of the module
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15554
    published: 2004-10-25
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15554
    title: Apache mod_include get_tag() Function Local Overflow
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_6E6A6B8A2FDE11D9B3A20050FC56D258.NASL
    description: There is a buffer overflow in a function used by mod_include that may enable a local user to gain privileges of a httpd child. Only users that are able to create SSI documents can take advantage of that vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37841
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/37841
    title: FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_APACHE_1333_MOD_INCLUDE.NASL
    description: The following package needs to be updated: apache+ipv6
    last seen: 2016-09-26
    modified: 2011-10-03
    plugin id: 15797
    published: 2004-11-23
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=15797
    title: FreeBSD : apache mod_include buffer overflow vulnerability (11)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-594.NASL
    description: Two vulnerabilities have been identified in the Apache 1.3 webserver : - CAN-2004-0940
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15729
    published: 2004-11-17
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15729
    title: Debian DSA-594-1 : apache - buffer overflows
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200411-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200411-03 (Apache 1.3: Buffer overflow vulnerability in mod_include). A possible buffer overflow exists in the get_tag() function of mod_include.c. Impact: If Server Side Includes (SSI) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process by making use of a specially crafted document with malformed SSI. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15606
    published: 2004-11-02
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15606
    title: GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-600.NASL
    description: Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. A buffer overflow was discovered in the mod_include module. This flaw could allow a local user who is authorized to create server-side include (SSI) files to gain the privileges of a httpd child (user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15960
    published: 2004-12-14
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/15960
    title: RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-134.NASL
    description: A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process. This could be done with a special HTML document using malformed SSI. The updated packages have been patched to prevent this problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15739
    published: 2004-11-17
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15739
    title: Mandrake Linux Security Advisory : apache (MDKSA-2004:134)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD20041202.NASL
    description: The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs: Apache, Apache2, AppKit, Cyrus IMAP, HIToolbox, Kerberos, Postfix, PSNormalizer, QuickTime Streaming Server, Safari, Terminal. These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15898
    published: 2004-12-02
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15898
    title: Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)

Redhat

advisories
  • rhsa
    id: RHSA-2004:600
  • rhsa
    id: RHSA-2005:816

Statements

contributor: Mark J Cox
last modified: 2008-07-02
organization: Apache
statement: Fixed in Apache HTTP Server 1.3.33: http://httpd.apache.org/security/vulnerabilities_13.html

References