Vulnerabilities > CVE-2004-0940 - Incorrect Calculation of Buffer Size vulnerability in multiple products
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirecting execution as the attacker chooses.
- Buffer Overflow via Parameter Expansion: In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
Exploit-Db
description Apache 1.3.x mod_include Local Buffer Overflow Vulnerability. CVE-2004-0940. Local exploit for linux platform id EDB-ID:24694 last seen 2016-02-02 modified 2004-10-18 published 2004-10-18 reporter xCrZx source https://www.exploit-db.com/download/24694/ title Apache 1.3.x mod_include Local Buffer Overflow Vulnerability
description Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit. CVE-2004-0940. Local exploit for linux platform id EDB-ID:587 last seen 2016-01-31 modified 2004-10-21 published 2004-10-21 reporter xCrZx source https://www.exploit-db.com/download/587/ title Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2004-305-01.NASL description New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33. last seen 2020-06-01 modified 2020-06-02 plugin id 18788 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18788 title Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2004-305-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#
# Purpose: local package check for Slackware advisory SSA:2004-305-01
# (CVE-2004-0940). The script reads Knowledge Base items and calls
# slackware_check() once per release/package pair; no network probe of the
# web server appears in this script.
#
# Scope caveat: only package versions are compared. Nothing here tests
# whether mod_include / SSI is enabled on the host, so a finding means
# "security update missing", not "confirmed exploitable".
#
include("compat.inc");

# Metadata block: runs only when `description` is set, registers the plugin's
# attributes, and exits before any of the checks below are reached.
if (description)
{
  script_id(18788);
  script_version("1.17");
  script_cvs_date("Date: 2019/10/25 13:36:20");

  script_cve_id("CVE-2004-0940");
  script_xref(name:"SSA", value:"2004-305-01");

  script_name(english:"Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)");
  script_summary(english:"Checks for updated packages in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.533785
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?bbba9317"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected apache and / or mod_ssl packages."
  );
  # CVSS v2 base vector as recorded by this plugin: local access, medium
  # access complexity, no authentication, complete C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  # CWE-119: improper restriction of operations within the bounds of a
  # memory buffer.
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:apache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:mod_ssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/11/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  # The KB keys required below are presumably populated by ssh_get_info.nasl
  # (the only declared dependency) -- confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("slackware.inc");


# Preconditions: stop with an audit message unless local checks are enabled,
# the host was identified as Slackware, and a package list is in the KB.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gate: a missing CPU value or anything other than x86_64 /
# i386-i686 ends the check. `>!<` is NASL's "substring not found" operator.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);


# `flag` counts the slackware_check() calls that return true.
# NOTE(review): presumably a true result means the installed package is older
# than pkgver for that release -- confirm against slackware.inc.
flag = 0;
if (slackware_check(osver:"8.1", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"8.1", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;

if (slackware_check(osver:"9.0", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.0", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i386", pkgnum:"1")) flag++;

if (slackware_check(osver:"9.1", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.1", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;

if (slackware_check(osver:"10.0", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"10.0", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;

if (slackware_check(osver:"current", pkgname:"apache", pkgver:"1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"current", pkgname:"mod_ssl", pkgver:"2.8.22_1.3.33", pkgarch:"i486", pkgnum:"1")) flag++;


# Any hit raises a warning; the text from slackware_report_get() is attached
# only when report_verbosity > 0. With no hits the host is audited as not
# affected.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Web Servers NASL id APACHE_MOD_INCLUDE_PRIV_ESCALATION.NASL description The remote web server appears to be running a version of Apache that is older than version 1.3.33. This version is vulnerable to a local buffer overflow in the get_tag() function of the module […] last seen 2020-06-01 modified 2020-06-02 plugin id 15554 published 2004-10-25 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15554 title Apache mod_include get_tag() Function Local Overflow
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6E6A6B8A2FDE11D9B3A20050FC56D258.NASL description There is a buffer overflow in a function used by mod_include that may enable a local user to gain privileges of a httpd child. Only users that are able to create SSI documents can take advantage of that vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 37841 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37841 title FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)
NASL family FreeBSD Local Security Checks NASL id FREEBSD_APACHE_1333_MOD_INCLUDE.NASL description The following package needs to be updated: apache+ipv6 last seen 2016-09-26 modified 2011-10-03 plugin id 15797 published 2004-11-23 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=15797 title FreeBSD : apache mod_include buffer overflow vulnerability (11)
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-594.NASL description Two vulnerabilities have been identified in the Apache 1.3 webserver : - CAN-2004-0940 […] last seen 2020-06-01 modified 2020-06-02 plugin id 15729 published 2004-11-17 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15729 title Debian DSA-594-1 : apache - buffer overflows
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200411-03.NASL description The remote host is affected by the vulnerability described in GLSA-200411-03 (Apache 1.3: Buffer overflow vulnerability in mod_include) A possible buffer overflow exists in the get_tag() function of mod_include.c. Impact : If Server Side Includes (SSI) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process by making use of a specially crafted document with malformed SSI. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 15606 published 2004-11-02 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15606 title GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-600.NASL description Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. A buffer overflow was discovered in the mod_include module. This flaw could allow a local user who is authorized to create server-side include (SSI) files to gain the privileges of a httpd child (user […] last seen 2020-06-01 modified 2020-06-02 plugin id 15960 published 2004-12-14 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/15960 title RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-134.NASL description A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process. This could be done with a special HTML document using malformed SSI. The updated packages have been patched to prevent this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 15739 published 2004-11-17 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15739 title Mandrake Linux Security Advisory : apache (MDKSA-2004:134)
NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD20041202.NASL description The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 15898 published 2004-12-02 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15898 title Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)
Redhat
advisories |
|
Statements
contributor | Mark J Cox |
lastmodified | 2008-07-02 |
organization | Apache |
statement | Fixed in Apache HTTP Server 1.3.33: http://httpd.apache.org/security/vulnerabilities_13.html |
References
- http://marc.info/?l=bugtraq&m=109906660225051&w=2
- http://marc.info/?l=bugtraq&m=109906660225051&w=2
- http://secunia.com/advisories/12898/
- http://secunia.com/advisories/12898/
- http://secunia.com/advisories/19073
- http://secunia.com/advisories/19073
- http://securitytracker.com/id?1011783
- http://securitytracker.com/id?1011783
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
- http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
- http://www.apacheweek.com/features/security-13
- http://www.apacheweek.com/features/security-13
- http://www.debian.org/security/2004/dsa-594
- http://www.debian.org/security/2004/dsa-594
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:134
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:134
- http://www.redhat.com/support/errata/RHSA-2004-600.html
- http://www.redhat.com/support/errata/RHSA-2004-600.html
- http://www.redhat.com/support/errata/RHSA-2005-816.html
- http://www.redhat.com/support/errata/RHSA-2005-816.html
- http://www.securityfocus.com/bid/11471
- http://www.securityfocus.com/bid/11471
- http://www.vupen.com/english/advisories/2006/0789
- http://www.vupen.com/english/advisories/2006/0789
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17785
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17785
- https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r734a07156abf332d5ab27fb91d9d962cacfef4f3681e44056f064fa8%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd65d8ba68ba17e7deedafbf5bb4899f2ae4dad781d21b931c2941ac3%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re895fc1736d25c8cf57e102c871613b8aeec9ea26fd8a44e7942b5ab%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E