Vulnerabilities > CVE-2009-1902 - NULL Pointer Dereference vulnerability in multiple products

trustwave
fedoraproject
CWE-476
nessus
exploit available

Summary

The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash of the Apache worker) via a multipart/form-data POST request with a missing part header name, which triggers a NULL pointer dereference.

Common Weakness Enumeration (CWE): CWE-476 — NULL Pointer Dereference

Exploit-Db

descriptionModSecurity < 2.5.9 Remote Denial of Service Vulnerability. CVE-2009-1902. DoS exploit for multiple platforms.
fileexploits/multiple/dos/8241.txt
idEDB-ID:8241
last seen2016-02-01
modified2009-03-19
platformmultiple
port
published2009-03-19
reporterJuan Galiana Lara
sourcehttps://www.exploit-db.com/download/8241/
titleModSecurity < 2.5.9 - Remote Denial of Service Vulnerability
typedos

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200907-02.NASL
descriptionThe remote host is affected by the vulnerability described in GLSA-200907-02 (ModSecurity: Denial of Service) Multiple vulnerabilities were discovered in ModSecurity: Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902). Steve Grubb of Red Hat reported that the 'PDF XSS protection' feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903).
    last seen2020-06-01
    modified2020-06-02
    plugin id39596
    published2009-07-03
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39596
    titleGLSA-200907-02 : ModSecurity: Denial of Service
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200907-02.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
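    if (description)
    {
      script_id(39596);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      # GLSA 200907-02 covers both ModSecurity DoS issues fixed in 2.5.9.
      script_cve_id("CVE-2009-1902", "CVE-2009-1903");
      script_bugtraq_id(34096);
      script_xref(name:"GLSA", value:"200907-02");
    
      script_name(english:"GLSA-200907-02 : ModSecurity: Denial of Service");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The remote host is affected by the vulnerability described in GLSA-200907-02
    (ModSecurity: Denial of Service)
    
        Multiple vulnerabilities were discovered in ModSecurity:
        Juan Galiana Lara of ISecAuditors discovered a NULL pointer
        dereference when processing multipart requests without a part header
        name (CVE-2009-1902).
        Steve Grubb of Red Hat reported that the
        'PDF XSS protection' feature does not properly handle HTTP requests to
        a PDF file that do not use the GET method (CVE-2009-1903).
      
    Impact :
    
        A remote attacker might send requests containing specially crafted
        multipart data or send certain requests to access a PDF file, possibly
        resulting in a Denial of Service (crash) of the Apache HTTP daemon.
        NOTE: The PDF XSS protection is not enabled by default.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200907-02"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "All ModSecurity users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apache/mod_security-2.5.9'"
      );
      # Unauthenticated, network-reachable, availability-only impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # CVE-2009-1902 is a NULL pointer dereference in the multipart parser
      # (CWE-476); the previous CWE-16 (Configuration) did not describe the flaw.
      script_cwe_id(476);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mod_security");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Package inventory is gathered over SSH by the dependency below.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }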
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: local checks enabled, Gentoo host, package list gathered.
    # audit() exits the script, so each failed check stops here.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release"))
      audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # The fix shipped in www-apache/mod_security-2.5.9; anything older is affected.
    vulnerable = qpkg_check(package:"www-apache/mod_security",
                            unaffected:make_list("ge 2.5.9"),
                            vulnerable:make_list("lt 2.5.9"));
    
    if (vulnerable)
    {
      # Verbose reports include the package comparison details.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
    # Not vulnerable: distinguish "patched" from "not installed" in the audit.
    checked = qpkg_tests_get();
    if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ModSecurity");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-2686.NASL
descriptionSecurity fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37482
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37482
    titleFedora 10 : mod_security-2.5.9-1.fc10 (2009-2686)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2009-2686.
    #
    
    include("compat.inc");
    
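    if (description)
    {
      script_id(37482);
      script_version ("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:29");
    
      # FEDORA-2009-2686 fixes both ModSecurity DoS issues addressed in 2.5.9.
      script_cve_id("CVE-2009-1902", "CVE-2009-1903");
      script_bugtraq_id(34096);
      script_xref(name:"FEDORA", value:"2009-2686");
    
      script_name(english:"Fedora 10 : mod_security-2.5.9-1.fc10 (2009-2686)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Security fixes for potential denials of service when using PDF XSS
    protection as well as when parsing multipart requests.
    http://sourceforge.net/project/shownotes.php?release_id=667542&group_i
    d=68846
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?af255791"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-March/021322.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?123f8bb6"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected mod_security package."
      );
      # Unauthenticated, network-reachable, availability-only impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # CVE-2009-1902 is a NULL pointer dereference in the multipart parser
      # (CWE-476); the previous CWE-16 (Configuration) did not describe the flaw.
      script_cwe_id(476);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # RPM inventory is gathered over SSH by the dependency below.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }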
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: local checks enabled and a Fedora 10 release string.
    # audit() exits the script, so each failed check stops here.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release)
      audit(AUDIT_OS_NOT, "Fedora");
    
    # Pull the numeric release out of the /etc/redhat-release style string.
    match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(match))
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = match[1];
    if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 package comparisons are implemented for this advisory.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    
    # The fixed build is mod_security-2.5.9-1.fc10; older installs are affected.
    vulnerable = rpm_check(release:"FC10", reference:"mod_security-2.5.9-1.fc10");
    
    if (vulnerable)
    {
      # Verbose reports include the package comparison details.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
    # Not vulnerable: distinguish "patched" from "not installed" in the audit.
    checked = pkg_tests_get();
    if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");
    
  • NASL familyFirewalls
    NASL idMODSECURITY_2_5_9.NASL
descriptionAccording to its banner, the version of ModSecurity installed on the remote host is earlier than 2.5.9. It is, therefore, potentially affected by a denial of service vulnerability. An error exists related to multipart form HTTP POST requests with a missing part header name that could allow an attacker to crash the application. Note that Nessus has not tested for this issue but has instead relied only on the version in the server's banner.
    last seen2020-06-01
    modified2020-06-02
    plugin id67125
    published2013-07-02
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/67125
    titleModSecurity < 2.5.9 Multipart Request Header Name DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
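    if (description)
    {
      script_id(67125);
      script_version("1.10");
      script_cvs_date("Date: 2018/11/15 20:50:22");
    
      script_cve_id("CVE-2009-1902");
      script_bugtraq_id(34096);
      # Public proof-of-concept: Exploit-DB 8241.
      script_xref(name:"EDB-ID", value:"8241");
    
      script_name(english:"ModSecurity < 2.5.9 Multipart Request Header Name DoS");
      script_summary(english:"Checks version in Server response header");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web application firewall may be affected by a denial of
    service vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of ModSecurity installed on the
    remote host is earlier than 2.5.9. It is, therefore, potentially
    affected by a denial of service vulnerability. An error exists related
    to multipart form HTTP POST requests with a missing part header name
    that could allow an attacker to crash the application.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the version in the server's banner.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Mar/187");
      script_set_attribute(attribute:"solution", value:"Upgrade to ModSecurity version 2.5.9 or later.");
      # Unauthenticated, network-reachable, availability-only impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # CVE-2009-1902 is a NULL pointer dereference in the multipart parser
      # (CWE-476); the distro plugins for the same CVE carry a CWE id, this one
      # previously had none.
      script_cwe_id(476);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/02");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:modsecurity:modsecurity");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Firewalls");
    
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
    
      # Banner-only check: the version comes from modsecurity_http_version.nasl,
      # and the check only fires when the scan's paranoid-report setting exists.
      script_dependencies("modsecurity_http_version.nasl");
      script_require_keys("www/ModSecurity", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }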
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    
    # Only continue when the fingerprinting dependency identified ModSecurity
    # on this port; get_kb_item_or_exit() ends the script otherwise.
    get_kb_item_or_exit('www/'+port+'/modsecurity');
    version = get_kb_item_or_exit('www/modsecurity/'+port+'/version', exit_code:1);
    backported = get_kb_item_or_exit('www/modsecurity/'+port+'/backported', exit_code:1);
    
    # NOTE(review): "backported" presumably marks vendor builds whose banner
    # may not reflect applied fixes; such hosts are only flagged under the
    # highest paranoia level to limit false positives.
    if (backported && report_paranoia < 2)
      audit(AUDIT_BACKPORT_SERVICE, port, "ModSecurity");
    
    if (version == 'unknown')
      audit(AUDIT_UNKNOWN_WEB_SERVER_VER, "ModSecurity", port);
    
    fixed_ver = '2.5.9';
    
    # Affected ranges: any 0.x / 1.x, 2.0 - 2.4, and 2.5.0 - 2.5.8.  The
    # trailing ($|[^0-9]) stops e.g. 2.5.80 or 2.40 from matching.
    affected = (version =~ "^[01]\.") ||
               (version =~ "^2\.([0-4]|5\.[0-8])($|[^0-9])");
    
    # audit() exits, so everything below runs only for affected versions.
    if (!affected)
      audit(AUDIT_LISTEN_NOT_VULN, "ModSecurity", port, version);
    
    if (report_verbosity > 0)
    {
      source = get_kb_item_or_exit('www/modsecurity/'+port+'/source', exit_code:1);
      report =
        '\n  Version source    : ' + source +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed_ver + '\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-2654.NASL
descriptionSecurity fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id35926
    published2009-03-16
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35926
    titleFedora 9 : mod_security-2.5.9-1.fc9 (2009-2654)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2009-2654.
    #
    
    include("compat.inc");
    
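    if (description)
    {
      script_id(35926);
      script_version ("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:29");
    
      # FEDORA-2009-2654 fixes both ModSecurity DoS issues addressed in 2.5.9.
      script_cve_id("CVE-2009-1902", "CVE-2009-1903");
      script_bugtraq_id(34096);
      script_xref(name:"FEDORA", value:"2009-2654");
    
      script_name(english:"Fedora 9 : mod_security-2.5.9-1.fc9 (2009-2654)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Security fixes for potential denials of service when using PDF XSS
    protection as well as when parsing multipart requests.
    http://sourceforge.net/project/shownotes.php?release_id=667542&group_i
    d=68846
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?af255791"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-March/021280.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e8f46f13"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected mod_security package."
      );
      # Unauthenticated, network-reachable, availability-only impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # CVE-2009-1902 is a NULL pointer dereference in the multipart parser
      # (CWE-476); the previous CWE-16 (Configuration) did not describe the flaw.
      script_cwe_id(476);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # RPM inventory is gathered over SSH by the dependency below.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }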
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: local checks enabled and a Fedora 9 release string.
    # audit() exits the script, so each failed check stops here.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release)
      audit(AUDIT_OS_NOT, "Fedora");
    
    # Pull the numeric release out of the /etc/redhat-release style string.
    match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(match))
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = match[1];
    if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver))
      audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 package comparisons are implemented for this advisory.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch))
      audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$")
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    
    # The fixed build is mod_security-2.5.9-1.fc9; older installs are affected.
    vulnerable = rpm_check(release:"FC9", reference:"mod_security-2.5.9-1.fc9");
    
    if (vulnerable)
    {
      # Verbose reports include the package comparison details.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    
    # Not vulnerable: distinguish "patched" from "not installed" in the audit.
    checked = pkg_tests_get();
    if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");