Vulnerabilities > CVE-2009-1902 - NULL Pointer Dereference vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The multipart processor in ModSecurity before 2.5.9 allows remote attackers to cause a denial of service (crash) via a multipart form-data POST request with a missing part header name, which triggers a NULL pointer dereference.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | ModSecurity < 2.5.9 Remote Denial of Service Vulnerability. CVE-2009-1902. DoS exploit for multiple platforms |
file | exploits/multiple/dos/8241.txt |
id | EDB-ID:8241 |
last seen | 2016-02-01 |
modified | 2009-03-19 |
platform | multiple |
port | |
published | 2009-03-19 |
reporter | Juan Galiana Lara |
source | https://www.exploit-db.com/download/8241/ |
title | ModSecurity < 2.5.9 - Remote Denial of Service Vulnerability |
type | dos |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200907-02.NASL description The remote host is affected by the vulnerability described in GLSA-200907-02 (ModSecurity: Denial of Service) Multiple vulnerabilities were discovered in ModSecurity: Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902). Steve Grubb of Red Hat reported that the last seen 2020-06-01 modified 2020-06-02 plugin id 39596 published 2009-07-03 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39596 title GLSA-200907-02 : ModSecurity: Denial of Service code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200907-02.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
# Gentoo local package check for GLSA 200907-02: reports an installed
# www-apache/mod_security older than 2.5.9 as affected by CVE-2009-1902
# and CVE-2009-1903. No traffic is sent to the target; the decision is
# made from the package list already collected in the knowledge base.

include("compat.inc");

# Registration phase: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before the
# actual check runs.
if (description)
{
  script_id(39596);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:45");

  script_cve_id("CVE-2009-1902", "CVE-2009-1903");
  script_bugtraq_id(34096);
  script_xref(name:"GLSA", value:"200907-02");

  script_name(english:"GLSA-200907-02 : ModSecurity: Denial of Service");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
    "The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "The remote host is affected by the vulnerability described in GLSA-200907-02 (ModSecurity: Denial of Service) Multiple vulnerabilities were discovered in ModSecurity: Juan Galiana Lara of ISecAuditors discovered a NULL pointer dereference when processing multipart requests without a part header name (CVE-2009-1902). Steve Grubb of Red Hat reported that the 'PDF XSS protection' feature does not properly handle HTTP requests to a PDF file that do not use the GET method (CVE-2009-1903). Impact : A remote attacker might send requests containing specially crafted multipart data or send certain requests to access a PDF file, possibly resulting in a Denial of Service (crash) of the Apache HTTP daemon. NOTE: The PDF XSS protection is not enabled by default. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200907-02"
  );
  script_set_attribute(
    attribute:"solution",
    value:
    "All ModSecurity users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apache/mod_security-2.5.9'"
  );
  # Availability-only impact (A:C), network-reachable, no authentication.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(16);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mod_security");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # Depends on the SSH information-gathering plugin having populated the
  # Gentoo release and qpkg package list in the knowledge base.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions: local checks enabled, host identified as Gentoo, and a
# package list available. Each failure audits out with a specific reason.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Versions below 2.5.9 are vulnerable; 2.5.9 and later are the fixed range.
if (qpkg_check(package:"www-apache/mod_security", unaffected:make_list("ge 2.5.9"), vulnerable:make_list("lt 2.5.9"))) flag++;

if (flag)
{
  # Verbose reporting attaches the package comparison details from qpkg_report_get().
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "package present but not affected" from "package not installed".
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ModSecurity");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2009-2686.NASL description Security fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. http://sourceforge.net/project/shownotes.php?release_id=667542&group_i d=68846 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37482 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37482 title Fedora 10 : mod_security-2.5.9-1.fc10 (2009-2686) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-2686.
#
# Fedora 10 local package check: reports mod_security older than
# 2.5.9-1.fc10 as affected by CVE-2009-1902 and CVE-2009-1903. The
# decision is made from the rpm list already in the knowledge base; no
# traffic is sent to the target.

include("compat.inc");

# Registration phase: with `description` set, only plugin metadata is
# recorded and the script exits before the check runs.
if (description)
{
  script_id(37482);
  script_version ("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:29");

  script_cve_id("CVE-2009-1902", "CVE-2009-1903");
  script_bugtraq_id(34096);
  script_xref(name:"FEDORA", value:"2009-2686");

  script_name(english:"Fedora 10 : mod_security-2.5.9-1.fc10 (2009-2686)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "Security fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. http://sourceforge.net/project/shownotes.php?release_id=667542&group_i d=68846 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?af255791"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-March/021322.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?123f8bb6"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected mod_security package."
  );
  # Availability-only impact (A:C), network-reachable, no authentication.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(16);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/03/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Needs the SSH information-gathering plugin to have stored the RedHat
  # release string and rpm list in the knowledge base.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# OS gating: the release string must identify Fedora, and the major
# version parsed from it must be exactly 10 (the "^10([^0-9]|$)" pattern
# keeps e.g. "100" from matching).
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gating: only x86_64 and i386-i686 hosts are checked; any
# other CPU string audits out as not implemented rather than guessing.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
# Anything older than the reference build 2.5.9-1.fc10 counts as affected.
if (rpm_check(release:"FC10", reference:"mod_security-2.5.9-1.fc10")) flag++;

if (flag)
{
  # Verbose reporting attaches the rpm comparison details from rpm_report_get().
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "package present but not affected" from "package not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");
}
NASL family Firewalls NASL id MODSECURITY_2_5_9.NASL description According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.5.9. It is, therefore, potentially affected by a denial of service vulnerability. An error exists related to multipart form HTTP POST requests with a missing part header name that could allow an attacker to crash the application. Note that Nessus has not tested for this issue but has instead relied only on the version in the server last seen 2020-06-01 modified 2020-06-02 plugin id 67125 published 2013-07-02 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67125 title ModSecurity < 2.5.9 Multipart Request Header Name DoS code
#
# (C) Tenable Network Security, Inc.
#
# Remote, banner-only check for CVE-2009-1902: reads the ModSecurity
# version that modsecurity_http_version.nasl stored in the knowledge base
# for the web port and flags anything below 2.5.9. The vulnerable request
# is never sent, so a backported fix that leaves the banner unchanged
# produces a false positive unless the backport handling below suppresses it.

include("compat.inc");

# Registration phase: with `description` set, only plugin metadata is
# recorded and the script exits before the check runs.
if (description)
{
  script_id(67125);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2009-1902");
  script_bugtraq_id(34096);
  script_xref(name:"EDB-ID", value:"8241");

  script_name(english:"ModSecurity < 2.5.9 Multipart Request Header Name DoS");
  script_summary(english:"Checks version in Server response header");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application firewall may be affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.5.9. It is, therefore, potentially affected by a denial of service vulnerability. An error exists related to multipart form HTTP POST requests with a missing part header name that could allow an attacker to crash the application. Note that Nessus has not tested for this issue but has instead relied only on the version in the server's banner.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Mar/187");
  script_set_attribute(attribute:"solution", value:"Upgrade to ModSecurity version 2.5.9 or later.");
  # Availability-only impact (A:C), network-reachable, no authentication.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/03/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/02");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:modsecurity:modsecurity");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # Because the result rests on the banner alone, the plugin is gated on
  # Settings/ParanoidReport as well as on the ModSecurity detection plugin.
  script_dependencies("modsecurity_http_version.nasl");
  script_require_keys("www/ModSecurity", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

# Make sure this is ModSecurity
get_kb_item_or_exit('www/'+port+'/modsecurity');

# Both values come from the detection plugin; exit_code:1 means a missing
# key ends the plugin without a finding.
version = get_kb_item_or_exit('www/modsecurity/'+port+'/version', exit_code:1);
backported = get_kb_item_or_exit('www/modsecurity/'+port+'/backported', exit_code:1);

# A distribution-backported build keeps an old banner; only report it when
# report_paranoia is at its highest level (2).
if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "ModSecurity");

if (version == 'unknown') audit(AUDIT_UNKNOWN_WEB_SERVER_VER, "ModSecurity", port);

fixed_ver = '2.5.9';

# Vulnerable ranges: 0.x and 1.x, then 2.0-2.4 and 2.5.0-2.5.8. The
# trailing "($|[^0-9])" stops e.g. "2.10" or "2.5.80" from matching.
if (
  version =~ "^[01]\." ||
  version =~ "^2\.([0-4]|5\.[0-8])($|[^0-9])"
)
{
  if (report_verbosity > 0)
  {
    # Verbose report names where the version string was observed.
    source = get_kb_item_or_exit('www/modsecurity/'+port+'/source', exit_code:1);
    report =
      '\n Version source : ' + source +
      '\n Installed version : ' + version +
      '\n Fixed version : ' + fixed_ver +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "ModSecurity", port, version);
NASL family Fedora Local Security Checks NASL id FEDORA_2009-2654.NASL description Security fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. http://sourceforge.net/project/shownotes.php?release_id=667542&group_i d=68846 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 35926 published 2009-03-16 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35926 title Fedora 9 : mod_security-2.5.9-1.fc9 (2009-2654) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-2654.
#
# Fedora 9 local package check: reports mod_security older than
# 2.5.9-1.fc9 as affected by CVE-2009-1902 and CVE-2009-1903. The
# decision is made from the rpm list already in the knowledge base; no
# traffic is sent to the target.

include("compat.inc");

# Registration phase: with `description` set, only plugin metadata is
# recorded and the script exits before the check runs.
if (description)
{
  script_id(35926);
  script_version ("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:29");

  script_cve_id("CVE-2009-1902", "CVE-2009-1903");
  script_bugtraq_id(34096);
  script_xref(name:"FEDORA", value:"2009-2654");

  script_name(english:"Fedora 9 : mod_security-2.5.9-1.fc9 (2009-2654)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "Security fixes for potential denials of service when using PDF XSS protection as well as when parsing multipart requests. http://sourceforge.net/project/shownotes.php?release_id=667542&group_i d=68846 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?af255791"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-March/021280.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e8f46f13"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected mod_security package."
  );
  # Availability-only impact (A:C), network-reachable, no authentication.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(16);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/03/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Needs the SSH information-gathering plugin to have stored the RedHat
  # release string and rpm list in the knowledge base.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# OS gating: the release string must identify Fedora, and the major
# version parsed from it must be exactly 9 (the "^9([^0-9]|$)" pattern
# keeps e.g. "90" from matching).
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gating: only x86_64 and i386-i686 hosts are checked; any
# other CPU string audits out as not implemented rather than guessing.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
# Anything older than the reference build 2.5.9-1.fc9 counts as affected.
if (rpm_check(release:"FC9", reference:"mod_security-2.5.9-1.fc9")) flag++;

if (flag)
{
  # Verbose reporting attaches the rpm comparison details from rpm_report_get().
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Distinguish "package present but not affected" from "package not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");
}
References
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00487.html
- http://www.securityfocus.com/bid/34096
- http://secunia.com/advisories/34311
- http://secunia.com/advisories/34256
- http://www.securityfocus.com/archive/1/501968
- https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00529.html
- http://www.osvdb.org/52553
- http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
- http://www.vupen.com/english/advisories/2009/0703
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
- http://security.gentoo.org/glsa/glsa-200907-02.xml
- http://secunia.com/advisories/35687
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49212
- https://www.exploit-db.com/exploits/8241