CVE-2010-0010 - Numeric Errors vulnerability in Apache Http Server
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family | Web Servers |
NASL id | APACHE_1_3_42.NASL |
description | According to its banner, the version of Apache 1.3.x running on the remote host is prior to 1.3.42. It is, therefore, potentially affected by an integer overflow vulnerability in the mod_proxy Apache module. A remote attacker can exploit this to cause a denial of service condition or to execute arbitrary code. Note that successful exploitation is possible only on platforms where sizeof(int) < sizeof(long), such as 64-bit architectures. Also note that version 1.3.42 is the final release of Apache 1.3. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44589 |
published | 2010-02-11 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/44589 |
title | Apache 1.3.x < 1.3.42 mod_proxy Integer Overflow |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44589);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  script_cve_id("CVE-2010-0010");
  script_bugtraq_id(37966);
  script_xref(name:"Secunia", value:"38319");

  script_name(english:"Apache 1.3.x < 1.3.42 mod_proxy Integer Overflow");
  script_summary(english:"Checks the Apache version in Server response header.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server may be affected by an integer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of Apache 1.3.x running on the remote host is prior 1.3.42. It is, therefore, potentially affected by an integer overflow vulnerability in the mod_proxy Apache module. A remote attacker can exploit this to cause a denial of service condition or to execute arbitrary code. Note that successful exploitation is possible only on platforms where sizeof(int) < sizeof(long), such as 64-bit architectures.
Also note that version 1.3.42 is the final release of Apache 1.3.");
  script_set_attribute(attribute:"see_also", value:"http://site.pi3.com.pl/adv/mod_proxy.txt" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Jan/584" );
  # http://web.archive.org/web/20100515000000*/http://httpd.apache.org/dev/dist/CHANGES_1.3.42
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2b8a4a59" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache version 1.3.42 or later. Alternatively, disable mod_proxy." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(189);

  script_set_attribute(attribute:"vuln_publication_date", value: "2010/01/27");
  script_set_attribute(attribute:"patch_publication_date", value: "2010/01/27");
  script_set_attribute(attribute:"plugin_publication_date", value: "2010/02/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("apache_http_version.nasl", "proxy_use.nasl");
  script_require_keys("installed_sw/Apache");
  script_require_ports("Services/www", 80, 3128, 8080);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("install_func.inc");

get_install_count(app_name:"Apache", exit_if_zero:TRUE);
port = get_kb_item("Services/http_proxy");
if (!port)
{
  if (get_port_state(3128)) port = 3128;
  else port = 8080;
}
if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");

install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);

# Check if we could get a version first, then check if it was
# backported
version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);

if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);

# Check if the version looks like either ServerTokens Major/Minor
# was used
if (version =~ '^1(\\.3)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination.");
if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination.");
if (version =~ '^1\\.3' && ver_compare(ver:version, fix:'1.3.42') == -1)
{
  if (report_verbosity > 0)
  {
    report =
      '\n Version source : ' + source +
      '\n Installed version : ' + version +
      '\n Fixed version : 1.3.42\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
```
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_CAE01D7B110D11DF955A00219B0FC4D8.NASL |
description | Apache ChangeLog reports : Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44390 |
published | 2010-02-04 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44390 |
title | FreeBSD : apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long) (cae01d7b-110d-11df-955a-00219b0fc4d8) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2019 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(44390);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:40");

  script_name(english:"FreeBSD : apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long) (cae01d7b-110d-11df-955a-00219b0fc4d8)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Apache ChangeLog reports : Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow."
  );
  # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010
  script_set_attribute(
    attribute:"see_also",
    value:"https://nvd.nist.gov/vuln/detail/CVE-2010-0010"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.security-database.com/detail.php?alert=CVE-2010-0010"
  );
  # http://security-tracker.debian.org/tracker/CVE-2010-0010
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2010-0010"
  );
  # http://www.vupen.com/english/Reference-CVE-2010-0010.php
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.ovh.co.uk/mail/"
  );
  # https://vuxml.freebsd.org/freebsd/cae01d7b-110d-11df-955a-00219b0fc4d8.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?967e9e0d"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate+ipv6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+ssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache_fp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ru-apache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/06/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (pkg_test(save_report:TRUE, pkg:"apache<1.3.42")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_perl<1.3.42")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+ipv6<1.3.42")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache_fp>=0")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ru-apache<1.3.42+30.23")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ru-apache+mod_ssl<1.3.42")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+ssl<1.3.42.1.57_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+ipv6<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel+ipv6<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel+mod_deflate<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_deflate<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_accel<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_accel+ipv6<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_deflate<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | SuSE Local Security Checks |
NASL id | SUSE9_12609.NASL |
description | Specially crafted requests could lead to an integer overflow in mod_proxy. Attackers could exploit that to crash Apache or potentially cause execution of arbitrary code. (CVE-2010-0010) The problem only affects 64bit architectures. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 58228 |
published | 2012-04-23 |
reporter | This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/58228 |
title | SuSE9 Security Update : Apache (YOU Patch Number 12609) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58228);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:37");

  script_cve_id("CVE-2010-0010");

  script_name(english:"SuSE9 Security Update : Apache (YOU Patch Number 12609)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 9 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Specially crafted requests could lead to an integer overflow in mod_proxy. Attackers could exploit that to crash Apache or potentially cause execution of arbitrary code. (CVE-2010-0010) The problem only affects 64bit architectures."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2010-0010/"
  );
  script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12609.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-1.3.29-71.28")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-devel-1.3.29-71.28")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-doc-1.3.29-71.28")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-example-pages-1.3.29-71.28")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"mod_ssl-2.8.16-71.28")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```
Oval
accepted | 2013-07-22T04:03:15.186-04:00 |
class | vulnerability |
contributors |
definition_extensions |
description | Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. |
family | windows |
id | oval:org.mitre.oval:def:7923 |
status | accepted |
submitted | 2010-03-04T17:30:00.000-05:00 |
title | Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability |
version | 14 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 37966
CVE(CAN) ID: CVE-2010-0010

Apache HTTP Server is a popular web server.

The mod_proxy module of the Apache server contains an integer overflow vulnerability when performing a type conversion, which can ultimately lead to a heap overflow. The vulnerable code segment follows:

"./src/modules/proxy/proxy_util.c"

```c
long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len,
                          int nowrite, int chunked, size_t recv_buffer_size)
{
    ...
    size_t buf_size;
    long remaining = 0;
    ...
    for (end_of_chunk = ok = 1; ok;) {
        ...
        if (chunked) {
            long chunk_start = 0;
            n = 0;

            /* start of a new chunk */
            if (end_of_chunk) {
                end_of_chunk = 0;
                /* get the chunk size from the stream */
                chunk_start = ap_getline(buf, buf_size, f, 0);  /* <--- [0] reading line from traffic (socket) */
                if ((chunk_start <= 0) || ((size_t)chunk_start + 1 >= buf_size) || !ap_isxdigit(*buf)) {
                    n = -1;
                }
                /* parse the chunk size */
                else {
                    remaining = ap_get_chunk_size(buf);  /* <--- [1] convert the data read to a 'long' size */
                    if (remaining == 0) { /* Last chunk indicated, get footers */
                        ...
                        ...
                        }
                    }
                    else if (remaining < 0) {
                        n = -1;
                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r,
                                      "proxy: remote protocol error, invalid chunk size");
                    }
                }
            }

            /* read the chunk */
            if (remaining > 0) {
                n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining));  /* <--- [2] convert 'long' to 'int' */
                if (n > -1) {
                    remaining -= n;
                    end_of_chunk = (remaining == 0);
                }
            }
            ...
            ...
}
```

When the server reads the HTTP headers, if the connection is chunked, it waits at [0] and reads the chunk-size data from the socket, and at [1] converts the received data to type long; if the chunk size is positive, [2] casts the long directly to int, which can trigger an integer overflow on the amd64 architecture.

Apache 1.3.x

Vendor patch:

Apache Group
------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: http://www.apache.org |
id | SSV:19019 |
last seen | 2017-11-19 |
modified | 2010-01-29 |
published | 2010-01-29 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-19019 |
title | Apache mod_proxy module HTTP chunked encoding integer overflow vulnerability |
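
The narrowing at [2] in the Seebug excerpt, worked through as an added example (not code from Apache, the advisory, or this page's sources). It models the amd64 case with fixed-width types so it behaves the same on any platform; `narrow`, `read_len_vulnerable` and `read_len_checked` are hypothetical names, the sample sizes are constructed, and the hardened form is one way to bound the length, not the project's own fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Fixed-width stand-ins for the types in the excerpt (assumption: long is
 * 64 bits and int is 32 bits, i.e. sizeof(int) < sizeof(long) as on amd64). */
typedef int64_t lp64_long;
typedef int32_t lp64_int;

/* What an (int) cast does to a 64-bit value on such a platform: keep the low
 * 32 bits and reinterpret them as signed. Written with unsigned arithmetic so
 * it does not depend on implementation-defined conversions. */
static lp64_int narrow(uint64_t bits)
{
    uint32_t low = (uint32_t)bits;
    if (low <= (uint32_t)INT32_MAX)
        return (lp64_int)low;
    return (lp64_int)((int64_t)low - 4294967296LL);
}

/* Length expression as in the excerpt: MIN((int)buf_size, (int)remaining). */
lp64_int read_len_vulnerable(size_t buf_size, lp64_long remaining)
{
    lp64_int b = narrow((uint64_t)buf_size);
    lp64_int r = narrow((uint64_t)remaining);
    return MIN(b, r);
}

/* Hypothetical hardened form: validate and compare in the wide type, narrow
 * only the already-bounded result. Returns -1 for input to be rejected. */
lp64_int read_len_checked(size_t buf_size, lp64_long remaining)
{
    if (remaining <= 0 || buf_size == 0 || buf_size > (size_t)INT32_MAX)
        return -1;
    lp64_long n = MIN((lp64_long)buf_size, remaining);
    return (lp64_int)n; /* 0 < n <= buf_size <= INT32_MAX, so nothing is lost */
}

int main(void)
{
    /* Constructed chunk sizes around the 32-bit boundary. */
    const lp64_long samples[] = {
        0x10LL, 0x7fffffffLL, 0x80000000LL,
        0xffffffffLL, 0x100000000LL, 0x100000010LL
    };
    const size_t buf_size = 8192;
    size_t i;

    printf("%-14s %-14s %s\n", "remaining", "cast-then-MIN", "MIN-then-cast");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("0x%-12llx %-14d %d\n",
               (unsigned long long)samples[i],
               (int)read_len_vulnerable(buf_size, samples[i]),
               (int)read_len_checked(buf_size, samples[i]));
    }
    return 0;
}
```

Every sample passes the `remaining > 0` test as a long, yet the cast-first expression yields a negative, zero or unrelated length once the value no longer fits in 32 bits, which is why the issue is limited to platforms where int is narrower than long.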
Statements
contributor | Joshua Bressers |
lastmodified | 2010-02-03 |
organization | Red Hat |
statement | This issue does not affect the Apache HTTP Server versions 2 and greater. This flaw does not affect any supported versions of Red Hat Enterprise Linux. This flaw does affect Red Hat Network Proxy and Red Hat Network Satellite. While those products do not use this feature, we are tracking the issue with the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0010 |