Vulnerabilities > CVE-2010-0010 - Numeric Errors vulnerability in Apache Http Server


Summary

Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. Note the attack direction: the malicious data is the chunked *response* from an origin server that mod_proxy fetches, not the client request, so the realistic target is a forward proxy that will fetch attacker-chosen URLs (a reverse proxy is exposed only through a compromised or spoofed backend). The root cause visible in the Seebug excerpt below is the truncation of the `long` chunk size to `int` in `MIN((int)buf_size, (int)remaining)`: on a platform where sizeof(int) < sizeof(long), a chunk size above INT_MAX becomes a negative `int`, so the length handed to ap_bread() is no longer bounded by the buffer size. Apache 2.x is not affected (see the Red Hat statement below).

Vulnerable Configurations

Part Description Count
Application
Apache
60

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyWeb Servers
    NASL idAPACHE_1_3_42.NASL
    descriptionAccording to its banner, the version of Apache 1.3.x running on the remote host is prior to 1.3.42. It is, therefore, potentially affected by an integer overflow vulnerability in the mod_proxy Apache module. A remote attacker (acting as, or controlling, an origin server the proxy fetches from) can exploit this to cause a denial of service condition or to execute arbitrary code. Note that successful exploitation is possible only on platforms where sizeof(int) < sizeof(long), such as 64-bit architectures, and only when mod_proxy is in use. Also note that version 1.3.42 is the final release of Apache 1.3, so the only long-term remedy is migrating off the 1.3 branch.
    last seen2020-06-01
    modified2020-06-02
    plugin id44589
    published2010-02-11
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/44589
    titleApache 1.3.x < 1.3.42 mod_proxy Integer Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44589);
      script_version("1.17");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      script_cve_id("CVE-2010-0010");
      script_bugtraq_id(37966);
      script_xref(name:"Secunia", value:"38319");
    
      script_name(english:"Apache 1.3.x < 1.3.42 mod_proxy Integer Overflow");
      script_summary(english:"Checks the Apache version in Server response header.");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server may be affected by an integer overflow
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Apache 1.3.x running on the
    remote host is prior 1.3.42. It is, therefore, potentially affected
    by an integer overflow vulnerability in the mod_proxy Apache module.
    A remote attacker can exploit this to cause a denial of service
    condition or to execute arbitrary code.
    
    Note that successful exploitation is possible only on platforms where
    sizeof(int) < sizeof(long), such as 64-bit architectures. 
    
    Also note that version 1.3.42 is the final release of Apache 1.3.");
      script_set_attribute(attribute:"see_also", value:"http://site.pi3.com.pl/adv/mod_proxy.txt" );
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2010/Jan/584" );
      # http://web.archive.org/web/20100515000000*/http://httpd.apache.org/dev/dist/CHANGES_1.3.42
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2b8a4a59" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache version 1.3.42 or later. Alternatively, disable
    mod_proxy."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(189);
      script_set_attribute(attribute:"vuln_publication_date", value: "2010/01/27");
      script_set_attribute(attribute:"patch_publication_date", value: "2010/01/27");
      script_set_attribute(attribute:"plugin_publication_date", value: "2010/02/11");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("apache_http_version.nasl", "proxy_use.nasl");
      script_require_keys("installed_sw/Apache");
      script_require_ports("Services/www", 80, 3128, 8080);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("audit.inc");
    include("install_func.inc");
    
    get_install_count(app_name:"Apache", exit_if_zero:TRUE);
    port =  get_kb_item("Services/http_proxy");
    if (!port)
    {
      if (get_port_state(3128)) port = 3128;
      else port = 8080;
    }
    if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
    
    install = get_single_install(app_name:"Apache", port:port, exit_if_unknown_ver:TRUE);
    
    # Check if we could get a version first,  then check if it was
    # backported
    version = get_kb_item_or_exit('www/apache/'+port+'/version', exit_code:1);
    backported = get_kb_item_or_exit('www/apache/'+port+'/backported', exit_code:1);
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "Apache");
    source = get_kb_item_or_exit('www/apache/'+port+'/source', exit_code:1);
    
    # Check if the version looks like either ServerTokesn Major/Minor
    # was used
    
    if (version =~ '^1(\\.3)?$') exit(1, "The banner from the Apache server listening on port "+port+" - "+source+" - is not granular enough to make a determination.");
    if (version !~ "^\d+(\.\d+)*$") exit(1, "The version of Apache listening on port " + port + " - " + version + " - is non-numeric and, therefore, cannot be used to make a determination.");
    if (version =~ '^1\\.3' && ver_compare(ver:version, fix:'1.3.42') == -1)
    {
      if (report_verbosity > 0)
      {
        report = 
          '\n  Version source    : ' + source + 
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 1.3.42\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_CAE01D7B110D11DF955A00219B0FC4D8.NASL
    descriptionApache ChangeLog reports : Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
    last seen2020-06-01
    modified2020-06-02
    plugin id44390
    published2010-02-04
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44390
    titleFreeBSD : apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long) (cae01d7b-110d-11df-955a-00219b0fc4d8)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44390);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:40");
    
      script_name(english:"FreeBSD : apache -- Prevent chunk-size integer overflow on platforms where sizeof(int) < sizeof(long) (cae01d7b-110d-11df-955a-00219b0fc4d8)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Apache ChangeLog reports :
    
    Integer overflow in the ap_proxy_send_fb function in
    proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before
    1.3.42 on 64-bit platforms allows remote origin servers to cause a
    denial of service (daemon crash) or possibly execute arbitrary code
    via a large chunk size that triggers a heap-based buffer overflow."
      );
      # http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0010
      script_set_attribute(
        attribute:"see_also",
        value:"https://nvd.nist.gov/vuln/detail/CVE-2010-0010"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.security-database.com/detail.php?alert=CVE-2010-0010"
      );
      # http://security-tracker.debian.org/tracker/CVE-2010-0010
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2010-0010"
      );
      # http://www.vupen.com/english/Reference-CVE-2010-0010.php
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.ovh.co.uk/mail/"
      );
      # https://vuxml.freebsd.org/freebsd/cae01d7b-110d-11df-955a-00219b0fc4d8.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?967e9e0d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate+ipv6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache+ssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:apache_fp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ru-apache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/06/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/02/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"apache<1.3.42")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_perl<1.3.42")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+ipv6<1.3.42")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache_fp>=0")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"ru-apache<1.3.42+30.23")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"ru-apache+mod_ssl<1.3.42")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+ssl<1.3.42.1.57_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+ipv6<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel+ipv6<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel+mod_deflate<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_accel+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_deflate<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_accel<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_accel+ipv6<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_deflate<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6<1.3.41+2.8.27_2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12609.NASL
    descriptionSpecially crafted requests could lead to an integer overflow in mod_proxy. Attackers could exploit that to crash Apache or potentially cause execution of arbitrary code. (CVE-2010-0010) The problem only affects 64bit architectures. (Per the CVE summary above, the malicious input is the chunked response returned by a remote origin server that mod_proxy relays, rather than the client request itself.)
    last seen2020-06-01
    modified2020-06-02
    plugin id58228
    published2012-04-23
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58228
    titleSuSE9 Security Update : Apache (YOU Patch Number 12609)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58228);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:37");
    
      script_cve_id("CVE-2010-0010");
    
      script_name(english:"SuSE9 Security Update : Apache (YOU Patch Number 12609)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Specially crafted requests could lead to an integer overflow in
    mod_proxy. Attackers could exploit that to crash Apache or potentially
    cause execution of arbitrary code. (CVE-2010-0010)
    
    The problem only affects 64bit architectures."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2010-0010/"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12609.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-1.3.29-71.28")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-devel-1.3.29-71.28")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-doc-1.3.29-71.28")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"apache-example-pages-1.3.29-71.28")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"mod_ssl-2.8.16-71.28")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    

Oval

accepted2013-07-22T04:03:15.186-04:00
classvulnerability
contributors
  • nameJ. Daniel Brown
    organizationDTCC
  • nameMatt Hansbury
    organizationThe MITRE Corporation
  • nameMatt Hansbury
    organizationThe MITRE Corporation
  • nameMaria Kedovskaya
    organizationALTX-SOFT
definition_extensions
commentApache HTTP Server 1.3.x is installed on the system
ovaloval:org.mitre.oval:def:8565
descriptionInteger overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
familywindows
idoval:org.mitre.oval:def:7923
statusaccepted
submitted2010-03-04T17:30:00.000-05:00
titleApache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability
version14

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 37966 CVE(CAN) ID: CVE-2010-0010 Apache HTTP Server是一款流行的Web服务器。 Apache服务器的mod_proxy模块在执行字符类型转换时存在最终可导致堆溢出的整数溢出漏洞。以下是有漏洞的代码段: "./src/modules/proxy/proxy_util.c" long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int nowrite, int chunked, size_t recv_buffer_size) { ... size_t buf_size; long remaining = 0; ... for (end_of_chunk = ok = 1; ok;) { ... if (chunked) { long chunk_start = 0; n = 0; /* start of a new chunk */ if (end_of_chunk) { end_of_chunk = 0; /* get the chunk size from the stream */ chunk_start = ap_getline(buf, buf_size, f, 0); <---------------- [0] reading line from traffic (socket) if ((chunk_start <= 0) || ((size_t)chunk_start + 1 >= buf_size) || !ap_isxdigit(*buf)) { n = -1; } /* parse the chunk size */ else { remaining = ap_get_chunk_size(buf); <---------------- [1] convert read data to 'long' size! if (remaining == 0) { /* Last chunk indicated, get footers */ ... ... } } else if (remaining < 0) { n = -1; ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r, "proxy: remote protocol error, invalid chunk size"); } } } /* read the chunk */ if (remaining > 0) { n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining)); <------------- [2] convert 'long' to 'int' !!!! if (n > -1) { remaining -= n; end_of_chunk = (remaining == 0); } } ... ... } 服务器在读取HTTP头时,如果是分块连接,在[0]处会等待并从套接字读取块大小的数据,在[1]处将所接收到的数据转换为long类型;如果存在正值的块大小,[2]处直接将long类型转换为int类型,这在amd64架构上可能触发整数溢出。 Apache 1.3.x 厂商补丁: Apache Group ------------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.apache.org (Editor's note: the "no vendor patch yet" statement reflects the 2010-01-29 publication date; the fix shipped in Apache 1.3.42, the final 1.3 release, as noted in the Summary above.)
idSSV:19019
last seen2017-11-19
modified2010-01-29
published2010-01-29
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-19019
titleApache mod_proxy模块HTTP分块编码整数溢出漏洞

Statements

contributorJoshua Bressers
lastmodified2010-02-03
organizationRed Hat
statementThis issue does not affect the Apache HTTP Server versions 2 and greater. This flaw does not affect any supported versions of Red Hat Enterprise Linux. This flaw does affect Red Hat Network Proxy and Red Hat Network Satellite. While those products do not use this feature, we are tracking the issue with the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0010

References