CVE-2013-2765 - Null Pointer Dereference vulnerability in multiple products

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, modsecurity, opensuse, CWE-476, nessus, exploit available

Summary

The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header.

Common Weakness Enumeration (CWE)

Exploit-Db

description: ModSecurity Remote Null Pointer Dereference. CVE-2013-2765. DoS exploit for multiple platforms
id: EDB-ID:25852
last seen: 2016-02-03
modified: 2013-05-31
published: 2013-05-31
reporter: Younes JAAIDI
source: https://www.exploit-db.com/download/25852/
title: ModSecurity Remote Null Pointer Dereference

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-641.NASL
    description: - complete overhaul of this package, with update to 2.7.5. - ruleset update to 2.2.8-0-g0f07cbb. - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf - !!! Please note that mod_unique_id is needed for mod_security2 to run! - modsecurity-apache_2.7.5-build_fix_pcre.diff changes an erroneous linker parameter, preventing rpath in the shared object. - fixes contained for the following bugs: - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling - [bnc#768293] multi-part bypass, minor threat - CVE-2013-1915 [bnc#813190] XML external entity vulnerability - CVE-2012-4528 [bnc#789393] rule bypass - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash - new from 2.5.9 to 2.7.5, only major changes: - GPLv2 replaced by Apache License v2 - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package. - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. - renamed the term
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75113
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75113
    title: openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2013-641.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75113);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2009-5031", "CVE-2012-2751", "CVE-2012-4528", "CVE-2013-1915", "CVE-2013-2765");
    
      script_name(english:"openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1331-1)");
      script_summary(english:"Check for the openSUSE-2013-641 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - complete overhaul of this package, with update to 2.7.5.
    
      - ruleset update to 2.2.8-0-g0f07cbb.
    
      - new configuration framework private to mod_security2:
        /etc/apache2/conf.d/mod_security2.conf loads
        /usr/share/apache2-mod_security2/rules/modsecurity_crs_1
        0_setup.conf, then /etc/apache2/mod_security2.d/*.conf ,
        as set up based on advice in
        /etc/apache2/conf.d/mod_security2.conf Your
        configuration starting point is
        /etc/apache2/conf.d/mod_security2.conf
    
      - !!! Please note that mod_unique_id is needed for
        mod_security2 to run!
    
      - modsecurity-apache_2.7.5-build_fix_pcre.diff changes
        erroneaous linker parameter, preventing rpath in shared
        object.
    
      - fixes contained for the following bugs :
    
      - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request
        parameter handling
    
      - [bnc#768293] multi-part bypass, minor threat
    
      - CVE-2013-1915 [bnc#813190] XML external entity
        vulnerability
    
      - CVE-2012-4528 [bnc#789393] rule bypass
    
      - CVE-2013-2765 [bnc#822664] NULL pointer dereference
        crash
    
      - new from 2.5.9 to 2.7.5, only major changes :
    
      - GPLv2 replaced by Apache License v2
    
      - rules are not part of the source tarball any longer, but
        maintaned upstream externally, and included in this
        package.
    
      - documentation was externalized to a wiki. Package
        contains the FAQ and the reference manual in html form.
    
      - renamed the term 'Encryption' in directives that
        actually refer to hashes. See CHANGES file for more
        details.
    
      - new directive SecXmlExternalEntity, default off
    
      - byte conversion issues on s390x when logging fixed.
    
      - many small issues fixed that were discovered by a
        Coverity scanner
    
      - updated reference manual
    
      - wrong time calculation when logging for some timezones
        fixed.
    
      - replaced time-measuring mechanism with finer granularity
        for measured request/answer phases. (Stopwatch remains
        for compat.)
    
      - cookie parser memory leak fix
    
      - parsing of quoted strings in multipart
        Content-Disposition headers fixed.
    
      - SDBM deadlock fix
    
      - @rsub memory leak fix
    
      - cookie separator code improvements
    
      - build failure fixes
    
      - compile time option --enable-htaccess-config (set)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=768293"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=789393"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=813190"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=822664"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2013-08/msg00020.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache2-mod_security2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_security2-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/08/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-2.7.5-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-debuginfo-2.7.5-2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE12.3", reference:"apache2-mod_security2-debugsource-2.7.5-2.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_security2 / apache2-mod_security2-debuginfo / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-9518.NASL
    description: Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) and a possible memory leak. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-07-12
    plugin id: 67363
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/67363
    title: Fedora 17 : mod_security-2.7.3-2.fc17 (2013-9518)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-9518.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67363);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_xref(name:"FEDORA", value:"2013-9518");
    
      script_name(english:"Fedora 17 : mod_security-2.7.3-2.fc17 (2013-9518)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) and a
    possible memory leak.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=967615"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-June/107810.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?56fdcc95"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mod_security package."
      );
      script_set_attribute(attribute:"risk_factor", value:"High");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mod_security");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:17");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^17([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 17.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC17", reference:"mod_security-2.7.3-2.fc17")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mod_security");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-9583.NASL
    description: Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) and a possible memory leak. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-07-12
    plugin id: 67367
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/67367
    title: Fedora 19 : mod_security-2.7.3-2.fc19 (2013-9583)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-640.NASL
    description: - complete overhaul of this package, with update to 2.7.5. - ruleset update to 2.2.8-0-g0f07cbb. - new configuration framework private to mod_security2: /etc/apache2/conf.d/mod_security2.conf loads /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf, then /etc/apache2/mod_security2.d/*.conf, as set up based on advice in /etc/apache2/conf.d/mod_security2.conf. Your configuration starting point is /etc/apache2/conf.d/mod_security2.conf - !!! Please note that mod_unique_id is needed for mod_security2 to run! - modsecurity-apache_2.7.5-build_fix_pcre.diff changes an erroneous linker parameter, preventing rpath in the shared object. - fixes contained for the following bugs: - CVE-2009-5031, CVE-2012-2751 [bnc#768293] request parameter handling - [bnc#768293] multi-part bypass, minor threat - CVE-2013-1915 [bnc#813190] XML external entity vulnerability - CVE-2012-4528 [bnc#789393] rule bypass - CVE-2013-2765 [bnc#822664] NULL pointer dereference crash - new from 2.5.9 to 2.7.5, only major changes: - GPLv2 replaced by Apache License v2 - rules are not part of the source tarball any longer, but maintained upstream externally, and included in this package. - documentation was externalized to a wiki. Package contains the FAQ and the reference manual in html form. - renamed the term
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75112
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75112
    title: openSUSE Security Update : apache2-mod_security2 (openSUSE-SU-2013:1336-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-9519.NASL
    description: Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) and a possible memory leak. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-07-12
    plugin id: 67364
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/67364
    title: Fedora 18 : mod_security-2.7.3-2.fc18 (2013-9519)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_APACHE_20140731.NASL
    description: The remote Solaris system is missing necessary patches to address security updates: - The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. (CVE-2013-2765)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80587
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80587
    title: Oracle Solaris Third-Party Patch Update : apache (cve_2013_2765_denial_of)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_APACHE2-MOD_SECURITY2-130802.NASL
    description: This update of mod_security2 fixed a NULL pointer dereference crash (CVE-2013-2765) and a memory issue (double free()). (bnc#822664)
    last seen: 2020-06-05
    modified: 2013-09-05
    plugin id: 69787
    published: 2013-09-05
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/69787
    title: SuSE 11.3 Security Update : apache2-mod_security2 (SAT Patch Number 8149)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-187.NASL
    description: Updated apache-mod_security packages fix a security vulnerability: When ModSecurity receives a request body with a size bigger than the value set by SecRequestBodyInMemoryLimit and with a Content-Type that has no request body processor mapped to it, ModSecurity will systematically crash on every call to forceRequestBodyVariable (in phase 1) (CVE-2013-2765).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67132
    published: 2013-07-03
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67132
    title: Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2013:187)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_9DFB63B88F3611E2B34D000C2957946C.NASL
    description: SecurityFocus reports: When ModSecurity receives a request body with a size bigger than the value set by the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66770
    published: 2013-06-03
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66770
    title: FreeBSD : www/mod_security -- NULL pointer dereference DoS (9dfb63b8-8f36-11e2-b34d-000c2957946c)
  • NASL family: Firewalls
    NASL id: MODSECURITY_2_7_4.NASL
    description: According to its banner, the version of ModSecurity installed on the remote host is earlier than 2.7.4. It is, therefore, potentially affected by a denial of service vulnerability. An error exists related to handling the action
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67128
    published: 2013-07-02
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67128
    title: ModSecurity < 2.7.4 forceRequestBodyVariable Action Handling DoS

Packetstorm

data source: https://packetstormsecurity.com/files/download/121815/modsecurity_cve_2013_2765_check.py.txt
id: PACKETSTORM:121815
last seen: 2016-12-05
published: 2013-05-29
reporter: Younes JAAIDI
source: https://packetstormsecurity.com/files/121815/ModSecurity-Remote-Null-Pointer-Dereference.html
title: ModSecurity Remote Null Pointer Dereference

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 60182 CVE(CAN) ID: CVE-2013-2765. ModSecurity versions before 2.7.4 contain a denial of service vulnerability that an attacker can use to crash the Apache web server. The vulnerability is caused by a handling error inside the "forceRequestBodyVariable" action; a specially crafted HTTP request can trigger a NULL pointer dereference. Affected: modsecurity 2.x. Vendor patch: modsecurity. The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage: http://sourceforge.net/projects/mod-security/
id: SSV:60823
last seen: 2017-11-19
modified: 2013-06-02
published: 2013-06-02
reporter: Root
title: ModSecurity NULL pointer dereference remote denial of service vulnerability (CVE-2013-2765)

The Hacker News

id: THN:D432F92440C3CAC9BE8F70DBE9981F6F
last seen: 2017-01-08
modified: 2013-05-29
published: 2013-05-29
reporter: Mohit Kumar
source: http://thehackernews.com/2013/05/upgrade-modsecurity-to-version-274-for.html
title: Upgrade ModSecurity to version 2.7.4 for fixing Denial of Service Vulnerability