[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Apache HTTPD 2.4.12, 2.2.29 Security Audit - Advanced Information Security Corp



-=[Advanced Information Security Corp]=-

Author: Nicholas Lemonias
Advisory Date: 13/4/2015
Email: lem.nikolas (at) gmail (dot) com

Introduction
==========
During a source-code audit of the Apache HTTPD 2.2.29 release
implementation for linux; conducted internally by the Advanced
Information Security
Group, instances of insecure function use were observed, which could
possibly lead to some attacks.

Software Overview
===============


The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems including UNIX
and Windows NT. The goal of this project is to provide a secure,
efficient and extensible server that provides HTTP services in sync
with the current HTTP standards.

Apache httpd was launched in 1995, has been the most popular web
server on the Internet since April 1996, and celebrates its 20th
birthday as a project this February.


Module Overview
===============

*  mod_tls.c - Apache SSL/TLS module for NetWare by Mike Gardiner.
*
* This module gives Apache the ability to do SSL/TLS with a minimum amount
* of effort.  All of the SSL/TLS logic is already * on NetWare versions 5 and above and is 
* interfaced through WinSock on NetWare.


PoC 1 - Code Snippet [CWE-476]
==============================
(...\httpd-2.2.29\modules\arch\netware\mod_nw_ssl.c:1104-1130)
(...\httpd-2.4.12\modules\arch\netware\mod_nw_ssl.c:1104-1130)

Description: A Null Pointer dereference security issue has been
realized on [line 1104]   where (request_rec *r = f->r;) and precisely
at the calling of ssl_io_filter_Upgrade() function.

 User input can be supplied to the called function, and an illegal
input to be provided.

 Furthermore, it is noted that there are no security validation
controls on the state of  r->connection , or the context of
&nwssl_module or f->r.


Kind Regards,
Nicholas Lemonias