[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security Advisory - Apache HTTP Server 2.2.29 / 2.4.12 NULL Pointer dereference in protocol.c



-=[Advanced Information Security Corporation]=-


Advisory for Apache Http Server 2.2.29 / 2.4.12  NULL Pointer Dereference

 Author: Nicholas Lemonias
 Advisory Date: 14/4/2015
 Email: lem.nikolas (at) gmail (dot) com

 Introduction
 ==========
 During a source-code audit of the Apache HTTPD 2.2.29 / 2.4.12 release
 implementation for linux; conducted internally by the Advanced
 Information Security
 Group, instances of insecure function use were observed, which could
 possibly lead to attacks.

 Software Overview
 ===============

 The Apache HTTP Server Project is an effort to develop and maintain an
 open-source HTTP server for modern operating systems including UNIX
 and Windows NT. The goal of this project is to provide a secure,
 efficient and extensible server that provides HTTP services in sync
 with the current HTTP standards.

 Apache httpd was launched in 1995, has been the most popular web
 server on the Internet since April 1996.

  Affected code
 ===============
 * protocol.c --- routines which directly communicate with the client.
 *
 * Code originally by Rob McCool; much redone by Robert S. Thau
 * and the Apache Software Foundation.


 PoC 1 - Code Snippet [CWE-476]
 ==============================
 (..\httpd-2.2.29\server\protocol.c:1286)
 (..\httpd-2.4.12\server\protocol.c:1286)

..

AP_CORE_DECLARE_NONSTD(apr_status_t) ap_content_length_filter(
    ap_filter_t *f,
    apr_bucket_brigade *b)
{
    request_rec *r = f->r;
    struct content_length_ctx *ctx;
    apr_bucket *e;
    int eos = 0;
    apr_read_type_e eblock = APR_NONBLOCK_READ;

    ctx = f->ctx;
    if (!ctx) {
        f->ctx = ctx = apr_palloc(r->pool, sizeof(*ctx));
        ctx->data_sent = 0;
    }

Description: Code at line 1286 is vulnerable to a Null Pointer
Dereference security issue,  where (request_rec *r = f->r;).  The
filter is used to compute the Content-Length, but it also computes the
number of bytes sent to the client.
.....................................................................................................
The filter will always run through all of the buckets in all brigades.
The (request_rec *r = f->r;) is user-controllable and can be set to
NULL using a supplied parameter. The issue stems from the lack of any
control metrics on the return value of (f) ~ line 1286 (to ensure that
is non-NULL.)


 [1] CWE Mitre. (2015) CWE - Null Pointer Dereference - 476  [Online]
 Available at: https://cwe.mitre.org/data/definitions/476.html
 [Last Accessed 14 April, 2015]