Vigil@nce: Apache httpd 1.3, integer overflow of mod_proxy
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
On a 64 bit processor, an attacker can generate an overflow in
mod_proxy, in order to generate a denial of service, and
eventually to execute code.
Severity: 2/4
Consequences: user access/rights, denial of service of service
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 27/01/2010
IMPACTED PRODUCTS
– Apache httpd
DESCRIPTION OF THE VULNERABILITY
The mod_proxy module can be enabled on Apache httpd 1.3, in order
to proxy web data.
On a 64 bit processor (such as amd64), an integer (int) is stored
on 4 bytes, and a long on 8 bytes, whereas on a 32 bit processor,
they are both stored on 4 bytes.
The ap_proxy_send_fb() function of the modules/proxy/proxy_util.c
file converts ("cast") a long to an int. However, if mod_proxy
receives a chunk fragment with a long size, this conversion
generates a memory corruption.
On a 64 bit processor, an attacker can therefore generate an
overflow in mod_proxy, in order to generate a denial of service,
and eventually to execute code.
CHARACTERISTICS
Identifiers: BID-37966, CVE-2010-0010, VIGILANCE-VUL-9383
http://vigilance.fr/vulnerability/Apache-httpd-1-3-integer-overflow-of-mod-proxy-9383