Freely subscribe to our NEWSLETTER

– Severity: 2/4
– Consequences: denial of service of service
– Provenance: internet server
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 03/09/2009

IMPACTED PRODUCTS

– Apache httpd

DESCRIPTION OF THE VULNERABILITY

The Apache server contains a "mod_proxy_ftp" module which can be
used to manage FTP requests in proxy mode ("ProxyRequests On" in
the configuration file).

The PASV and EPSV (RFC 2428) commands ask the FTP server the
reserve a port to transfer data in passive mode. The server then
answers:
PASV : 227 Entering Passive Mode. IP1,IP2,IP3,IP4,port1,port2
EPSV : 229 Entering Extended Passive Mode (|||port|)
The proxy has to parse these lines in order to extract the port
number.

However, if the FTP server only returns the code 227 or 229 (not
followed by a space), the ap_proxy_ftp_handler() function of the
modules/proxy/[mod_]proxy_ftp.c file dereferences a NULL pointer.

A malicious FTP server can therefore invite the victim to connect
(via an image on a web page for example), in order to stop the
mod_proxy_ftp module of Apache httpd.

CHARACTERISTICS

– Identifiers: BID-36260, VIGILANCE-VUL-8994
Pointed by: VIGILANCE-VUL-9000
– Url: http://vigilance.fr/vulnerability/Apache-httpd-denial-of-service-via-mod-proxy-ftp-8994