Vigil@nce: Apache httpd, denial of service via mod_proxy_ftp
September 2009 by Vigil@nce
A malicious FTP server can stop the mod_proxy_ftp module of Apache
httpd.
– Severity: 2/4
– Consequences: denial of service
– Provenance: internet server
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 03/09/2009
IMPACTED PRODUCTS
– Apache httpd
DESCRIPTION OF THE VULNERABILITY
The Apache server contains a "mod_proxy_ftp" module which can be
used to manage FTP requests in proxy mode ("ProxyRequests On" in
the configuration file).
The PASV and EPSV (RFC 2428) commands ask the FTP server to
reserve a port to transfer data in passive mode. The server then
answers:
PASV : 227 Entering Passive Mode. IP1,IP2,IP3,IP4,port1,port2
EPSV : 229 Entering Extended Passive Mode (|||port|)
The proxy has to parse these lines in order to extract the port
number.
However, if the FTP server only returns the code 227 or 229 (not
followed by a space), the ap_proxy_ftp_handler() function of the
modules/proxy/[mod_]proxy_ftp.c file dereferences a NULL pointer.
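A defensive parser for the two replies described above, as an added example in C: it is not Apache's code and not part of the original advisory, and the function name ftp_passive_port and the sample replies are constructed for illustration. It rejects a reply that consists only of the code before any further parsing is attempted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Apache's code): return the data port announced in
 * a 227 (PASV) or 229 (EPSV) reply line, or -1 if the line is malformed. */
int ftp_passive_port(const char *reply)
{
    unsigned h1, h2, h3, h4, p1, p2;
    const char *p;
    char *end;
    unsigned long port;

    /* A bare "227" or "229" has no space and no text after the code:
     * refuse it here instead of handing an empty remainder to the parser. */
    if (reply == NULL || strlen(reply) < 4 || reply[3] != ' ')
        return -1;

    if (strncmp(reply, "227", 3) == 0) {
        /* Skip the free text up to the first digit of h1,h2,h3,h4,p1,p2. */
        p = reply + 4;
        p += strcspn(p, "0123456789");
        if (sscanf(p, "%u,%u,%u,%u,%u,%u", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
            return -1;
        if ((h1 | h2 | h3 | h4 | p1 | p2) > 255)  /* every field is one byte */
            return -1;
        port = p1 * 256UL + p2;
    } else if (strncmp(reply, "229", 3) == 0) {
        /* RFC 2428 form (|||port|), with '|' as the delimiter. */
        p = strstr(reply + 4, "(|||");
        if (p == NULL || p[4] < '0' || p[4] > '9')
            return -1;
        port = strtoul(p + 4, &end, 10);
        if (strncmp(end, "|)", 2) != 0 || port > 65535)
            return -1;
    } else {
        return -1;
    }
    return port == 0 ? -1 : (int)port;
}

int main(void)
{
    /* Constructed sample replies: two bare codes, then two well-formed lines. */
    const char *samples[] = {"227", "229",
        "227 Entering Passive Mode. 192,168,0,10,19,137",
        "229 Entering Extended Passive Mode (|||5001|)"};
    for (size_t i = 0; i < 4; i++)
        printf("%-48s -> %d\n", samples[i], ftp_passive_port(samples[i]));
    return 0;
}
```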
A malicious FTP server can therefore invite the victim to connect
(via an image on a web page for example), in order to stop the
mod_proxy_ftp module of Apache httpd.
CHARACTERISTICS
– Identifiers: BID-36260, VIGILANCE-VUL-8994
– Pointed by: VIGILANCE-VUL-9000
– Url: http://vigilance.fr/vulnerability/Apache-httpd-denial-of-service-via-mod-proxy-ftp-8994