Bug 73934 - httpd mod_ssl BufferOverflow
Summary: httpd mod_ssl BufferOverflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: apache
Version: 7.3
Hardware: noarch
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-09-13 14:47 UTC by Need Real Name
Modified: 2007-03-27 03:56 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-09-13 18:56:11 UTC
Embargoed:



Description Need Real Name 2002-09-13 18:56:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Description of problem:
I am using RedHat 7.3 with Apache 1.3.23. Someone used the program "bugtraq.c"
to explore a modSSL buffer overflow to get access to a shell. The attack
creates a file named "/tmp/.bugtraq.c" and compiles it using gcc. The program
is started with another computer's IP address as argument. All computer files
that the user "apache" can read are exposed.
The program attacks the following Linux distributions:

Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
SuSE: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
Mandrake: 1.3.14,1.3.19
Slackware: Apache 1.3.26

Regards
Fernando Nunes
Portugal



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Execute the program /tmp/.bugtraq or a simplified version of it.

Actual Results: The shell scripts included in the program are executed using
the owner of the http process in the target machine.

Additional info:

Comment 1 Mark J. Cox 2002-09-17 09:31:39 UTC
This vulnerability is in OpenSSL and was fixed by our update; see
http://rhn.redhat.com/errata/RHSA-2002-155.html and the replacement
http://rhn.redhat.com/errata/RHSA-2002-160.html
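
A triage check for the traces the report describes (the dropped `/tmp/.bugtraq.c`, the compiled `/tmp/.bugtraq`, and a process running as `apache` with an IP address argument), as an added example that is not part of the original bug thread. The function name `triage_host`, its parameters and the "user pid command args" listing layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added triage example; not code from the bug report or from Red Hat.
# It looks for the two kinds of trace the report describes:
#   1. the dropped source /tmp/.bugtraq.c and the binary built from it
#   2. a process owned by the web server user that runs from /tmp,
#      optionally with an IP address as its first argument
# The filesystem root and the process listing are parameters, so the check
# can run against a mounted disk image and a saved listing as well as a
# live host.

triage_host() {
    root=$1                # filesystem root to inspect ("" for the live host)
    ps_listing=$2          # file with "user pid command args" lines (assumed layout)
    web_user=${3:-apache}  # account the httpd workers run as
    findings=0

    for f in "$root/tmp/.bugtraq.c" "$root/tmp/.bugtraq"; do
        if [ -e "$f" ]; then
            echo "FILE $f"
            findings=$((findings + 1))
        fi
    done

    # httpd workers have no reason to execute anything that lives in /tmp.
    procs=$(awk -v u="$web_user" '
        $1 == u && $3 ~ /^\/tmp\// {
            note = ($4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ? (" ip-arg=" $4) : ""
            print "PROC pid=" $2 " cmd=" $3 note
        }' "$ps_listing")
    if [ -n "$procs" ]; then
        echo "$procs"
        findings=$((findings + $(printf '%s\n' "$procs" | wc -l)))
    fi

    echo "findings=$findings"
    [ "$findings" -eq 0 ]  # exit status is non-zero when anything was found
}
```

On a live host the listing can be produced with `ps -eo user,pid,args`; its header line does not match the web user and is ignored.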

