Bug 750935 (CVE-2011-4415) - CVE-2011-4415 httpd: SetEnvIf resource exhaustion
Summary: CVE-2011-4415 httpd: SetEnvIf resource exhaustion
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2011-4415
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20111102,reported=2...
Depends On:
Blocks: 750936
TreeView+ depends on / blocked
 
Reported: 2011-11-02 21:14 UTC by Vincent Danen
Modified: 2019-06-08 18:57 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-22 14:44:09 UTC


Attachments (Terms of Use)

Description Vincent Danen 2011-11-02 21:14:55 UTC
It was reported [1] that an integer overflow was found in Apache in the ap_pregsub() function called from mod-setenvif.  When a header field is mangled using SetEnvIf, the new environment variable data can be multiples of the size of the submitted header field.  This would cause ap_pregsub() to overflow the length value in buffer size calculations, leading to the subsequent allocation call of a too-small buffer.  Filling this buffer with user-supplied data will lead to a buffer overflow.

Depending on the input data, this can lead to excessive allocation of server memory (resulting in killed processes due to out-of-memory conditions), invalid memory access when copying large amounts of data (which can lead to a termination of the httpd process), or possibly allowing the execution of arbitrary code.

To trigger this flaw, mod_setenvif must be enabled (the default) and the attacker needs to be able to place a crafted .htaccess file on the server (which, in most cases, would require local access to the file system or some web interface that allows for writing arbitrary files to the local file system, such as for custom .htaccess files).

There is currently no upstream fix, however to work around the problem, disable mod_setenvif.

[1] http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Comment 1 Vincent Danen 2011-11-02 21:19:47 UTC
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 750937]

Comment 3 Vincent Danen 2011-11-08 15:24:19 UTC
MITRE has assigned an additional CVE to this issue (CVE-2011-4415), the description of both CVEs are as follows:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3607 to
the following vulnerability:

Name: CVE-2011-3607
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
Assigned: 20110921
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-11/0023.html
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=750935
Reference: http://www.securityfocus.com/bid/50494
Reference: http://www.osvdb.org/76744
Reference: http://securitytracker.com/id?1026267
Reference: http://secunia.com/advisories/45793
Reference: http://xforce.iss.net/xforce/xfdb/71093

Integer overflow in the ap_pregsub function in server/util.c in the
Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when
the mod_setenvif module is enabled, allows local users to gain
privileges via a .htaccess file with a crafted SetEnvIf directive, in
conjunction with a crafted HTTP request header, leading to a
heap-based buffer overflow.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4415 to
the following vulnerability:

Name: CVE-2011-4415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
Assigned: 20111108
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: http://www.gossamer-threads.com/lists/apache/dev/403775

The ap_pregsub function in server/util.c in the Apache HTTP Server
2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif
module is enabled, does not restrict the size of values of environment
variables, which allows local users to cause a denial of service
(memory consumption or NULL pointer dereference) via a .htaccess file
with a crafted SetEnvIf directive, in conjunction with a crafted HTTP
request header, related to (1) the "len +=" statement and (2) the
apr_pcalloc function call, a different vulnerability than
CVE-2011-3607.

Comment 4 Tomas Hoger 2011-11-08 15:33:00 UTC
Upstream fix adding check for integer overflow:
  http://svn.apache.org/viewvc?view=revision&revision=1198940

It does not add any protection against memory consumption / CVE-2011-4415 issue.

Comment 6 Tomas Hoger 2011-12-01 13:25:36 UTC
(In reply to comment #4)
> Upstream fix adding check for integer overflow:
>   http://svn.apache.org/viewvc?view=revision&revision=1198940

This fix is only for trunk and is not applicable to 2.2.x and older httpd versions without further changes.  It's currently unclear if the fix is going to be backported to older httpd branches:
  http://thread.gmane.org/gmane.comp.apache.devel/46260

> It does not add any protection against memory consumption / CVE-2011-4415
> issue.

Upstream discussion on whether resource consumption issues triggered by bad .htaccess configuration should (or can) be handled as security or not:
  http://thread.gmane.org/gmane.comp.apache.devel/46339

Comment 7 Tomas Hoger 2011-12-21 12:53:26 UTC
(In reply to comment #6)
> > It does not add any protection against memory consumption / CVE-2011-4415
> > issue.
> 
> Upstream discussion on whether resource consumption issues triggered by bad
> .htaccess configuration should (or can) be handled as security or not:
>   http://thread.gmane.org/gmane.comp.apache.devel/46339

Upstream consensus is that any resource consumption issues triggered by bad .htaccess configuration are not considered security:
  http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768

Comment 9 Tomas Hoger 2012-01-12 10:32:50 UTC
CVE-2011-3607 was split to a separate bug #769844.

Comment 18 Vincent Danen 2012-01-27 20:43:19 UTC
The upstream security team does not consider this to be a flaw:

http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46783

Statement:

The ASF Security Team does not consider resource exhaustion caused by .htaccess files to be a security defect.  The Red Hat Security Response Team agrees with their assessment and so does not consider this to be a security flaw.


Note You need to log in before you can comment on or make changes to this bug.