It was reported [1] that an integer overflow was found in Apache in the ap_pregsub() function called from mod_setenvif. When a header field is mangled using SetEnvIf, the new environment variable data can be multiples of the size of the submitted header field. This would cause ap_pregsub() to overflow the length value in buffer size calculations, leading to the subsequent allocation call of a too-small buffer. Filling this buffer with user-supplied data will lead to a buffer overflow. Depending on the input data, this can lead to excessive allocation of server memory (resulting in killed processes due to out-of-memory conditions), invalid memory access when copying large amounts of data (which can lead to a termination of the httpd process), or possibly allowing the execution of arbitrary code. To trigger this flaw, mod_setenvif must be enabled (the default) and the attacker needs to be able to place a crafted .htaccess file on the server (which, in most cases, would require local access to the file system or some web interface that allows for writing arbitrary files to the local file system, such as for custom .htaccess files). There is currently no upstream fix; however, to work around the problem, disable mod_setenvif.

[1] http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
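To make the length arithmetic described above concrete, the following is an added illustration (neither Apache's code nor the upstream patch) of an ap_pregsub-style template expansion in which the per-backreference "len +=" accumulation is overflow-checked, so the allocation can never be smaller than the data later copied into it; the `$0`..`$9` backreference syntax, the 10-group limit and the function names are assumptions of this example.

```c
/* Simplified ap_pregsub-style expansion (added illustration, not Apache's code): "$0".."$9"
 * in tmpl are replaced by matched substrings; the length is summed first ("len +="), then a
 * buffer of that size is allocated and filled. Here the summation is overflow-checked. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Checked addition: 0 on success, -1 if the sum would wrap around. */
static int add_len(size_t *acc, size_t n)
{
    if (n > SIZE_MAX - *acc) return -1;
    *acc += n;
    return 0;
}

/* Expanded length of tmpl for group lengths mlen[0..nmatch-1]: returns 0 with *out set, or
 * -1 where an unchecked "len +=" would have wrapped and under-sized the allocation. */
int sub_len_checked(const char *tmpl, const size_t *mlen, int nmatch, size_t *out)
{
    size_t len = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            int no = *++p - '0';                           /* consume the digit */
            if (no < nmatch && add_len(&len, mlen[no]) != 0) return -1;
        } else if (add_len(&len, 1) != 0) return -1;        /* literal character */
    }
    *out = len;
    return 0;
}

/* Expand tmpl against src using group offsets start[]/end[] (up to 10 groups); caller frees.
 * Returns NULL when the length check fails, so no undersized buffer is ever written. */
char *sub_expand(const char *tmpl, const char *src, const size_t *start,
                 const size_t *end, int nmatch)
{
    size_t mlen[10], len;
    if (nmatch > 10) return NULL;
    for (int i = 0; i < nmatch; i++) mlen[i] = end[i] - start[i];
    if (sub_len_checked(tmpl, mlen, nmatch, &len) != 0 || len == SIZE_MAX) return NULL;
    char *out = malloc(len + 1), *d = out;
    if (!out) return NULL;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            int no = *++p - '0';
            if (no < nmatch) { memcpy(d, src + start[no], mlen[no]); d += mlen[no]; }
        } else *d++ = *p;
    }
    *d = '\0';
    return out;
}
```

The size computation is deliberately separate from the copy, so the wrap-around case can be exercised without ever attempting a huge allocation.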
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 750937]
MITRE has assigned an additional CVE to this issue (CVE-2011-4415); the descriptions of both CVEs are as follows:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3607 to the following vulnerability:

Name: CVE-2011-3607
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
Assigned: 20110921
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-11/0023.html
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/811422
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=750935
Reference: http://www.securityfocus.com/bid/50494
Reference: http://www.osvdb.org/76744
Reference: http://securitytracker.com/id?1026267
Reference: http://secunia.com/advisories/45793
Reference: http://xforce.iss.net/xforce/xfdb/71093

Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4415 to the following vulnerability:

Name: CVE-2011-4415
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
Assigned: 20111108
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
Reference: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/DemoExploit.html
Reference: http://www.gossamer-threads.com/lists/apache/dev/403775

The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
Upstream fix adding check for integer overflow:
http://svn.apache.org/viewvc?view=revision&revision=1198940

It does not add any protection against memory consumption / CVE-2011-4415 issue.
(In reply to comment #4)
> Upstream fix adding check for integer overflow:
> http://svn.apache.org/viewvc?view=revision&revision=1198940

This fix is only for trunk and is not applicable to 2.2.x and older httpd versions without further changes. It's currently unclear if the fix is going to be backported to older httpd branches:
http://thread.gmane.org/gmane.comp.apache.devel/46260

> It does not add any protection against memory consumption / CVE-2011-4415
> issue.

Upstream discussion on whether resource consumption issues triggered by bad .htaccess configuration should (or can) be handled as security or not:
http://thread.gmane.org/gmane.comp.apache.devel/46339
(In reply to comment #6)
> > It does not add any protection against memory consumption / CVE-2011-4415
> > issue.
>
> Upstream discussion on whether resource consumption issues triggered by bad
> .htaccess configuration should (or can) be handled as security or not:
> http://thread.gmane.org/gmane.comp.apache.devel/46339

Upstream consensus is that any resource consumption issues triggered by bad .htaccess configuration are not considered security:
http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46768
CVE-2011-3607 was split to a separate bug #769844.
The upstream security team does not consider this to be a flaw:
http://thread.gmane.org/gmane.comp.apache.devel/46339/focus=46783

Statement:

The ASF Security Team does not consider resource exhaustion caused by .htaccess files to be a security defect. The Red Hat Security Response Team agrees with their assessment and so does not consider this to be a security flaw.