FreeBSD : apache -- mod_rewrite buffer overflow vulnerability (dc8c08c7-1e7c-11db-88cf-000c6ec775d9)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The Apache Software Foundation and The Apache HTTP Server Project
report:

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as
shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since
2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this
software defect may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration
files, could be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of web server
processes) or potentially allow arbitrary code execution. This issue
has been rated as having important security impact by the Apache HTTP
Server Security Team.

This flaw does not affect a default installation of Apache HTTP
Server. Users who do not use, or have not enabled, the Rewrite module
mod_rewrite are not affected by this issue. This issue only affects
installations using a Rewrite rule with the following characteristics:

- The RewriteRule allows the attacker to control the initial part of
the rewritten URL (for example if the substitution URL starts with $1)

- The RewriteRule flags do NOT include any of the following flags:
Forbidden (F), Gone (G), or NoEscape (NE).

Please note that the ability to exploit this issue is dependent on the
stack layout for a particular compiled version of mod_rewrite. If the
compiler used to compile Apache HTTP Server has added padding to the
stack immediately after the buffer being overwritten, it will not be
possible to exploit this issue, and Apache HTTP Server will continue
operating normally.

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs
for the responsible reporting of this vulnerability.
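
To find rules that meet both characteristics listed in the advisory, a configuration review can be scripted. The following is an added example, not part of the advisory or of the Nessus plugin: it treats a substitution that begins with a `$N` backreference as attacker-controlled (the one case the advisory names), and the function names and sample rules are constructed for illustration.

```python
import re

# Flags that, per the advisory, take a rule out of scope (short and long forms).
EXEMPT_FLAGS = {"f", "forbidden", "g", "gone", "ne", "noescape"}
# An argument is either a double-quoted string or a run of non-space characters.
ARGUMENT = re.compile(r'"(?:\\.|[^"\\])*"|\S+')

def unquote(token):
    """Drop one pair of surrounding double quotes, if present."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token

def parse_flags(token):
    """Return lower-cased flag names from a '[R=301,L]' style argument."""
    items = token.strip("[]").split(",")
    return {i.split("=", 1)[0].strip().lower() for i in items} - {""}

def rules_matching_advisory(config_text):
    """Return (line_number, line) for each RewriteRule meeting both conditions."""
    hits = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args = [unquote(a) for a in ARGUMENT.findall(line)]
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        substitution = args[2]
        flags = parse_flags(args[3]) if len(args) > 3 else set()
        # Condition 1: substitution starts with a backreference such as $1.
        # Condition 2: none of F, G or NE is set.
        if re.match(r"\$\d", substitution) and not (flags & EXEMPT_FLAGS):
            hits.append((number, line))
    return hits

# Constructed sample configuration, not taken from any real host.
SAMPLE = "\n".join([
    "RewriteEngine On",
    "# constructed sample rules",
    "RewriteRule ^/proxy/(.*)$ $1 [L]",
    "RewriteRule ^/go/(.*)$ $1 [NE,L]",
    "RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]",
    "RewriteRule ^/x/(.*)$ $1",
    "RewriteRule ^/gone/(.*)$ $1 [G]",
])

if __name__ == "__main__":
    for number, line in rules_matching_advisory(SAMPLE):
        print(f"line {number}: {line}")
```

A hit means only that the rule has the shape the advisory describes; whether the host is affected still depends on the installed version and on how that build was compiled.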

See also :

http://marc.info/?l=apache-httpd-announce&m=115409818602955
http://www.nessus.org/u?e72d2d5e

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 22118 (freebsd_pkg_dc8c08c71e7c11db88cf000c6ec775d9.nasl)

CVE ID: CVE-2006-3747
