FreeBSD : apache -- mod_rewrite buffer overflow vulnerability (dc8c08c7-1e7c-11db-88cf-000c6ec775d9)

High Nessus Plugin ID 22118

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 4.9

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The Apache Software Foundation and The Apache HTTP Server Project reports :

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics :

- The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)

- The RewriteRule flags do NOT include any of the following flags:
Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.

Solution

Update the affected packages.

See Also

https://marc.info/?l=apache-httpd-announce&m=115409818602955

http://www.nessus.org/u?3cac6d85

Plugin Details

Severity: High

ID: 22118

File Name: freebsd_pkg_dc8c08c71e7c11db88cf000c6ec775d9.nasl

Version: 1.18

Type: local

Published: 2006/07/29

Updated: 2019/08/02

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 4.9

CVSS v2.0

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:apache, p-cpe:/a:freebsd:freebsd:apache+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_perl, p-cpe:/a:freebsd:freebsd:apache+mod_ssl, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_accel+mod_deflate+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_deflate+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate, p-cpe:/a:freebsd:freebsd:apache+mod_ssl+mod_snmp+mod_deflate+ipv6, p-cpe:/a:freebsd:freebsd:apache+ssl, p-cpe:/a:freebsd:freebsd:apache_fp, p-cpe:/a:freebsd:freebsd:ru-apache, p-cpe:/a:freebsd:freebsd:ru-apache+mod_ssl, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2006/07/28

Vulnerability Publication Date: 2006/07/27

Exploitable With

Core Impact

Metasploit (Apache Module mod_rewrite LDAP Protocol Buffer Overflow)

Reference Information

CVE: CVE-2006-3747

CERT: 395412

CWE: 189