Folks,
Following information/research provided by Alexander Klink, a new
release is out, fixing a low priority security issue as detailed below.
The release is on the primary Apache-SSL ftp server and should hit the
mirrors over the next few hours, according to their schedules.
See http://www.apache-ssl.org for mirrors.
Advisory follows:
Date released: 02.04.2008
Date reported: 17.01.2008
$Revision: 1.1 $
by Alexander Klink
Cynops GmbH
[email protected]
https://www.cynops.de/advisories/CVE-2008-0555.txt
(S/MIME signed:
https://www.cynops.de/advisories/CVE-2008-0555-signed.txt)
https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555
Vendor: Adam & Ben Laurie
Product: Apache-SSL
Website: http://www.apache-ssl.org
Vulnerability: memory disclosure, potential privilege escalation in web
applications
Class: remote
Status: patched
Severity: low
Releases known to be affected: apache_1.3.34+ssl_1.57
Releases known NOT to be affected: apache_1.3.41+ssl_1.59
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Background:
Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:
Apache-SSL provides environment variables that are filled with
(client) certificate data. If the subject of a client certificate
contains special characters, parts of these variables can be overwritten
or be filled with other parts of memory.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:
The certificate DN as returned by the OpenSSL X509_NAME_online is
passed into the following function:
static void ExpandCert(pool *p,table *pEnv,char *szPrefix, char *szDN,
char *szCert)
{
char buf[HUGE_STRING_LEN];
char *s,t;
/ Expand a X509_oneline entry into it's base components and register
them as environment variables. Needed if you want to pass
certificate
information to CGI's. The naming convention SHOULD be fairly
compatible
with CGI's written for stronghold's certificate info - Q /
/ FIXME - strtok() and strcspn() may cause problems on some
systems - Q */
ap_table_setn(pEnv,szDN,ap_pstrdup(p,szCert));
ap_cpystrn(buf,szCert,sizeof buf);
for(s=strtok(buf,"/") ; s != NULL ; s=strtok(NULL,"/"))
{
int n=strcspn(s,"=");
s[n]='\0';
StrUpper(s);
t=ap_pstrcat(p,szPrefix,s,NULL);
ap_table_setn(pEnv,t,ap_pstrdup(p,s+n+1));
}
}
The function assumes that the relative distinguished name does not
contain a '/'. If a / is contained in for example the common name,
strcspn(s,"=") returns the size of s, so s+n+1 points beyond the
current token.
Furthermore, environment variables can be overwritten by including '/'
and '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU variable,
one could use a certificate with a CN of "/OU=Fake OU".
If an application relies on this information to distinguish certificates
into different authorization classes, it can be fooled this way.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:
Upgrade to apache_1.3.41+ssl_1.59.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:
Adam Laurie Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899
Ash Radar Station
Marshborough Road
Sandwich mailto:[email protected]
Kent
CT13 0PL
UNITED KINGDOM PGP key on keyservers