oss-sec mailing list archives
Re: Apache mod_dav off-by-one
From: John Helmert III <ajak () gentoo org>
Date: Wed, 10 Aug 2022 13:34:34 -0500
On Tue, Aug 09, 2022 at 02:50:34PM +0300, Evgeny Legerov wrote:
Hi, How it happens that Apache process_if_header off-by-one, which has been mentioned in The Art of Software Security Assessment (page 420), still remains unpatched? What am I missing?
Has anyone reported it upstream? Has anyone requested a CVE (seems unlikely, given the last CVE for mod_dav is one from 2013)? Upstreams don't magically know about security issues, they need to be reported to the upstream one way or another.
The code from Apache 2.4.54:
static dav_error * dav_process_if_header(request_rec *r, dav_if_header
**p_ih)
{
...
while (*list) {
/* List is the entire production (in a uri scope) */
switch (*list) {
...
case 'N':
if (list[1] == 'o' && list[2] == 't') {
if (condition != DAV_IF_COND_NORMAL) {
return dav_new_error(r->pool, HTTP_BAD_REQUEST,
DAV_ERR_IF_MULTIPLE_NOT, 0,
"Invalid \"If:\" header: "
"Multiple \"not\"
entries "
"for the same state.");
}
condition = DAV_IF_COND_NOT;
}
list += 2;
break;
It is not only out of bounds read, dav_fetch_next_token() will write
NULL byte on next iteration.
So we can be more descriptive than calling the vulnerability an "off-by-one". It's more of an OOB read/write. And if NULL is the only thing that can be written, it seems likely that the only impact is a DoS, if that.
regards, -e
Attachment:
signature.asc
Description:
Current thread:
- Apache mod_dav off-by-one Evgeny Legerov (Aug 09)
- Re: Apache mod_dav off-by-one John Helmert III (Aug 10)
