search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apache mod_isapi module library unload results in orphaned callback pointers

Vulnerability Note VU#280613

Original Release Date: 2010-03-11 | Last Revised: 2010-03-11

Overview

The Apache mod_isapi module can be forced to unload a specific library before the processing of a request is complete, resulting in memory corruption. This vulnerability may allow a remote attacker to execute arbitrary code.

Description

The Apache HTTP server running on Windows platforms contains a flaw in mod_isapi which could enable an attacker to unload ISAPI.dll before request processing is complete. An attacker can send a specially-crafted request and RESET packet to the server, resulting in ISAPI.dll being unloaded. Additional requests can result in memory corruption.

This vulnerability affects Apache httpd versions 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, and 2.0.37.

Impact

A remote, unauthenticated attacker may be able to cause a denial of service condition or execute arbitrary code on the system with the privileges of the Apache process. Because the Apache service typically runs with SYSTEM privileges on Windows platforms, an attacker may be able to gain complete control of the system.

Solution

Apply Patch
The Apache Software Foundation has released httpd 2.2.15 and 2.0.64-dev, which address this and other issues. Updates can be found on the Apache httpd website.

Vendor Information

280613
 
Affected   Unknown   Unaffected

Apache HTTP Server Project

Updated:  March 11, 2010

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Apache credits Brett Gervasoni of Sense of Security for reporting the issue.

This document was written by David Warren.

Other Information

CVE IDs: CVE-2010-0425
CERT Advisory: 03/08/2010
Date Public: 2010-03-02
Date First Published: 2010-03-11
Date Last Updated: 2010-03-11 16:56 UTC
Document Revision: 19

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.