search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Some implementations of mod_dav contain a format string vulnerability in "ap_log_rerror()" function

Vulnerability Note VU#849993

Original Release Date: 2003-02-18 | Last Revised: 2003-07-24

Overview

A vulnerability in some implementations of mod_dav may permit a remote attacker to gain unauthorized access to a web server running mod_dav.

Description

mod_dav is a module designed to provide DAV capabilities for a web server. A format string vulnerability in some implementations may permit a remote attacker to gain unauthorized access to a web server running mod_dav.

Here is a brief primer for those unfamiliar with format string vulnerabilities:

A format string vulnerability occurs when a call to a function in the printf family is made with a format string under the control of an attacker. The most basic case arises when a programmer uses printf as follows:

printf(s);

where s comes from the attacker's input. There are a variety of attacks based on this flaw, many of which can lead to the ability to execute code with the privileges of the vulnerable program. Most of the attacks leverage the %n conversion character, which has the somewhat unusual effect of writing to memory, as opposed to most conversion characters which only read from memory. If the attacker can cause the above printf statement to be issued as follows (by providing %n as input):

printf("%n");

he can write to the stack, and by carefully choosing his input he can control what gets written, and where it goes.

David Litchfield found some problems in Oracle's 9iAS/9.0.2 implementation of mod_dav. Examination of Greg Stein's open source mod_dav (often used by Apache installations) suggested the problem may be broader than just Oracle's implementation. The following code is from the function dav_lookup_uri in the module dav_util:

if (strcasecmp(comp.scheme, scheme) != 0 ||
       comp.port != port) {
       result.err.status =
HTTP_BAD_GATEWAY;
       
result.err.desc = ap_psprintf(r->pool,
                                     "Destination URI refers to different "
                                     "scheme or port (%s://hostname:%d)\"
                                     "(want: %s://hostname:%d)",
                                     
comp.scheme ? comp.scheme : scheme,
                                     comp.port ? comp.port : port,
                                     scheme, port);


You can see that in at least one case, result.err.desc gets filled in with values under the control of the caller. Specifically, comp.scheme, comp.port, scheme, and port, can be influenced by an intruder. The result variable is returned to the function dav_method_copymove in the module mod_dav as "lookup":

lookup = dav_lookup_uri(dest, r);
   if (lookup.rnew == NULL) {
2:       if (
lookup.err.status == HTTP_BAD_REQUEST) {
           /* This supplies additional information for the default message. */
           ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
1:                          
lookup.err.desc);
           return
HTTP_BAD_REQUEST;
       }


You can see that on the line labeled "1:" if lookup.err.desc could be influenced by an intruder, a format string vulnerability would exist. However, that section of code only gets executed if lookup.err.status is HTTP_BAD_REQUEST and the dav_lookup_uri function sets err.status to be HTTP_BAD_GATEWAY, so this code doesn't get executed.

Based on these observations, we concluded that a format string vulnerability does not exist in the open source mod_dav. However, we believe that it would be more "correct" to include an explicit format string specifier in all calls to ap_log_error (and indeed any functions that ultimately use the printf family or other var_args-like functions). We recommended to Greg Stein that this change be made, though we see no immediate security concern -- just a future problem waiting to happen. Oracle is vulnerable because they allow the user to gain control of the format string through a minor change to their implementation of the mod_dav routines. Other vendors may have made similar changes.

Based on our recommendations, Greg Stein made the following change to revision 1.91 of mod_dav.c:

Code a bit more defensively. If dav_lookup_uri() ever placed user input into lookup.err.desc for the HTTP_BAD_REQUEST case, then we could have problems (via a format string attack). This change frees us from *future* worries.

Until you apply a patch from Oracle, you may consider disabling mod_dav functionality on Oracle 9iAS/9.0.2. If you are making use of another implementation of mod_dav, you may wish to make the changes to the source yourself. Here is an example:
-    ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
+    ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r, "%s",

Impact

A remote attacker may be able to gain privileged access to a web server running mod_dav.

Solution

Apply a vendor patch.

You may wish to disable mod_dav until a patch can be applied.

Vendor Information

849993
Expand all

Oracle Corporation

Updated:  February 14, 2003

Status

  Vulnerable

Vendor Statement

See http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Notified:  September 25, 2002 Updated:  July 24, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. does not distribute Apache with any of its operating systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  September 25, 2002 Updated:  September 27, 2002

Status

  Not Vulnerable

Vendor Statement

IBM is not vulnerable to the above mentioned issues with the Apache "mod_dav" module. While we do provide Open Source packeges through the AIX Linux Toolbox, "mod_dav" is not one of them.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Updated:  November 06, 2002

Status

  Not Vulnerable

Vendor Statement

We've reviewed this and are not vulnerable as we are not using mod_dav.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  September 25, 2002 Updated:  September 26, 2002

Status

  Not Vulnerable

Vendor Statement

We do not include apache 2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  September 25, 2002 Updated:  November 06, 2002

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  September 25, 2002 Updated:  February 18, 2003

Status

  Not Vulnerable

Vendor Statement

Red Hat products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Xerox Corporation

Notified:  September 25, 2002 Updated:  May 30, 2003

Status

  Not Vulnerable

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to the new HP's released Operating System software products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lachman

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multinet

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO UnixWare)

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisphere Networks

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex

Notified:  September 25, 2002 Updated:  September 25, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was discovered by David Litchfield of Next Generation Security Software Ltd . The CERT/CC thanks both Next Generation Security Software Ltd and Oracle for providing information upon which this document is based.

This document was written by Ian A Finlay and Shawn V. Hernan.

Other Information

CVE IDs: CVE-2002-0842
Severity Metric: 28.13
Date Public: 2003-02-11
Date First Published: 2003-02-18
Date Last Updated: 2003-07-24 12:42 UTC
Document Revision: 36

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.