J-Security Center

Title: Apache Mod_Security Module Heap Corruption Vulnerability

Severity: HIGH

Description:

The Apache 2 mod_security module is designed to act as a web-based intrusion detection system. It is also designed to prevent certain types of attacks by handling and parsing data.

A vulnerability has been discovered in the mod_security module when handling specific data transmitted by the Apache server. The problem occurs within the sec_filter_out() function, located in the mod_security.c source file.

When this function is used to handle data transmitted from a server-side script, it incorrectly assumes that the data arrives broken into 4 or 8 kilobyte chunks. As a result, when the data's storage buffer needs to grow, the function simply reallocates it to twice its previous size. Because the data is not guaranteed to arrive in the expected chunk sizes, the amount copied into the buffer can be larger than the doubled size allows. When the data is finally copied, sensitive heap metadata such as malloc chunk pointers may be overwritten.
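The buffer-growth mistake described above, shown as an added illustration that is not the mod_security source: a hypothetical output buffer whose capacity is doubled once whenever more room is needed, beside a corrected version that grows until the data actually fits. The struct and function names, the 8 KB starting capacity and the 20000-byte script output are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct obuf { char *data; size_t len; size_t cap; };   /* hypothetical buffer */
/* Vulnerable pattern: capacity is doubled once, assuming each incoming piece is
 * at most one 4 or 8 KB chunk. Reports instead of copying: returns 1 when the
 * data would still exceed the doubled buffer and therefore corrupt the heap. */
int append_doubling_would_overflow(const struct obuf *b, size_t incoming) {
    size_t cap = b->cap;
    if (b->len + incoming > cap) cap *= 2;   /* one doubling, whatever the size */
    return b->len + incoming > cap;
}
/* Corrected pattern: grow until the buffer really holds len + n bytes, with
 * wrap-around checks on the arithmetic. Returns 0 on success, -1 on error. */
int append_safe(struct obuf *b, const char *src, size_t n) {
    if (n > SIZE_MAX - b->len) return -1;    /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t cap = b->cap ? b->cap : 4096;
        while (cap < need) cap = (cap > SIZE_MAX / 2) ? need : cap * 2;
        char *p = realloc(b->data, cap);
        if (!p) return -1;
        b->data = p;
        b->cap = cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    return 0;
}
/* Constructed case: a nearly full 8 KB buffer receives 20000 bytes of script
 * output, larger than any 4 or 8 KB chunk. Returns 1: the copy would overflow. */
int demo_vulnerable(void) {
    struct obuf v = { NULL, 8000, 8192 };
    return append_doubling_would_overflow(&v, 20000);
}

/* The same 20000-byte output appended twice through the corrected pattern.
 * Returns the length finally held (40000), or 0 on allocation failure. */
size_t demo_safe(void) {
    struct obuf s = { NULL, 0, 0 };
    char *src = malloc(20000);
    if (!src) return 0;
    memset(src, 'A', 20000);
    int rc = append_safe(&s, src, 20000);
    if (rc == 0) rc = append_safe(&s, src, 20000);
    size_t out = (rc == 0) ? s.len : 0;
    free(src);
    free(s.data);
    return out;
}
```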

An attacker could ultimately exploit this condition to execute arbitrary code with the privileges of the Apache server. It should be emphasized however, that an attacker would be required to carry this attack out locally or on a server that allows the uploading of malicious scripts (which may be possible via exploitation of other vulnerabilities). The vulnerability cannot be triggered by sending a request with excessive data to the affected module.

This issue is said to affect releases 1.7 and 1.7.1 of mod_security.

Affected Products:

  • mod_security 1.7.0
  • mod_security 1.7.1

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.