Advisory Text :  

Folks,

Following information/research provided by Alexander Klink, a new

release is out, fixing a low priority security issue as detailed
below.
The release is on the primary Apache-SSL ftp server and should
hit the
mirrors over the next few hours, according to their schedules.

See http://www.apache-ssl.org for mirrors.

Advisory follows:

============================================
||| Security Advisory AKLINK-SA-2008-005 |||
||| CVE-2008-0555 (CVE candidate) |||
============================================

Apache-SSL memory disclosure
============================

Date released: 02.04.2008
Date reported: 17.01.2008
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink (at) cynops (dot) de [email concealed]
https://www.cynops.de/advisories/CVE-2008-0555.txt
(S/MIME signed:
https://www.cynops.de/advisories/CVE-2008-0555-signed.txt)

https://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0555

Vendor: Adam & Ben Laurie
Product: Apache-SSL
Website: http://www.apache-ssl.org
Vulnerability: memory disclosure, potential privilege escalation
in web
applications
Class: remote
Status: patched
Severity: low
Releases known to be affected: apache_1.3.34+ssl_1.57
Releases known NOT to be affected: apache_1.3.41+ssl_1.59

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
Background:

Apache-SSL is a secure Webserver, based on Apache and
SSLeay/OpenSSL.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
Overview:

Apache-SSL provides environment variables that are filled with
(client) certificate data. If the subject of a client
certificate
contains special characters, parts of these variables can be
overwritten
or be filled with other parts of memory.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
Technical details:

The certificate DN as returned by the OpenSSL X509_NAME_online
is
passed into the following function:

static void ExpandCert(pool *p,table *pEnv,char *szPrefix, char
*szDN,
char *szCert)
{
char buf[HUGE_STRING_LEN];
char *s,*t;
/* Expand a X509_oneline entry into it's base components and
register
them as environment variables. Needed if you want to pass

certificate
information to CGI's. The naming convention SHOULD be
fairly
compatible
with CGI's written for stronghold's certificate info - Q
*/
/* FIXME - strtok() and strcspn() may cause problems on some

systems - Q */

ap_table_setn(pEnv,szDN,ap_pstrdup(p,szCert));

ap_cpystrn(buf,szCert,sizeof buf);
for(s=strtok(buf,"/") ; s != NULL ;
s=strtok(NULL,"/"))
{
int n=strcspn(s,"=");
s[n]='�';
StrUpper(s);
t=ap_pstrcat(p,szPrefix,s,NULL);
ap_table_setn(pEnv,t,ap_pstrdup(p,s+n+1));
}
}

The function assumes that the relative distinguished name does
not
contain a '/'. If a / is contained in for example the common
name,
strcspn(s,"=") returns the size of s, so s+n+1 points
beyond the
current token.
Furthermore, environment variables can be overwritten by
including '/'
and '='. For example, to overwrite the OPENSSL_S_CLIENT_DN_OU
variable,
one could use a certificate with a CN of "/OU=Fake
OU".
If an application relies on this information to distinguish
certificates
into different authorization classes, it can be fooled this way.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
Communication:

* 17.01.2008: Reported the bug to Ben Laurie
* 17.01.2008: Ben replies and acknowledges the bug
* 01.02.2008: Checking back with Ben on the status
* 01.02.2008: Ben replies that he'll be looking into a patch over
the
weekend
* 06.02.2008: Ben sends patch and asks for help with testing it
* 07.02.2008: Reply with test results (still a small problem
unrelated to
the original issue)
* 09.02.2008: Ben sends updated patch
* 11.02.2008: Told Ben that patch works fine
* 18.02.2008: Requested update
* 18.02.2008: Ben replies that he'll deal with it in the next
week or so
* 27.02.2008: Requested update
* 27.02.2008: Patch for Apache 1.3.41 is ready, but release is
normally
managed by Adam Laurie, who is on holiday till
March, 11th
* 28.02.2008: Agreed to wait for Adam to return
* 12.03.2008: Ben informs Adam of the new release
* 25.03.2008: Requested update
* 25.03.2008: Ben replies, they are waiting for an updated
advisory from me
* 25.03.2008: Sent out updated advisory
* 27.03.2008: Adam says sorry for the delays and that he will try
to work
on this while he is at "a conference in
Amsterdam"
* 01.04.2008: Coordination with Adam and Ben on a release

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
Solution:

Upgrade to apache_1.3.41+ssl_1.59.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++
Credits:

- Alexander Klink, Cynops GmbH (discovery)

cheers,
Adam
--
Adam Laurie Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899
Ash Radar Station
Marshborough Road
Sandwich mailto:adam (at) algroup.co
(dot) uk [email concealed]
Kent
CT13 0PL
UNITED KINGDOM PGP key on keyservers