Hello everyone.


I have seen similar posts to this suject on here lately, but i dont think this addon has been posted yet. If so, my apologies, let me know and i will remove this post.


I found this today on my "exploit" lists, marked as new

David Mirza Ahmad
Symantec

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
Sabbe Dhamma Anatta
["05.30.03.txt" (TEXT/plain)]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



iDEFENSE Security Advisory 05.30.03:

http://www.idefense.com/advisory/05.30.03.txt

Apache Portable Runtime Denial of Service and Arbitrary Code

Execution Vulnerability

May 30, 2003



I. BACKGROUND



The Apache Software Foundation's HTTP Server Project is an effort to

develop and maintain an open-source web server for modern OS'

including Unix and Microsoft Corp.'s Windows. More information is

available at http://httpd.apache.org/ .



The Apache Portable Runtime (APR) provides a free library of C data

structures and routines, forming a system portability layer to as

many OS' as possible. More information is available at

http://apr.apache.org/ .



mod_dav is an open-source Apache module that provides Distributed

Authoring and Versioning (DAV) capabilities to the Apache HTTP

Server. More information is available at

http://www.webdav.org/mod_dav/ .



II. DESCRIPTION



Passing an overly long string to the apr_psprintf() APR library

function that is used by the Apache HTTP Server could cause an

application to reference memory that should have already been

returned to the heap allocation pool. Arbitrary code execution

remains a possibility but has not been substantiated at the time of

publication of this report. Considering the strict conditions

necessary for successful code execution, it would be feasible but

difficult to develop an exploit capable of functioning outside of a

lab environment.



III. ANALYSIS



The remote denial of service aspect of this vulnerability can be

exploited if a remote attacker is able to pass large strings to the

vulnerable function, as is the case in the mod_dav attack vector,

where a specially crafted XML object request of approximately 12250

bytes crashed HTTP Server running on a non-Windows OS; approximately

20000 characters crashed it on a Windows OS.



IV. DETECTION



Applications that rely on older versions of APR are vulnerable. A

list of such projects is available at

http://apr.apache.org/projects.html#open_source . Both the Windows

and Unix implementations of Apache HTTP Server 2.0.37 through 2.0.45

inclusive are vulnerable.



V. WORKAROUND



The following patch should mitigate this vulnerability:



- - --- srclib/apr/memory/unix/apr_pools.c 7 Mar 2003 12:12:43 -0000

1.195

+++ srclib/apr/memory/unix/apr_pools.c 8 May 2003 20:11:14 -0000

@@ -976,7 +976,7 @@



if (ps->got_a_new_node) {

active->next = ps->free;

- - - ps->free = node;

+ ps->free = active;

}



ps->got_a_new_node = 1;





VI. VENDOR FIX



Apache HTTP Server 2.0.46, which contains updates for APR, can be

downloaded at http://httpd.apache.org/download.cgi .



VII. CVE INFORMATION



The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project

has assigned the identification number CAN-2003-0245 to this issue.



VIII. DISCLOSURE TIMELINE



03/19/2003 Issue disclosed to iDEFENSE

04/08/2003 iDEFENSE Labs initial research complete

04/09/2003 security@apache.org contacted

04/09/2003 Response from Lars Eilebrecht and Bill Rowe of Apache

04/11/2003 Response from Ian Holsman of Apache

05/08/2003 Response from Mark Cox of Apache

05/08/2003 Initial Research and patch Submitted to

iDEFENSE by Joe Orton of Apache

05/09/2003 Apache patch verified by iDEFENSE Labs

05/12/2003 vendor-sec list notified

05/26/2003 iDEFENSE clients notified

05/30/2003 Coordinated Public Disclosure





Get paid for security research

http://www.idefense.com/contributor.html



Subscribe to iDEFENSE Advisories:

send email to listserv@idefense.com, subject line: "subscribe"





About iDEFENSE:



iDEFENSE is a global security intelligence company that proactively

monitors sources throughout the world from technical

vulnerabilities and hacker profiling to the global spread of viruses

and other malicious code. Our security intelligence services provide

decision-makers, frontline security professionals and network

administrators with timely access to actionable intelligence

and decision support on cyber-related threats. For more information,

visit http://www.idefense.com .





-----BEGIN PGP SIGNATURE-----

Version: PGP 8.0



iQA/AwUBPtfBkvrkky7kqW5PEQLpoACfZbcO/qJ0WbCRGj/oKXFFImvgpTYAn0UB

OFmhMmVLLiDuaGPQtTcbGnJN

=Icpc

-----END PGP SIGNATURE-----
This was taken from HERE!

Get 2.0.46 ASAP.

Cheers.