Apache logging vulnerability?

Printable View

October 4th, 2007, 03:38 PM
skiddieleet

Apache logging vulnerability?

Here's a little background. A long time ago I was going through my apache access_log and noticed a few entries where someone was trying to do some sort of exploit, and basically they were sending a ton of data in the GET request. That's normal and happens all the time. The weird thing was that at the end of the data I would see PHP code from my site. At the time I didn't know what to think of it, I just knew it wasn't good. Thinking about it now, it seems like it was most likely a heap overflow and the log buffer was overflowing into memory containing PHP code. When I first started this post I was thinking there may have been a way to replace the php code with your own, which is definitely not good and would allow you to do any number of things. Thinking about it now though, I'm thinking it's just code hanging around in memory from previous requests where the memory has been freed, but not overwritten. So when I started this post I was excited and thought it would be cool to try and replace the code, but now I'm not so sure that would do anything, but it still seems bad.

Anyways, I think this was apache 2.0.54 or 2.0.55, but I'm not sure. Is anyone running either of these with PHP? If so, can you check your logs and let me know if you see anything like this? I'd like to figure out which version it was and download it just to mess with it further. This was on a Linux machine, so I'm not sure the same thing would happen on a Windows machine. I'm running the 2.2 line now and I've never noticed anything like this. Thank you.
October 4th, 2007, 04:52 PM
SirDice

I do recall some issues with the logger some time ago.. I'll see if I can dig something up..

Damn.. That was quick.. This looks like a prime candidate...

http://www.securityfocus.com/bid/9930
October 4th, 2007, 06:35 PM
skiddieleet

I'm not sure if that's it or not. I was just thinking you could do something like:

Code:

GET /index.php?OVERFLOWOVERFLOWOVERFLOWOVERFLOWOVERFLOW<?php session_start(); $_SESSION['username']='admin';...

I wanted to try it out. Maybe I'll just randomly install Apache and try things until it works on a version. We'll see :). Thanks.
October 4th, 2007, 07:25 PM
nebulus200

Have you tried sending the data in your logs to your webserver to see what happens?
October 4th, 2007, 08:10 PM
skiddieleet

Nope. I don't have the data. I'll probably just try installing older versions of Apache and throwing long strings of data at it until I get results.
October 4th, 2007, 10:45 PM
nebulus200

Ahh you said:

Quote:

they were sending a ton of data in the GET request.

If that is the case then the data sent should be in the log file...or at least part of it...I'm assuming was maybe actually a POST (in which case it wouldn't)?
October 5th, 2007, 03:36 PM
skiddieleet

It was in my log file, but years ago. I've reinstalled the OS and installed different apache httpd versions since then. For some reason though, something recently made me think of it. I'm hoping it works on windows too because I just installed some new virtualization software that I can install the apache server into, test it, then completely wipe all traces of the installation with. Pretty cool software. Thanks.