Overflow in one of Apache 1.1.1 (maybe later too)'s modules

Matt Conover (shok@COBRA.ONLINEX.NET)
Thu, 04 Sep 1997 22:05:13 -0600

Hello (sorry if this gets long or if it's known but I don't think it is):

Well this is an obvious overflow in one of apache's modules; it is
remote too.....however, luckily for the web admins it's not installed
by default. The problem is in mod_auth_anon.c in the function
anon_authenticate_basic_user(). It contains the following lines:

    char errstr[MAX_STRING_LEN];
    [...]
    if (sec->auth_anon_logemail) {
        sprintf(errstr,"Anonymous: Passwd <%s> Accepted",
                send_pw ? send_pw : "\'none\'");
        [...]
    } else {
        if (sec->auth_anon_authorative) {
            sprintf(errstr,"Anonymous: Authorative, Passwd <%s> not accepted",
                    send_pw ? send_pw : "\'none\'");
            [...]

Now as you can see this is easy to exploit. It simply compiles the string
(password) into the buffer without any bounds checking. Whether you enter
a valid password (it expects an email address) or an invalid one it can
still be overflowed. But as you can see they need to log the email address...
here is what is needed:

1.) mod_auth_anon installed
2.) "Anonymous_LogEmail on" in access.conf
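For comparison, here is how the two sprintf() calls above look when written
with a bounded formatter and an explicit truncation check. This is an added
example, not Apache's code; the function names and the small stand-in value
of MAX_STRING_LEN are assumptions made so the overlong-password case can be
exercised offline.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for Apache's MAX_STRING_LEN (the real value lives in httpd.h).
 * Deliberately small here so an overlong password is easy to construct. */
#define MAX_STRING_LEN 64

/* Bounded replacement for the two sprintf() calls quoted above.
 * Formats the log line into dst (dstlen bytes) with snprintf(), which never
 * writes past the buffer and always NUL-terminates. Returns 0 if the full
 * message fit, 1 if it was truncated, -1 on a bad argument or format error.
 * The message text mirrors the original; the function name is assumed. */
int format_anon_log(char *dst, size_t dstlen, const char *send_pw, int accepted)
{
    const char *pw = send_pw ? send_pw : "'none'";
    const char *fmt = accepted
        ? "Anonymous: Passwd <%s> Accepted"
        : "Anonymous: Authorative, Passwd <%s> not accepted";
    int n;

    if (dst == NULL || dstlen == 0)
        return -1;

    /* snprintf() returns the length the untruncated string would have had;
     * comparing that against dstlen is the truncation check sprintf() lacks. */
    n = snprintf(dst, dstlen, fmt, pw);
    if (n < 0)
        return -1;
    return (size_t)n >= dstlen ? 1 : 0;
}

/* Runs the bounded formatter on a normal password and on a constructed
 * password three times longer than the buffer. Returns how many of the two
 * calls reported truncation (expected: exactly the overlong one). */
int demo_anon_log(void)
{
    char errstr[MAX_STRING_LEN];
    char longpw[3 * MAX_STRING_LEN];   /* constructed overlong "email" */
    int truncated = 0;

    memset(longpw, 'A', sizeof longpw - 1);
    longpw[sizeof longpw - 1] = '\0';

    truncated += format_anon_log(errstr, sizeof errstr, "user@example.org", 1);
    printf("%s\n", errstr);
    truncated += format_anon_log(errstr, sizeof errstr, longpw, 0);
    printf("%s\n", errstr);   /* cut at MAX_STRING_LEN-1 chars, still terminated */
    return truncated;
}
```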

A quote from www.apache/docs in the apache modules, mod_auth_anon:
This module is contained in the mod_auth_anon.c file and is not
compiled in by default. It is only available in Apache 1.1 and later.
It allows "anonymous" user access to authenticated areas.

So if they use the same code or no bounds checking, this will be
exploitable in Apache 1.1.1 and greater. This may in fact have been fixed in
the later versions; I only have the source to 1.1.1, and I will check the
later versions later...maybe someone else would like to check (?)

Also I may have missed or left something out.......this is completely
based on the code itself....I have never used mod_auth_anon so I might be
missing something...but the apache docs say it works ftp style, meaning
you enter your email address as the password...but if you do
AVERYLONGSTRINGANDTHEYHAVEAUTHEMAILLOGONTHISWILLOVERFLOW@LBHALBHALBHA.....
and do that to a size greater than MAX_STRING_LEN it would overflow. (Feel
free to make any corrections; I admit I didn't look into this for too
long.)
Thanks,
[Matt Conover]
Shok (shok@onlinex.net, shok@janova.org)