Attack: Apache Mod Rewrite LDAP CVE-2006-3747

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects buffer-overflow exploitation attempts in Apache Mod_Rewrite.

Additional Information

Apache mod_rewrite is a rule-based rewriting engine that rewrites requested URLs for the Apache webserver.

The mod_rewrite module is prone to an off-by-one buffer-overflow condition. This issue could possibly allow remote attackers to execute arbitrary code on a vulnerable system to gain unauthorized access.

Specifically, this issue presents itself on a system with the active configuration 'RewriteEngine on'. A remote attacker can reportedly exploit certain rewrite rules to crash the HTTPD server and potentially cause arbitrary code execution.

Reportedly, RewriteRule flags that do not include the Forbidden (F), Gone (G), or NoEscape (NE) flags expose this vulnerability. An additional condition for successful exploitation is that Rewrite rules that control or modify the beginning of the rewritten URL must be present.

An attacker may exploit this issue to trigger a denial-of-service condition. Presumably, arbitrary code execution may be possible as well. Note that 'RewriteEngine on' is typically not enabled by default in Apache HTTPD implementations.
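As an added example (not part of the Symantec signature description), the following Python script scans an httpd.conf fragment for RewriteRule lines matching the exposure conditions given above: RewriteEngine on, no F/G/NE flag, and a substitution whose beginning is taken from the request (a $N or %N backreference or a %{VAR} variable). The sample configuration is constructed, and treating the whole file as one scope is a simplification of Apache's per-directory contexts.

```python
import re

# Constructed sample httpd.conf fragment (illustrative, not from a real server).
SAMPLE_CONF = """
RewriteEngine on
# Substitution begins with a backreference: the request controls the start of the rewritten URL
RewriteRule ^/proxy/(.*)$ $1 [L]
# Same shape, but the NE (NoEscape) flag is one the advisory names as not exposed
RewriteRule ^/proxy2/(.*)$ $1 [NE,L]
# Fixed prefix: the request cannot control the beginning of the rewritten URL
RewriteRule ^/old/(.*)$ /new/$1 [L]
# Forbidden rule: no substitution is performed
RewriteRule ^/secret - [F]
"""

RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
# Short and long spellings of the flags the advisory says are not exposed
SAFE_FLAGS = {"F", "FORBIDDEN", "G", "GONE", "NE", "NOESCAPE"}
# Substitution starting with request-derived data: $N, %N, or %{VAR}
CONTROLLED_START = re.compile(r'^(\$\d|%\d|%\{)')


def parse_flags(flag_str):
    """Split '[R=301,NE,L]' contents into a set of upper-case flag names."""
    if not flag_str:
        return set()
    return {f.split('=')[0].strip().upper() for f in flag_str.split(',') if f.strip()}


def audit_rewrite_rules(conf_text):
    """Return (line_no, rule_text) for each RewriteRule that meets all exposure conditions."""
    findings = []
    engine_on = False
    for n, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if re.match(r'^RewriteEngine\s+on$', stripped, re.I):
            engine_on = True  # advisory: issue only presents with 'RewriteEngine on'
            continue
        m = RULE_RE.match(line)
        if not m or not engine_on:
            continue
        _pattern, subst, flag_str = m.groups()
        if subst == '-' or parse_flags(flag_str) & SAFE_FLAGS:
            continue  # no substitution, or F/G/NE present
        if CONTROLLED_START.match(subst):
            findings.append((n, stripped))
    return findings


if __name__ == "__main__":
    for line_no, rule in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {line_no}: {rule}")
```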

Ubuntu Linux reported that this issue affects Apache 2.0.53, 2.0.54, and 2.0.55 on their platforms. The Apache Software Foundation reports that affected versions are 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0. Other versions running on different platforms may be affected as well.

Affected

  • Apache Software Foundation Apache 1.3.3, 1.3.4, 1.3.6, 1.3.7-dev, 1.3.9, 1.3.28, 1.3.29, 1.3.31, 1.3.32, 1.3.33, 1.3.34, 1.3.35-dev, 1.3.36, 1.3.37, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51, 2.0.52, 2.0.53, 2.0.54, 2.0.55, 2.0.56-dev, 2.0.59, 2.2.0, 2.2.3
  • Debian Linux 3.1, 3.1 alpha, 3.1 amd64, 3.1 arm, 3.1 hppa, 3.1 ia-32, 3.1 ia-64, 3.1 m68k, 3.1 mips, 3.1 mipsel, 3.1 ppc, 3.1 s/390, 3.1 sparc
  • Gentoo Linux
  • HP HP-UX B.11.00, B.11.04, B.11.11, B.11.23
  • HP VirtualVault A.04.50, A.04.60, A.04.70, 4.7
  • HP Webproxy A.02.00, A.02.10
  • IBM Hardware Management Console (HMC) for iSeries 6.0 R1.0
  • IBM Hardware Management Console (HMC) for pSeries 6.0 R1.0
  • IBM HTTP Server 1.3.26.2, 1.3.28.1
  • IBM Websphere Application Server 6.0.2, 6.0.2.1, 6.0.2.11, 6.0.2.13, 6.0.2.3, 6.0.2.5, 6.0.2.7, 6.0.2.9, 6.1, 6.1.1, 6.1.3
  • MandrakeSoft Corporate Server 3.0, 3.0 x86_64
  • MandrakeSoft Linux Mandrake 2006.0, 2006.0 x86_64
  • MandrakeSoft Multi Network Firewall 2.0
  • OpenBSD OpenBSD 3.8, 3.9
  • OpenPKG OpenPKG 2.0, 2.1, 2.2, 2.3, 2.4, 2.5
  • rPath rPath Linux 1
  • S.u.S.E. Linux Enterprise SDK 10
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Enterprise Server for S/390 9.0
  • S.u.S.E. Linux Personal 10.1, 9.2, 9.2 x86_64, 9.3, 9.3 x86_64, 10.0 OSS
  • S.u.S.E. Linux Professional 9.2, 9.2 x86_64, 9.3, 9.3 x86_64, 10.0, 10.0 OSS, 10.1
  • S.u.S.E. SUSE Linux Enterprise Server 10
  • Slackware Linux -current, 8.1, 9.0, 9.1, 10.0, 10.1, 10.2
  • Sun Solaris 10_x86, 8.0, 8.0_x86, 9.0, 9.0_x86, 10.0, 10.0_x86
  • Trustix Secure Enterprise Linux 2.0
  • Trustix Secure Linux 2.2, 3.0
  • Turbolinux Appliance Server 2.0
  • Turbolinux Home
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Turbolinux 10 F..., FUJI
  • Turbolinux Turbolinux Desktop 10.0
  • Turbolinux Turbolinux Server 10.0, 10.0 x86
  • Ubuntu Ubuntu Linux 5.04 amd64, 5.04 i386, 5.04 powerpc, 5.10 amd64, 5.10 i386, 5.10 powerpc, 5.10 sparc, 6.6 LTS amd64, 6.6 LTS i386, 6.6 LTS powerpc, 6.6 LTS sparc

Response

Ubuntu has addressed this issue in updated packages: version 2.0.53 for the 5.04 branch, 2.0.54 for the 5.10 branch, and 2.0.55 for the 6.06 LTS branch. Users are advised to obtain the available update.

Please see the referenced vendor advisories for more information.