Bugtraq mailing list archives
Re: Apache - all versions vulnerability in OLD procesors.
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Mon, 26 Apr 2004 09:54:32 +0200
On 2004-04-24 15:53:03 -0000, Adam Zabrocki wrote:
> Apache - all versions vulnerability in OLD procesors.
Hmm, 64 bit processors are old? [...]
> Aha... good, while count is bigger or equal following constant:
>
> "src/ap/ap_sha1.c"
> ...
> ...
> #define SHA_BLOCKSIZE 64
> ...
> ...
>
> Hm... ok, this gets evaluated further more in ebcdic2ascii() ?
>
> "src/ap/ap_ebcdi.c"
> API_EXPORT(void *)
> ebcdic2ascii(void *dest, const void *srce, size_t count)
> {
>     unsigned char *udest = dest;
>     const unsigned char *usrce = srce;
>
>     while (count-- != 0) {
>         *udest++ = os_toascii[*usrce++];
>     }
>
>     return dest;
> }
>
> Above function copies 64 bytes, structure AP_SHA1_CTX is an array of
> 16 elements. Take a look at structure element declaration :
>
> "src/include/ap_sha1.h"
> typedef unsigned long AP_LONG; /* a 32-bit quantity */
>
> This is fine, assuming that we have 32 bits CPU, and
> sizeof(unsigned long) equals 4. So 4*16=64. There is no guarantee
> that on some archs unsigned long is going to stay 32 bit width. When
> it's either longer or shorter (I am not sure if long can be 16 bits
> long, but possibly ANSI C standard doesn't say anything about its
> length in bits).
How about looking it up? The C standard defines long as having at least 32 bits (and int and short as having at least 16 bits, and char as having at least 8 bits, just for completeness).
> Ie. on 64bit platforms, depending on compiler options, and compiler itself long can be either 64 (default) or 32 bits.
Correct.
> When sizeof( unsigned long )!=4 it can lead to memory corruption in function ebcdic2ascii(), which will either copy too much, copied in this example 32 bytes more than he should and that situation do this bug!
No. It will still copy 64 (SHA_BLOCKSIZE) bytes, but the buffer will now be 16*8 = 128 bytes long. So half of the buffer will be wasted, but no overflow will occur.

        hp

--
   _  | Peter J. Holzer      | Shooting the users in the foot is bad.
|_|_) | Sysadmin WSR / LUGA  | Giving them a gun isn't.
| |   | hjp () wsr ac at     |         -- Gordon Schumacher,
__/   | http://www.hjp.at/   |     mozilla bug #84128
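The size arithmetic from the reply above, as an added C example (not part of the original post and not Apache's code): it runs the quoted copy loop against a modelled 16-element buffer and counts bytes written past its end. The names `translate`, `bytes_past_end`, `GUARD` and the identity table are assumptions made for the illustration; the 2-byte element width is a hypothetical case that the C standard rules out for `long`.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define SHA_BLOCKSIZE 64  /* from the quoted ap_sha1.c */
#define SHA_WORDS     16  /* elements in the block buffer, per the post */
#define GUARD         64  /* constructed guard zone after the buffer */

/* Compile-time form of the standard's guarantee: long has at least 32 bits. */
typedef char long_has_32_bits[(sizeof(unsigned long) * CHAR_BIT >= 32) ? 1 : -1];
/* Identity table: constructed stand-in for os_toascii. */
static unsigned char table[256];
/* Same loop as the quoted ebcdic2ascii(). */
static void *translate(void *dest, const void *srce, size_t count)
{
    unsigned char *udest = dest;
    const unsigned char *usrce = srce;
    while (count-- != 0)
        *udest++ = table[*usrce++];
    return dest;
}

/* Model a SHA_WORDS-element buffer of elem_size-byte elements, copy
   SHA_BLOCKSIZE bytes into it and return how many landed past its end;
   *unused gets the buffer bytes the copy never reached. */
static int bytes_past_end(size_t elem_size, size_t *unused)
{
    unsigned char arena[SHA_WORDS * 8 + GUARD], block[SHA_BLOCKSIZE];
    size_t buf = SHA_WORDS * elem_size, i;
    int over = 0;
    if (elem_size == 0 || elem_size > 8) return -1;
    for (i = 0; i < 256; i++) table[i] = (unsigned char)i;
    memset(block, 0x11, sizeof block);
    memset(arena, 0xA5, sizeof arena);    /* guard pattern everywhere */
    translate(arena, block, SHA_BLOCKSIZE);
    for (i = buf; i < sizeof arena; i++)  /* scan everything past the buffer */
        if (arena[i] != 0xA5) over++;
    *unused = buf > SHA_BLOCKSIZE ? buf - SHA_BLOCKSIZE : 0;
    return over;
}

int main(void)
{
    size_t w[] = { 2, 4, 8, sizeof(unsigned long) }, u = 0, i;
    for (i = 0; i < 4; i++) {
        int over = bytes_past_end(w[i], &u);
        printf("elem=%zu past_end=%d unused=%zu\n", w[i], over, u);
    }
    return 0;
}
```

The fixed 64-byte copy only overruns when the element type is narrower than 32 bits; a fixed-width type such as `uint32_t` from `<stdint.h>` removes the dependence on the platform's `long` altogether.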
Current thread:
- Apache - all versions vulnerability in OLD procesors. Adam Zabrocki (Apr 24)
- Re: Apache - all versions vulnerability in OLD procesors. Chris Adams (Apr 26)
- Re: Apache - all versions vulnerability in OLD procesors. Chris Adams (Apr 26)
- Re: Apache - all versions vulnerability in OLD procesors. Peter J. Holzer (Apr 26)
- <Possible follow-ups>
- Re: Apache - all versions vulnerability in OLD procesors. Adam Zabrocki (Apr 27)
- Re: Apache - all versions vulnerability in OLD procesors. Peter Pentchev (Apr 28)