Check Point Reference: | CPAI-2004-176 |
Date Published: | 8 Oct 2009 |
Severity: | High |
Last Updated: | Thursday 08 October, 2009 |
Source: | |
Industry Reference: | CVE-2004-0786 |
Protection Provided by: | Security Gateway |
Who is Vulnerable? | |
Vulnerability Description | Apache HTTP Server version 2 introduced the Apache Portable Runtime (APR), which provides a middle layer between platform-independent Apache code and the native operating system API. One of the functions provided by the APR utilities component is the parsing of URI strings, which eliminates the need for modules to repeatedly extract the host, port, path and query information themselves. An input validation vulnerability exists in the way the apr-util library, a component of the Apache 2.x HTTP server, parses URI strings. The vulnerability can be triggered by sending a crafted URL that contains a malformed IPv6 literal address. It is exploitable whether the HTTP server is bound to an IPv4 or an IPv6 address. An attacker can trigger the vulnerability to create a denial of service condition. Under some configurations or platforms, exploitation of the vulnerability could lead to remote code execution.
In a simple attack case, once the attack URI is received by the target, the httpd child process serving the request terminates and the TCP connection is closed. On Unix platforms, if the target Apache server uses a fork-on-connect process model, no other client or established connection is affected by the attack. If the target Apache server uses a thread-based process model, all connections handled by the targeted child process are terminated. In either case, the exception event is logged to the httpd error log, by default /var/log/httpd/error_log.
On Windows platforms, the Apache server is terminated and all connections handled by it are closed. No new connections are accepted by the Apache server until it is restarted. The Apache server crash is logged in the System Event log.
In the case of a more sophisticated attack against this vulnerability, arbitrary code may be injected into the application and executed. In this case, the behaviour of the attack target will depend on the nature of the injected code. |
This protection will detect and block attempts to exploit this vulnerability.
For the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Apache Server Protection Violation.
Attack Information: Apache apr-util IPv6 URI parsing
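
As an added example (not Check Point's signature and not Apache code), the following Python sketch shows a generic pre-parse check that a front-end proxy or capture-analysis script could apply to request lines: it rejects any request URI whose bracketed IPv6 literal is not well formed. The advisory does not state the exact malformed form, so the check validates strictly rather than matching one pattern; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
# scheme://authority of an absolute-form request target
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def ipv6_literal_problem(authority):
    """Return why the authority's IPv6 literal is malformed, or None."""
    host = authority.rsplit("@", 1)[-1]  # drop any userinfo
    if not host.startswith("["):
        return "stray bracket in host" if ("[" in host or "]" in host) else None
    end = host.find("]")
    if end == -1:
        return "unterminated IPv6 literal"
    try:
        ipaddress.IPv6Address(host[1:end])
    except ValueError:
        return "not a valid IPv6 address"
    if not re.fullmatch(r"(:\d{1,5})?", host[end + 1:]):
        return "unexpected data after IPv6 literal"
    return None


def flag_requests(request_lines):
    """Return (line, reason) for every request line to block or alert on."""
    findings = []
    for line in request_lines:
        m = REQUEST_LINE.match(line)
        if not m:
            findings.append((line, "unparseable request line"))
            continue
        absolute = ABSOLUTE_FORM.match(m.group(2))
        reason = ipv6_literal_problem(absolute.group(1)) if absolute else None
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample request lines (not taken from real traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "GET http://[2001:db8::1]:8080/status HTTP/1.1",
    "GET http://[2001:db8::zz]/ HTTP/1.1",
    "GET http://[2001:db8::1/ HTTP/1.1",
    "GET http://[::1]x/ HTTP/1.1",
]
```

Calling `flag_requests(SAMPLES)` returns the last three sample lines with their reasons; the first two pass.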