Check Point Advisories

Apache Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow (CVE-2006-3747)

Check Point Reference: CPAI-2006-229
Date Published: 30 Sep 2009
Severity: High
Last Updated: Wednesday 30 September, 2009
Source:
Industry Reference:CVE-2006-3747
Protection Provided by:

Security Gateway
R81, R80, R77, R75
Who is Vulnerable?
Vulnerability Description The Apache HTTP server is the most popular web server in use on the Internet. Over two-thirds of web hosts on the Internet run the application in order to serve content. The server is capable of being utilized with numerous different options and configurations, with a wide variety of plug-in modules which are loaded at run-time to extend its functionality. There exists a buffer overflow vulnerability in the mod_rewrite module of Apache HTTP Server. The vulnerability is caused by an error which occurs during the processing of LDAP scheme URLs. A remote anonymous attacker may exploit this vulnerability to execute arbitrary code in the context of the web server. In an attack case where code injection is not successful, the behaviour of the target server depends on the memory layout of the target system and the system platforms. On Linux platforms, the target server may exhibit no abnormal behaviour. However, on Windows platform, the target HTTP server instance may terminate abnormally. As the ApacheManager.exe process is monitoring the HTTP server service instances, the HTTP server service will be resumed automatically. If an attacker sends a crafted HTTP request to the server continuously, a permanent denial of service may ensue. In a more sophisticated attack where exploitation results in successful code injection, the behaviour of the target host is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the HTTP server process. On Windows platform, an attack may exploit this vulnerability to compromise the entire system.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75

  1. In the IPS tab, click Protections and find the Apache Server mod_rewrite Module LDAP Scheme Handling Buffer Overflow protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  Apache Server Protection Violation.
Attack Information:  Apache Server mod_rewrite module LDAP scheme handling buffer overflow

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK