Bug 29425

Summary: apache reads out parts of hd or memory on format string exploit
Product: Apache httpd-2
Reporter: Volker Hoffmann <vhoff>
Component: All
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: P3
Version: 2.0.49
Target Milestone: ---
Hardware: PC
OS: Linux
URL: http://pan-data.dyndns.org

Description Volker Hoffmann 2004-06-07 13:53:46 UTC
When apache is receiving a format string exploit (longer than 8190 bytes), it
writes out the string plus some information at the end of the log file. This
additional information is obviously gathered from hd or memory (???).

access_log:

...
...
...
...
x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90nt:
Tuesday, June 01, 2004 7:41 AM\r\n> >> >> >Subject: New CCOUNT version 1.19
released.\r\n> >> >> >\r\n> >> >> >\r\n> >> >> >> Dear CCOUNT user,\r\n> >> >>
>>\r\n> >> >> >> we're proud to announce a new CCOUNT\r\n> >version\r\n> >> >>
>1.19.\r\n> >> >> >> This release contains some bugfixes and a\r\n> >few\r\n> >>
>> >improvements.\r\n> >> >> >>\r\n> >> >> >> Please find the complete list of
changes\r\n> >at\r\n> >> >> >>\r\n> >> >> >>\r\n> >> >>\r\n> >>\r\n>
>>>http://pan-data.dyndns.org/ccount/inst/changelog.txt\r\n> >> >> >>\r\n> >> >>
>> You can find some additional informations\r\n> >and\r\n> >> >> >the\r\n> >>
>> >> downloads at\r\n> >> >> >>\r\n> >> >> >>
http://pan-data.dyndns.org/ccount/\r\n> >> >> >>\r\n> >> >> >> If you want to
unsubscribe from CCOUNT\r\n> >> >> >newsletter,\r\n> >> >> >> please reply this
mail with subject\r\n> >> >> >\"ccount-unsubscribe\".\r\n> >> >> >>\r\n> >> >>
>> Thanks for using CCOUNT,\r\n> >> >> >> The CCOUNT Team\r\n> >> >> >\r\n> >>
>> >\r\n> >> >\r\n> >\r\n> >\r\n>\r\n" 414 250 -

As you can see, it not only shows all these x90\x90\x90\..., but also some
information (starting with nt:Tuesday, June 01, 2004 7:41 AM\r\....). In this
case, it's an email which has been sent out on June 01, 2004. If this contains
confidential information, it is visible to others just by looking in the
apache logs.

Volker
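A defender-side check for the symptom in this report, added here as an example and not code from httpd or from the reporter: it parses access_log lines, reverses httpd's \xNN / \r / \n log escaping to recover the raw request length, and reports anything logged past the 8190-byte LimitRequestLine default, since bytes beyond that limit were never part of an accepted request line. It assumes the Common Log Format; the sample log lines are constructed.

```python
"""Flag access_log entries whose logged request runs past LimitRequestLine.
Added example (not httpd code). Assumes Common Log Format and the httpd
default LimitRequestLine of 8190; the sample lines below are constructed."""
import re

LIMIT_REQUEST_LINE = 8190

# host ident user [time] "request" status size; the pattern steps over httpd's
# escapes inside the request field (\xNN, \r, \n, \") instead of stopping at them.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+')
SIMPLE_ESC = {'n': b'\n', 'r': b'\r', 't': b'\t', 'b': b'\b', 'v': b'\v',
              '"': b'"', '\\': b'\\'}
HEX = set('0123456789abcdefABCDEF')

def unescape_logitem(field):
    """Reverse httpd's log-item escaping to recover the raw request bytes."""
    out, i = bytearray(), 0
    while i < len(field):
        if field[i] == '\\' and i + 1 < len(field):
            e, pair = field[i + 1], field[i + 2:i + 4]
            if e == 'x' and len(pair) == 2 and set(pair) <= HEX:
                out.append(int(pair, 16))   # \xNN -> one raw byte
                i += 4
            else:
                out += SIMPLE_ESC.get(e, e.encode('latin-1'))
                i += 2
        else:
            out += field[i].encode('latin-1')
            i += 1
    return bytes(out)

def suspicious_requests(lines, limit=LIMIT_REQUEST_LINE):
    """Return (host, status, raw_len, excess) for requests rejected with 414 or
    longer than `limit`; `excess` is the slice past the limit to review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            raw = unescape_logitem(m.group('request'))
            if m.group('status') == '414' or len(raw) > limit:
                hits.append((m.group('host'), m.group('status'), len(raw), raw[limit:]))
    return hits

# Constructed samples: a normal request, and an over-long one whose logged
# field ends in readable text no client sent (the pattern in the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2004:13:40:01 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [07/Jun/2004:13:41:12 +0000] "GET /' + '\\x90' * 8200
    + 'nt: Tuesday, June 01, 2004\\r\\n> Subject: internal memo\\r\\n" 414 250 -',
]
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the second line and returns the 69 raw bytes logged beyond the limit, which is exactly the portion that cannot have come from an accepted request line.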
Comment 1 Joe Orton 2004-06-07 15:58:45 UTC

*** This bug has been marked as a duplicate of 28376 ***