Bug 29425 - apache reads out parts of hd or memory on format string exploit
Summary: apache reads out parts of hd or memory on format string exploit
Status: RESOLVED DUPLICATE of bug 28376
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: All
Version: 2.0.49
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL: http://pan-data.dyndns.org
Keywords:
Depends on:
Blocks:
 
Reported: 2004-06-07 13:53 UTC by Volker Hoffmann
Modified: 2004-11-16 19:05 UTC
Description Volker Hoffmann 2004-06-07 13:53:46 UTC
When apache is receiving a format string exploit (longer than 8190 bytes), it
writes out the string plus some information at the end of the log file. This
additional information is obviously gathered from hd or memory (???).

access_log:

...
...
...
...
x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90nt:
Tuesday, June 01, 2004 7:41 AM\r\n> >> >> >Subject: New CCOUNT version 1.19
released.\r\n> >> >> >\r\n> >> >> >\r\n> >> >> >> Dear CCOUNT user,\r\n> >> >>
>>\r\n> >> >> >> we're proud to announce a new CCOUNT\r\n> >version\r\n> >> >>
>1.19.\r\n> >> >> >> This release contains some bugfixes and a\r\n> >few\r\n> >>
>> >improvements.\r\n> >> >> >>\r\n> >> >> >> Please find the complete list of
changes\r\n> >at\r\n> >> >> >>\r\n> >> >> >>\r\n> >> >>\r\n> >>\r\n>
>>>http://pan-data.dyndns.org/ccount/inst/changelog.txt\r\n> >> >> >>\r\n> >> >>
>> You can find some additional informations\r\n> >and\r\n> >> >> >the\r\n> >>
>> >> downloads at\r\n> >> >> >>\r\n> >> >> >>
http://pan-data.dyndns.org/ccount/\r\n> >> >> >>\r\n> >> >> >> If you want to
unsubscribe from CCOUNT\r\n> >> >> >newsletter,\r\n> >> >> >> please reply this
mail with subject\r\n> >> >> >\"ccount-unsubscribe\".\r\n> >> >> >>\r\n> >> >>
>> Thanks for using CCOUNT,\r\n> >> >> >> The CCOUNT Team\r\n> >> >> >\r\n> >>
>> >\r\n> >> >\r\n> >\r\n> >\r\n>\r\n" 414 250 -

As you can see, it not only shows all these x90\x90\x90\..., but also some
information (starting with nt:Tuesday, June 01, 2004 7:41 AM\r\....). In this
case, it's an email which was sent out on June 01, 2004. If this contains
confidential information, it is visible to others just by looking in the
apache logs.

Volker
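A defender-side check for the symptom the report describes, added here as example code that is not part of the bug report or of httpd: it parses Common Log Format lines, reverses httpd's backslash escaping of the logged request field, and flags entries whose decoded request is longer than the 8190-byte limit the report mentions or contains a CR or LF, which a single request line can never legitimately include (the request line ends at the first CRLF, so escaped `\r\n` inside the logged field means the logger emitted bytes from beyond it). The log lines are constructed for the example; the CLF pattern, the unescaping rules and the limit constant are assumptions of this example, not taken from httpd's source.

```python
import re

# Default request-line limit; the report cites 8190 bytes (assumption: default LimitRequestLine).
LIMIT_REQUEST_LINE = 8190

# Common Log Format: host ident user [time] "request" status bytes ...
# The request group accepts backslash escapes so an escaped quote does not end the field.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# httpd writes non-printable bytes as \xNN and a few as named escapes (assumed set).
ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[nrtvbfa"\\])')
_NAMED = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'b': '\b',
          'f': '\f', 'a': '\a', '"': '"', '\\': '\\'}


def unescape_logitem(field):
    """Reverse the log escaping so lengths and control characters reflect raw bytes."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        return _NAMED[esc]
    return ESCAPE_RE.sub(repl, field)


def analyze(line):
    """Return per-line findings, or None if the line is not in Common Log Format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    decoded = unescape_logitem(m.group('request'))
    over_limit = len(decoded) > LIMIT_REQUEST_LINE
    # A request line terminates at CRLF, so CR/LF inside the logged field means
    # the logged text extends past the request itself.
    contains_crlf = '\r' in decoded or '\n' in decoded
    return {
        'host': m.group('host'),
        'status': int(m.group('status')),
        'decoded_len': len(decoded),
        'over_limit': over_limit,
        'contains_crlf': contains_crlf,
        'suspicious': over_limit or contains_crlf,
    }


def scan(lines):
    """Return the findings for every line that shows either symptom."""
    return [r for r in (analyze(l) for l in lines) if r and r['suspicious']]


# Constructed sample log lines (not from the report's actual log file).
SAMPLE_LINES = [
    # Ordinary request: nothing to flag.
    '192.0.2.10 - - [07/Jun/2004:13:53:46 +0000] "GET /ccount/ HTTP/1.1" 200 4821',
    # A few escaped bytes but short and self-contained: not flagged.
    '192.0.2.11 - - [07/Jun/2004:13:54:01 +0000] "GET /' + '\\x90' * 16 + ' HTTP/1.0" 400 250',
    # Modelled on the report: an over-long request whose logged text runs past the
    # request into unrelated data containing CR/LF, with the 414 status seen there.
    '192.0.2.12 - - [07/Jun/2004:13:55:12 +0000] "' + '\\x90' * 8200
    + 'nt: Tuesday, June 01, 2004 7:41 AM\\r\\n> >> >> >Subject: example\\r\\n" 414 250',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LINES):
        print('%s status=%d len=%d over_limit=%s crlf=%s' % (
            hit['host'], hit['status'], hit['decoded_len'],
            hit['over_limit'], hit['contains_crlf']))
```

To run it against a real access_log, replace SAMPLE_LINES with the file's lines. A hit with status 414 whose decoded request contains CR/LF is the pattern the report shows, and such a log file should be handled as possibly containing data that never belonged to the request.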
Comment 1 Joe Orton 2004-06-07 15:58:45 UTC

*** This bug has been marked as a duplicate of 28376 ***