Executive Summary

Summary
Title: Apache mod_isapi module library unload results in orphaned callback pointers
Information
Name: VU#280613
First vendor publication: 2010-03-11
Vendor: VU-CERT
Last vendor modification: 2010-03-11
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability SubScore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Base Score: 10
Attack Range: Network
CVSS Impact Score: 10
Attack Complexity: Low
CVSS Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#280613

Apache mod_isapi module library unload results in orphaned callback pointers

Overview

The Apache mod_isapi module can be forced to unload a specific library before the processing of a request is complete, resulting in memory corruption. This vulnerability may allow a remote attacker to execute arbitrary code.

I. Description

The Apache HTTP server running on Windows platforms contains a flaw in mod_isapi which could enable an attacker to unload ISAPI.dll before request processing is complete. An attacker can send a specially-crafted request and RESET packet to the server, resulting in ISAPI.dll being unloaded. Additional requests can result in memory corruption.
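The defensive pattern that this class of bug calls for, deferring a library unload until no request is still executing inside it, is sketched below as an added example. It is a simplified single-threaded model, not Apache's code or its patch; every name in it (ext_module, ext_unload, and so on) is hypothetical, and a real server would need atomic or locked counters.

```c
#include <stddef.h>

/* Hypothetical model of a loaded extension; all names are illustrative. */
typedef struct {
    int loaded;            /* 1 while the library is mapped */
    int in_flight;         /* requests still executing inside the library */
    int unload_pending;    /* unload was requested while requests were active */
    int (*callback)(int);  /* points into the library; dangling once unmapped */
} ext_module;

static int sample_callback(int x) { return x + 1; }  /* stands in for DLL code */

void ext_load(ext_module *m) {
    m->loaded = 1; m->in_flight = 0; m->unload_pending = 0;
    m->callback = sample_callback;
}

static void do_unload(ext_module *m) {
    m->callback = NULL;    /* never leave an orphaned pointer behind */
    m->loaded = 0;
    m->unload_pending = 0;
}

/* Pin the module for one request; refuse new work once unload is pending. */
int ext_request_begin(ext_module *m) {
    if (!m->loaded || m->unload_pending) return -1;
    m->in_flight++;
    return 0;
}

/* Returns 1 if unloaded now, 0 if deferred until in-flight requests finish. */
int ext_unload(ext_module *m) {
    if (m->in_flight > 0) { m->unload_pending = 1; return 0; }
    do_unload(m);
    return 1;
}

/* Release the pin; the last request out performs the deferred unload. */
void ext_request_end(ext_module *m) {
    if (m->in_flight > 0 && --m->in_flight == 0 && m->unload_pending)
        do_unload(m);
}

/* Call into the library only while it is mapped. */
int ext_invoke(ext_module *m, int arg, int *out) {
    if (!m->loaded || m->callback == NULL) return -1;
    *out = m->callback(arg);
    return 0;
}
```

In this model an unload requested mid-request is recorded rather than executed, so the callback pointer stays valid until the last in-flight request ends and is cleared at the moment the library goes away.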

This vulnerability affects Apache httpd versions 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.10, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0, 2.0.63, 2.0.61, 2.0.59, 2.0.58, 2.0.55, 2.0.54, 2.0.53, 2.0.52, 2.0.51, 2.0.50, 2.0.49, 2.0.48, 2.0.47, 2.0.46, 2.0.45, 2.0.44, 2.0.43, 2.0.42, 2.0.40, 2.0.39, and 2.0.37.

II. Impact

A remote, unauthenticated attacker may be able to cause a denial of service condition or execute arbitrary code on the system with the privileges of the Apache process. Because the Apache service typically runs with SYSTEM privileges on Windows platforms, an attacker may be able to gain complete control of the system.

III. Solution

Apply Patch

The Apache Software Foundation has released httpd 2.2.15 and 2.0.64-dev, which address this and other issues. Updates can be found on the Apache httpd website.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apache HTTP Server Project | Vulnerable | 2010-03-11

References


http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://secunia.com/advisories/38776/
http://svn.apache.org/viewvc?view=revision&revision=917875
http://svn.apache.org/viewvc?view=revision&revision=917870
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.senseofsecurity.com.au/advisories/SOS-10-002

Credit

Apache credits Brett Gervasoni of Sense of Security for reporting the issue.

This document was written by David Warren.

Other Information

Date Public: 2010-03-02
Date First Published: 2010-03-11
Date Last Updated: 2010-03-11
CERT Advisory: 03/08/2010
CVE-ID(s): CVE-2010-0425
NVD-ID(s): CVE-2010-0425
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 19

Original Source

Url : http://www.kb.cert.org/vuls/id/280613

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:8439
 
Oval ID: oval:org.mitre.oval:def:8439
Title: Apache 'mod_isapi' Memory Corruption Vulnerability
Description: modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."
Family: windows Class: vulnerability
Reference(s): CVE-2010-0425
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows 7
Product(s): Apache
Definition Synopsis:

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 56

ExploitDB Exploits

id Description
2010-07-09 Write-to-file Shellcode (Win32)
2010-03-07 Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit

OpenVAS Exploits

Date Description
2010-03-04 Name : Apache Multiple Security Vulnerabilities
File : nvt/gb_apache_38494.nasl
0000-00-00 Name : Slackware Advisory SSA:2010-067-01 httpd
File : nvt/esoft_slk_ssa_2010_067_01.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62674 Apache HTTP Server mod_isapi Module Unloading Crafted Request Remote DoS

Snort® IPS/IDS

Date Description
2014-01-10 Apache mod_isapi dangling pointer exploit attempt
RuleID : 19124 - Revision : 7 - Type : SERVER-APACHE
2014-01-10 Apache mod_isapi dangling pointer code execution attempt
RuleID : 19107 - Revision : 10 - Type : SERVER-APACHE
2014-01-10 Apache mod_isapi dangling pointer exploit attempt
RuleID : 16480 - Revision : 5 - Type : SERVER-APACHE
2014-01-10 Apache mod_isapi dangling pointer exploit attempt - public shell code
RuleID : 16479 - Revision : 5 - Type : SERVER-APACHE

Nessus® Vulnerability Scanner

Date Description
2017-10-31 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2017-2907-1.nasl - Type : ACT_GATHER_INFO
2013-08-11 Name : The remote web server may be affected by multiple vulnerabilities.
File : oracle_http_server_cpu_jul_2013.nasl - Type : ACT_GATHER_INFO
2010-10-20 Name : The remote web server is affected by multiple vulnerabilities.
File : apache_2_0_64.nasl - Type : ACT_GATHER_INFO
2010-10-20 Name : The remote web server is affected by multiple vulnerabilities
File : apache_2_2_15.nasl - Type : ACT_GATHER_INFO
2010-03-09 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2010-067-01.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 12:07:42
  • Multiple Updates