
bugzilla at apache
Nov 16, 2009, 3:56 AM
[Bug 48204] New: extended patch CVE-2009-3555-2.2.patch handling request splicing in case of server initiated renegotiation
https://issues.apache.org/bugzilla/show_bug.cgi?id=48204

Summary: extended patch CVE-2009-3555-2.2.patch handling request splicing in case of server initiated renegotiation
Product: Apache httpd-2
Version: 2.2-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
AssignedTo: bugs [at] httpd
ReportedBy: Hartmut.Keil [at] adnovum

With the patch http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch client-initiated renegotiation has been disabled, as a consequence of CVE-2009-3555. But in the case of a server-initiated renegotiation a MITM attacker can still execute an arbitrary request within the victim's context:

o the MITM is sending a complete HTTP request, let's say with URL /cert, and an incomplete request with URL /cert/hacked. With incomplete is meant that the last request header, let's say 'X-Ignore', is not terminated.
o both requests will be buffered in the function 'ssl_io_input_read(..)' in the cbuf of the struct bio_filter_in_ctx.
o the URL of the first request is triggering mod_ssl to initiate an SSL renegotiation
o the MITM is forwarding the SSL handshake messages and the payload from the victim, in the way described in http://extendedsubset.com/Renegotiating_TLS.pdf.
o in the end the server is executing the second request /cert/hacked of the MITM with the headers of the victim request, especially the Cookie header

(This kind of attack has been executed by us against httpd/2.2.14 with the CVE-2009-3555-2.2.patch.)

A simple countermeasure is to reset the buffer 'cbuf' of the decrypted data in case of a server-initiated renegotiation. See the following patch of the method 'bio_filter_in_read(..)' in ssl_engine_io.c

--- ssl_engine_io.c.patched 2009-11-16 10:57:23.416525000 +0100
+++ ssl_engine_io.c 2009-11-16 11:46:51.090262000 +0100
@@ -478,6 +478,10 @@ inctx->rc = APR_ECONNABORTED; return -1; } + /* Clear buffer with decrypted data if the server has initiated a renegotiation. */ + if (inctx->filter_ctx->config->reneg_state == RENEG_ALLOW) { + char_buffer_write(&inctx->cbuf, NULL, 0); + } /* XXX: flush here only required for SSLv2; * OpenSSL calls BIO_flush() at the appropriate times for
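Review bot: the added block tests `inctx->filter_ctx->config->reneg_state == RENEG_ALLOW` inside a read path, so cbuf is cleared on every call into bio_filter_in_read for as long as the connection stays in that state, not once at the point where the server initiates the renegotiation; the comment should say what RENEG_ALLOW covers and that repeated clearing within that window is intended, because the fix is only safe if the state really is confined to the server-initiated handshake. Also, `char_buffer_write(&inctx->cbuf, NULL, 0);` reads as a write rather than a reset; either a comment that NULL with length 0 empties the buffer, which is what the preceding comment intends, or a small dedicated clear helper would make the purpose clear to the next reader.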
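As an added example (not part of the report and not httpd's own code), a toy model in C of the per-connection buffer of decrypted bytes the report describes: it replays the sequence (complete request, unterminated request, server-initiated renegotiation, then the client's own request) with and without the proposed reset, and shows which request the HTTP layer parses afterwards. The request text, host name and cookie value are constructed, and the buffer functions are simplified stand-ins for mod_ssl's char_buffer routines.

```c
#include <string.h>

/* Added example, not httpd code: a toy model of mod_ssl's per-connection buffer
 * of decrypted, not-yet-consumed bytes (the cbuf of bio_filter_in_ctx). */
#define BUF_MAX 1024
typedef struct {
    char data[BUF_MAX];
    size_t length;
} conn_buf;

/* Decrypted record payload is appended to the connection buffer. */
static void cbuf_append(conn_buf *cb, const char *bytes) {
    size_t n = strlen(bytes);
    if (cb->length + n >= BUF_MAX) n = BUF_MAX - 1 - cb->length;
    memcpy(cb->data + cb->length, bytes, n);
    cb->length += n;
    cb->data[cb->length] = '\0';
}

/* The HTTP layer consumes one complete request (through the blank line that ends
 * its headers); whatever follows stays buffered for the next request. */
static void cbuf_consume_request(conn_buf *cb) {
    char *end = strstr(cb->data, "\r\n\r\n");
    if (end == NULL) return;                   /* request still incomplete */
    size_t used = (size_t)(end - cb->data) + 4;
    memmove(cb->data, cb->data + used, cb->length - used + 1);
    cb->length -= used;
}

/* Server-initiated renegotiation: the report's fix resets cbuf here; the unfixed
 * code keeps bytes that were decrypted under the old session. */
static void cbuf_on_server_renegotiation(conn_buf *cb, int apply_fix) {
    if (apply_fix) { cb->length = 0; cb->data[0] = '\0'; }
}

/* Replay the report's sequence and return the request the HTTP layer parses
 * after the handshake. Request text and header values are constructed. */
const char *next_request_after_reneg(int apply_fix, conn_buf *cb) {
    memset(cb, 0, sizeof *cb);
    /* Before the handshake: a complete request plus one whose last header is
     * deliberately left unterminated. */
    cbuf_append(cb, "GET /cert HTTP/1.1\r\nHost: example.test\r\n\r\n");
    cbuf_append(cb, "GET /cert/hacked HTTP/1.1\r\nX-Ignore: ");
    cbuf_consume_request(cb);   /* /cert is served and triggers renegotiation */
    cbuf_on_server_renegotiation(cb, apply_fix);
    /* After the handshake: the authenticated client's own request. */
    cbuf_append(cb, "GET /account HTTP/1.1\r\nHost: example.test\r\n"
                    "Cookie: sid=constructed\r\n\r\n");
    return cb->data;
}
```

Without the reset the buffer starts with the pre-handshake request line and the client's request line is swallowed into the unterminated X-Ignore header, followed by the client's Cookie header; with the reset only the client's own request remains.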