Signature Detail

HTTP: Negative Content-Length Overflow

This signature detects a negative Content-Length value. Apache Web servers 1.3.26 through 1.3.32 shipped with mod_proxy, which contains a buffer overflow vulnerability. Attackers can exploit this vulnerability by sending a negative Content-Length value to the server, enabling them to run malicious code or crash the server.

Extended Description

A remote buffer overflow vulnerability exists in Apache mod_proxy. The source of this issue is that a negative user-specified length value may be used in a memory copy operation, allowing for corruption of memory. This may triggered if a remote server returns a negative Content-Length: HTTP header field to be passed through the proxy. Exploitation will likely result in a denial of service, though there is an unconfirmed potential for execution of arbitrary code on some platforms (such as BSD implementations). Versions that have the optional AP_ENABLE_EXCEPTION_HOOK define enabled may also be exploitable on some platforms. This issue affects Apache servers 1.3.26 through 1.3.32 that have mod_proxy enabled and configured. Apache 2.0.x releases are not affected by this issue.

Affected Products

• Apache_software_foundation apache 1.3.0
• Apache_software_foundation apache 1.3.1
• Apache_software_foundation apache 1.3.11
• Apache_software_foundation apache 1.3.12
• Apache_software_foundation apache 1.3.14
• Apache_software_foundation apache 1.3.17
• Apache_software_foundation apache 1.3.18
• Apache_software_foundation apache 1.3.19
• Apache_software_foundation apache 1.3.20
• Apache_software_foundation apache 1.3.22
• Apache_software_foundation apache 1.3.23
• Apache_software_foundation apache 1.3.24
• Apache_software_foundation apache 1.3.25
• Apache_software_foundation apache 1.3.26
• Apache_software_foundation apache 1.3.27
• Apache_software_foundation apache 1.3.28
• Apache_software_foundation apache 1.3.29
• Apache_software_foundation apache 1.3.3
• Apache_software_foundation apache 1.3.31
• Apache_software_foundation apache 1.3.32
• Apache_software_foundation apache 1.3.4
• Apache_software_foundation apache 1.3.6
• Apache_software_foundation apache 1.3.7 -Dev
• Apache_software_foundation apache 1.3.9
• Hp hp-ux 11.0.0
• Hp hp-ux 11.11.0
• Hp hp-ux 11.20.0
• Hp hp-ux 11.22.0
• Hp hp-ux B.11.00
• Hp hp-ux B.11.11
• Hp hp-ux B.11.22
• Hp hp-ux_(vvos) 11.0.0 4
• Hp openvms_secure_web_server 1.1
• Hp openvms_secure_web_server 1.1.0 -1
• Hp openvms_secure_web_server 1.2.0
• Hp openvms_secure_web_server 2.1-1
• Hp virtualvault 11.0.4
• Hp virtualvault A.04.50
• Hp virtualvault A.04.60
• Hp virtualvault A.04.70
• Hp webproxy 2.0.0
• Hp webproxy 2.1.0
• Hp webproxy A.02.00
• Hp webproxy A.02.10
• Ibm http_server 1.3.26
• Ibm http_server 1.3.26 .1
• Ibm http_server 1.3.26 .2
• Ibm http_server 1.3.28
• Openbsd openbsd 3.4
• Openbsd openbsd 3.5
• Openbsd openbsd -Current
• Red_hat advanced_workstation_for_the_itanium_processor 2.1.0
• Red_hat advanced_workstation_for_the_itanium_processor 2.1.0 IA64
• Red_hat enterprise_linux_as 2.1
• Red_hat enterprise_linux_as 2.1 IA64
• Red_hat enterprise_linux_es 2.1
• Red_hat enterprise_linux_es 2.1 IA64
• Red_hat enterprise_linux_ws 2.1
• Red_hat enterprise_linux_ws 2.1 IA64
• Red_hat linux 7.3.0
• Sgi propack 2.4.0
• Slackware linux 10.0.0
• Slackware linux 8.1.0
• Slackware linux 9.0.0
• Slackware linux 9.1.0
• Sun solaris 8 Sparc
• Sun solaris 8 X86
• Sun solaris 9 Sparc
• Sun solaris 9 X86
• Trustix secure_linux 1.5.0

References

• BugTraq: 10508
• BugTraq: 49605
• BugTraq: 55551
• CVE: CVE-2006-2162
• CVE: CVE-2006-3655
• CVE: CVE-2004-0095
• CVE: CVE-2004-0492
• CVE: CVE-2012-0271
• CVE: CVE-2011-3491
• CVE: CVE-2004-0493
• URL: http://www.debian.org/security/2004/dsa-525
• URL: http://www.debian.org/security/2004/dsa-525
• URL: http://www.guninski.com/modproxy1.html