ID CVE-2004-0940
Summary Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 1.3
    cpe:2.3:a:apache:http_server:1.3
  • Apache Software Foundation Apache HTTP Server 1.3.1
    cpe:2.3:a:apache:http_server:1.3.1
  • Apache Software Foundation Apache HTTP Server 1.3.11
    cpe:2.3:a:apache:http_server:1.3.11
  • Apache Software Foundation Apache HTTP Server 1.3.12
    cpe:2.3:a:apache:http_server:1.3.12
  • Apache Software Foundation Apache HTTP Server 1.3.14
    cpe:2.3:a:apache:http_server:1.3.14
  • Apache Software Foundation Apache HTTP Server 1.3.17
    cpe:2.3:a:apache:http_server:1.3.17
  • Apache Software Foundation Apache HTTP Server 1.3.18
    cpe:2.3:a:apache:http_server:1.3.18
  • Apache Software Foundation Apache HTTP Server 1.3.19
    cpe:2.3:a:apache:http_server:1.3.19
  • Apache Software Foundation Apache HTTP Server 1.3.20
    cpe:2.3:a:apache:http_server:1.3.20
  • Apache Software Foundation Apache HTTP Server 1.3.22
    cpe:2.3:a:apache:http_server:1.3.22
  • Apache Software Foundation Apache HTTP Server 1.3.23
    cpe:2.3:a:apache:http_server:1.3.23
  • Apache Software Foundation Apache HTTP Server 1.3.24
    cpe:2.3:a:apache:http_server:1.3.24
  • Apache Software Foundation Apache HTTP Server 1.3.25
    cpe:2.3:a:apache:http_server:1.3.25
  • Apache Software Foundation Apache HTTP Server 1.3.26
    cpe:2.3:a:apache:http_server:1.3.26
  • Apache Software Foundation Apache HTTP Server 1.3.27
    cpe:2.3:a:apache:http_server:1.3.27
  • Apache Software Foundation Apache HTTP Server 1.3.28
    cpe:2.3:a:apache:http_server:1.3.28
  • Apache Software Foundation Apache HTTP Server 1.3.29
    cpe:2.3:a:apache:http_server:1.3.29
  • Apache Software Foundation Apache HTTP Server 1.3.3
    cpe:2.3:a:apache:http_server:1.3.3
  • Apache Software Foundation Apache HTTP Server 1.3.31
    cpe:2.3:a:apache:http_server:1.3.31
  • Apache Software Foundation Apache HTTP Server 1.3.32
    cpe:2.3:a:apache:http_server:1.3.32
  • Apache Software Foundation Apache HTTP Server 1.3.4
    cpe:2.3:a:apache:http_server:1.3.4
  • Apache Software Foundation Apache HTTP Server 1.3.6
    cpe:2.3:a:apache:http_server:1.3.6
  • cpe:2.3:a:apache:http_server:1.3.7:-:dev
    cpe:2.3:a:apache:http_server:1.3.7:-:dev
  • Apache Software Foundation Apache HTTP Server 1.3.9
    cpe:2.3:a:apache:http_server:1.3.9
  • OpenPKG 2.0
    cpe:2.3:a:openpkg:openpkg:2.0
  • OpenPKG 2.1
    cpe:2.3:a:openpkg:openpkg:2.1
  • OpenPKG 2.2
    cpe:2.3:a:openpkg:openpkg:2.2
  • cpe:2.3:a:openpkg:openpkg:current
    cpe:2.3:a:openpkg:openpkg:current
  • HP-UX 11.00
    cpe:2.3:o:hp:hp-ux:11.00
  • HP-UX 11.11
    cpe:2.3:o:hp:hp-ux:11.11
  • HP-UX 11i v1.5
    cpe:2.3:o:hp:hp-ux:11.20
  • HP-UX 11i v1.6
    cpe:2.3:o:hp:hp-ux:11.22
  • Slackware Linux 10.0
    cpe:2.3:o:slackware:slackware_linux:10.0
  • Slackware Linux 8.0
    cpe:2.3:o:slackware:slackware_linux:8.0
  • Slackware Linux 8.1
    cpe:2.3:o:slackware:slackware_linux:8.1
  • Slackware Linux 9.0
    cpe:2.3:o:slackware:slackware_linux:9.0
  • Slackware Linux 9.1
    cpe:2.3:o:slackware:slackware_linux:9.1
  • cpe:2.3:o:slackware:slackware_linux:current
    cpe:2.3:o:slackware:slackware_linux:current
  • SuSE SuSE Linux 8.0
    cpe:2.3:o:suse:suse_linux:8.0
  • SuSE SuSE Linux 8.1
    cpe:2.3:o:suse:suse_linux:8.1
  • SuSE SuSE Linux 8.2
    cpe:2.3:o:suse:suse_linux:8.2
  • SuSE SuSE Linux 9.0
    cpe:2.3:o:suse:suse_linux:9.0
  • cpe:2.3:o:suse:suse_linux:9.0:-:x86_64
    cpe:2.3:o:suse:suse_linux:9.0:-:x86_64
  • SuSE SuSE Linux 9.1
    cpe:2.3:o:suse:suse_linux:9.1
  • SuSE SuSE Linux 9.2
    cpe:2.3:o:suse:suse_linux:9.2
  • Trustix Secure Linux 1.5
    cpe:2.3:o:trustix:secure_linux:1.5
CVSS
Base: 6.9 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
  Vector: LOCAL
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
  • description Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit. CVE-2004-0940. Local exploit for linux platform
    id EDB-ID:587
    last seen 2016-01-31
    modified 2004-10-21
    published 2004-10-21
    reporter xCrZx
    source https://www.exploit-db.com/download/587/
    title Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit
  • description Apache 1.3.x mod_include Local Buffer Overflow Vulnerability. CVE-2004-0940. Local exploit for linux platform
    id EDB-ID:24694
    last seen 2016-02-02
    modified 2004-10-18
    published 2004-10-18
    reporter xCrZx
    source https://www.exploit-db.com/download/24694/
    title Apache 1.3.x mod_include Local Buffer Overflow Vulnerability
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-305-01.NASL
    description New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user. The mod_ssl package has also been upgraded to version 2.8.22_1.3.33.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 18788
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18788
    title Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache+mod_ssl (SSA:2004-305-01)
  • NASL family Web Servers
    NASL id APACHE_MOD_INCLUDE_PRIV_ESCALATION.NASL
    description The remote web server appears to be running a version of Apache that is older than version 1.3.33. This version is vulnerable to a local buffer overflow in the get_tag() function of the module 'mod_include' when a specially crafted document with malformed server-side includes is requested through an HTTP session. Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) are enabled.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 15554
    published 2004-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15554
    title Apache mod_include get_tag() Function Local Overflow
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200411-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200411-03 (Apache 1.3: Buffer overflow vulnerability in mod_include) A possible buffer overflow exists in the get_tag() function of mod_include.c. Impact : If Server Side Includes (SSI) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process by making use of a specially crafted document with malformed SSI. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 15606
    published 2004-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15606
    title GLSA-200411-03 : Apache 1.3: Buffer overflow vulnerability in mod_include
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-134.NASL
    description A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process. This could be done with a special HTML document using malformed SSI. The updated packages have been patched to prevent this problem.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 15739
    published 2004-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15739
    title Mandrake Linux Security Advisory : apache (MDKSA-2004:134)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-600.NASL
    description Updated apache and mod_ssl packages that fix various minor security issues and bugs in the Apache Web server are now available for Red Hat Enterprise Linux 2.1. The Apache HTTP Server is a powerful, full-featured, efficient, and freely-available Web server. The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. A buffer overflow was discovered in the mod_include module. This flaw could allow a local user who is authorized to create server-side include (SSI) files to gain the privileges of a httpd child (user 'apache'). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0940 to this issue. The mod_digest module does not properly verify the nonce of a client response by using a AuthNonce secret. This could allow a malicious user who is able to sniff network traffic to conduct a replay attack against a website using Digest protection. Note that mod_digest implements an older version of the MD5 Digest Authentication specification, which is known not to work with modern browsers. This issue does not affect mod_auth_digest. (CVE-2003-0987). An issue has been discovered in the mod_ssl module when configured to use the 'SSLCipherSuite' directive in a directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client is able to access that location using any cipher suite allowed by the virtual host configuration. (CVE-2004-0885). Several bugs in mod_ssl were also discovered, including : - memory leaks in SSL variable handling - possible crashes in the dbm and shmht session caches Red Hat Enterprise Linux 2.1 users of the Apache HTTP Server should upgrade to these erratum packages, which contains Apache version 1.3.27 with backported patches correcting these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 15960
    published 2004-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15960
    title RHEL 2.1 : apache, mod_ssl (RHSA-2004:600)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-594.NASL
    description Two vulnerabilities have been identified in the Apache 1.3 webserver : - CAN-2004-0940 'Crazy Einstein' has discovered a vulnerability in the 'mod_include' module, which can cause a buffer to be overflown and could lead to the execution of arbitrary code. - NO VULN ID Larry Cashdollar has discovered a potential buffer overflow in the htpasswd utility, which could be exploited when user-supplied is passed to the program via a CGI (or PHP, or ePerl, ...) program.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 15729
    published 2004-11-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15729
    title Debian DSA-594-1 : apache - buffer overflows
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD20041202.NASL
    description The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 15898
    published 2004-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15898
    title Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_APACHE_1333_MOD_INCLUDE.NASL
    description The following package needs to be updated: apache+ipv6
    last seen 2016-09-26
    modified 2011-10-03
    plugin id 15797
    published 2004-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15797
    title FreeBSD : apache mod_include buffer overflow vulnerability (11)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_6E6A6B8A2FDE11D9B3A20050FC56D258.NASL
    description There is a buffer overflow in a function used by mod_include that may enable a local user to gain privileges of a httpd child. Only users that are able to create SSI documents can take advantage of that vulnerability.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 37841
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37841
    title FreeBSD : apache mod_include buffer overflow vulnerability (6e6a6b8a-2fde-11d9-b3a2-0050fc56d258)
redhat via4
advisories
  • rhsa
    id RHSA-2004:600
  • rhsa
    id RHSA-2005:816
refmap via4
bid 11471
confirm
debian DSA-594
mandrake MDKSA-2004:134
openpkg OpenPKG-SA-2004.047
sectrack 1011783
secunia
  • 12898
  • 19073
sunalert 102197
vupen ADV-2006-0789
xf apache-modinclude-bo(17785)
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 1.3.33: http://httpd.apache.org/security/vulnerabilities_13.html
Last major update 17-10-2016 - 22:50
Published 09-02-2005 - 00:00
Last modified 10-07-2017 - 21:30