ID CVE-2010-0425
Summary modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.3.0
    cpe:2.3:a:apache:http_server:2.3.0
  • Apache Software Foundation Apache HTTP Server 2.3.1
    cpe:2.3:a:apache:http_server:2.3.1
  • Apache Software Foundation Apache HTTP Server 2.3.2
    cpe:2.3:a:apache:http_server:2.3.2
  • Apache Software Foundation Apache HTTP Server 2.3.3
    cpe:2.3:a:apache:http_server:2.3.3
  • Apache Software Foundation Apache HTTP Server 2.3.4
    cpe:2.3:a:apache:http_server:2.3.4
  • Apache Software Foundation Apache HTTP Server 2.3.5
    cpe:2.3:a:apache:http_server:2.3.5
  • Apache Software Foundation Apache HTTP Server 2.3.6
    cpe:2.3:a:apache:http_server:2.3.6
  • Microsoft Windows
    cpe:2.3:o:microsoft:windows
  • Apache Software Foundation Apache HTTP Server 2.0.9a
    cpe:2.3:a:apache:http_server:2.0.9
  • Apache Software Foundation Apache HTTP Server 2.0.28
    cpe:2.3:a:apache:http_server:2.0.28
  • Apache Software Foundation Apache HTTP Server 2.0.28 Beta
    cpe:2.3:a:apache:http_server:2.0.28:beta
  • Apache Software Foundation Apache HTTP Server 2.0.32
    cpe:2.3:a:apache:http_server:2.0.32
  • Apache Software Foundation Apache HTTP Server 2.0.32 Beta
    cpe:2.3:a:apache:http_server:2.0.32:beta
  • Apache Software Foundation Apache HTTP Server 2.0.34 Beta
    cpe:2.3:a:apache:http_server:2.0.34:beta
  • Apache Software Foundation Apache HTTP Server 2.0.35
    cpe:2.3:a:apache:http_server:2.0.35
  • Apache Software Foundation Apache HTTP Server 2.0.36
    cpe:2.3:a:apache:http_server:2.0.36
  • Apache Software Foundation Apache HTTP Server 2.0.37
    cpe:2.3:a:apache:http_server:2.0.37
  • Apache Software Foundation Apache HTTP Server 2.0.38
    cpe:2.3:a:apache:http_server:2.0.38
  • Apache Software Foundation Apache HTTP Server 2.0.39
    cpe:2.3:a:apache:http_server:2.0.39
  • Apache Software Foundation Apache HTTP Server 2.0.40
    cpe:2.3:a:apache:http_server:2.0.40
  • Apache Software Foundation Apache HTTP Server 2.0.41
    cpe:2.3:a:apache:http_server:2.0.41
  • Apache Software Foundation Apache HTTP Server 2.0.42
    cpe:2.3:a:apache:http_server:2.0.42
  • Apache Software Foundation Apache HTTP Server 2.0.43
    cpe:2.3:a:apache:http_server:2.0.43
  • Apache Software Foundation Apache HTTP Server 2.0.44
    cpe:2.3:a:apache:http_server:2.0.44
  • Apache Software Foundation Apache HTTP Server 2.0.45
    cpe:2.3:a:apache:http_server:2.0.45
  • Apache Software Foundation Apache HTTP Server 2.0.46
    cpe:2.3:a:apache:http_server:2.0.46
  • Apache Software Foundation Apache HTTP Server 2.0.47
    cpe:2.3:a:apache:http_server:2.0.47
  • Apache Software Foundation Apache HTTP Server 2.0.48
    cpe:2.3:a:apache:http_server:2.0.48
  • Apache Software Foundation Apache HTTP Server 2.0.49
    cpe:2.3:a:apache:http_server:2.0.49
  • Apache Software Foundation Apache HTTP Server 2.0.50
    cpe:2.3:a:apache:http_server:2.0.50
  • Apache Software Foundation Apache HTTP Server 2.0.51
    cpe:2.3:a:apache:http_server:2.0.51
  • Apache Software Foundation Apache HTTP Server 2.0.52
    cpe:2.3:a:apache:http_server:2.0.52
  • Apache Software Foundation Apache HTTP Server 2.0.53
    cpe:2.3:a:apache:http_server:2.0.53
  • Apache Software Foundation Apache HTTP Server 2.0.54
    cpe:2.3:a:apache:http_server:2.0.54
  • Apache Software Foundation Apache HTTP Server 2.0.55
    cpe:2.3:a:apache:http_server:2.0.55
  • Apache Software Foundation Apache HTTP Server 2.0.56
    cpe:2.3:a:apache:http_server:2.0.56
  • Apache Software Foundation Apache HTTP Server 2.0.57
    cpe:2.3:a:apache:http_server:2.0.57
  • Apache Software Foundation Apache HTTP Server 2.0.58
    cpe:2.3:a:apache:http_server:2.0.58
  • Apache Software Foundation HTTP Server 2.0.59
    cpe:2.3:a:apache:http_server:2.0.59
  • Apache Software Foundation Apache HTTP Server 2.0.60 dev
    cpe:2.3:a:apache:http_server:2.0.60
  • Apache Software Foundation HTTP Server 2.0.61
    cpe:2.3:a:apache:http_server:2.0.61
  • Apache Software Foundation Apache HTTP Server 2.0.63
    cpe:2.3:a:apache:http_server:2.0.63
  • Microsoft Windows
    cpe:2.3:o:microsoft:windows
  • Apache Software Foundation Apache HTTP Server
    cpe:2.3:a:apache:http_server
  • Apache Software Foundation Apache HTTP Server 2.2.0
    cpe:2.3:a:apache:http_server:2.2.0
  • Apache Software Foundation Apache HTTP Server 2.2.1
    cpe:2.3:a:apache:http_server:2.2.1
  • Apache Software Foundation Apache HTTP Server 2.2.2
    cpe:2.3:a:apache:http_server:2.2.2
  • Apache Software Foundation Apache HTTP Server 2.2.3
    cpe:2.3:a:apache:http_server:2.2.3
  • Apache Software Foundation Apache HTTP Server 2.2.4
    cpe:2.3:a:apache:http_server:2.2.4
  • Apache Software Foundation Apache HTTP Server 2.2.6
    cpe:2.3:a:apache:http_server:2.2.6
  • Apache Software Foundation Apache HTTP Server 2.2.7
    cpe:2.3:a:apache:http_server:2.2.7
  • Apache Software Foundation Apache HTTP Server 2.2.8
    cpe:2.3:a:apache:http_server:2.2.8
  • Apache Software Foundation Apache HTTP Server 2.2.9
    cpe:2.3:a:apache:http_server:2.2.9
  • Apache Software Foundation Apache HTTP Server 2.2.10
    cpe:2.3:a:apache:http_server:2.2.10
  • Apache Software Foundation Apache HTTP Server 2.2.11
    cpe:2.3:a:apache:http_server:2.2.11
  • Apache Software Foundation Apache HTTP Server 2.2.12
    cpe:2.3:a:apache:http_server:2.2.12
  • Apache Software Foundation Apache HTTP Server 2.2.13
    cpe:2.3:a:apache:http_server:2.2.13
  • Apache Software Foundation Apache HTTP Server 2.2.14
    cpe:2.3:a:apache:http_server:2.2.14
  • Microsoft Windows
    cpe:2.3:o:microsoft:windows
CVSS
Base: 10.0 (as of 08-03-2010 - 08:53)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
  • description Write-to-file Shellcode (Win32). CVE-2010-0425. Shellcode exploits for multiple platform
    id EDB-ID:14288
    last seen 2016-02-01
    modified 2010-07-09
    published 2010-07-09
    reporter Brett Gervasoni
    source https://www.exploit-db.com/download/14288/
    title Write-to-file Shellcode Win32
  • description Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit. CVE-2010-0425. Remote exploit for windows platform
    id EDB-ID:11650
    last seen 2016-02-01
    modified 2010-03-07
    published 2010-03-07
    reporter Brett Gervasoni
    source https://www.exploit-db.com/download/11650/
    title Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit
metasploit via4
description This module triggers a use-after-free vulnerability in the Apache Software Foundation mod_isapi extension for versions 2.2.14 and earlier. In order to reach the vulnerable code, the target server must have an ISAPI module installed and configured. By making a request that terminates abnormally (either an aborted TCP connection or an unsatisfied chunked request), mod_isapi will unload the ISAPI extension. Later, if another request comes for that ISAPI module, previously obtained pointers will be used, resulting in an access violation or potentially arbitrary code execution. Although arbitrary code execution is theoretically possible, a real-world method of invoking this consequence has not been proven. In order to do so, one would need to find a situation where a particular ISAPI module loads at an image base address that can be re-allocated by a remote attacker. Limited success was encountered using two separate ISAPI modules. In this scenario, a second ISAPI module was loaded into the same memory area as the previously unloaded module.
id MSF:AUXILIARY/DOS/HTTP/APACHE_MOD_ISAPI
last seen 2019-03-13
modified 2017-07-24
published 2010-03-08
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/apache_mod_isapi.rb
title Apache mod_isapi Dangling Pointer
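The sequence in the module description above (a request that terminates abnormally, an immediate unload of the ISAPI extension, and a later request that uses the pointers captured before the unload, with a second ISAPI module possibly landing where the first was mapped) and the fix the vendor advisories describe (do not unload the .dll until request processing is complete) are easiest to see side by side in a small model. The following C program is an added example written for this page, not code from mod_isapi, from the Metasploit module or from any of the listed exploits. The slot pool, the request context and every function name in it (isapi_load, isapi_unload_now, the vuln_* and fixed_* paths, the in_flight counter) are constructions for the example: a reused pool slot stands in for a DLL image base being reused after an unload, and nothing in the program dereferences freed memory, so it runs cleanly while still showing which code ends up executing.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 2

/* Entry point of a stand-in ISAPI extension; returns the extension's name. */
typedef const char *(*ext_proc_t)(void);

typedef struct {
    int loaded;
    int in_flight;       /* requests still being processed (fixed path only) */
    int unload_pending;  /* abnormal termination asked for an unload while busy */
    const char *name;
    ext_proc_t entry;
} isapi_slot;

/* Fixed pool of module slots. A later load reuses a freed slot, standing in
 * for a second DLL mapped at the image base the unloaded one used to occupy. */
static isapi_slot pool[MAX_SLOTS];

/* Two constructed stand-in extensions (not real ISAPI DLLs). */
static const char *victim_proc(void)   { return "victim.dll"; }
static const char *intruder_proc(void) { return "intruder.dll"; }

static void isapi_unload_now(isapi_slot *s) {
    s->loaded = 0; s->in_flight = 0; s->unload_pending = 0;
    s->name = NULL; s->entry = NULL;           /* slot is reusable from here on */
}

static void pool_reset(void) {
    for (int i = 0; i < MAX_SLOTS; i++) isapi_unload_now(&pool[i]);
}

/* Load into the first free slot; NULL if the pool is full. */
static isapi_slot *isapi_load(const char *name, ext_proc_t entry) {
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (!pool[i].loaded) {
            pool[i].loaded = 1; pool[i].name = name; pool[i].entry = entry;
            pool[i].in_flight = 0; pool[i].unload_pending = 0;
            return &pool[i];
        }
    }
    return NULL;
}

/* Per-request context: the module pointer a callback captured at request start. */
typedef struct { isapi_slot *mod; } request_ctx;

static void request_start(request_ctx *r, isapi_slot *m) { r->mod = m; m->in_flight++; }

/* ---- Vulnerable ordering (2.2.14 and earlier): unload on abnormal termination ---- */

/* A reset packet or an unsatisfied chunked body makes the server unload the
 * module at once, although this request's context still points at it. */
static void vuln_on_abort(request_ctx *r) { isapi_unload_now(r->mod); }

/* When the orphaned request is later driven to completion, the stale pointer is used as-is. */
static const char *vuln_finish(request_ctx *r) {
    if (r->mod->entry == NULL) return "access violation"; /* code no longer mapped */
    return r->mod->entry();                               /* whatever now occupies the slot runs */
}

/* ---- Fixed ordering (2.0.64 / 2.2.15): unload only after request processing completes ---- */

static void fixed_on_abort(request_ctx *r) { r->mod->unload_pending = 1; }

static const char *fixed_finish(request_ctx *r) {
    isapi_slot *m = r->mod;
    const char *ran = m->entry();              /* still the module this request started with */
    if (--m->in_flight == 0 && m->unload_pending)
        isapi_unload_now(m);                   /* nothing references the slot any more */
    return ran;
}

/* Abort, load a second extension, then complete the orphaned request.
 * Returns the name of the code that actually ran. */
const char *vuln_scenario_with_reuse(void) {
    pool_reset();
    request_ctx r;
    request_start(&r, isapi_load("victim.dll", victim_proc));
    vuln_on_abort(&r);                             /* victim's slot freed */
    isapi_load("intruder.dll", intruder_proc);     /* lands in the same slot */
    return vuln_finish(&r);                        /* "intruder.dll" */
}

/* Same abort with no second module: the stale pointer hits unmapped code. */
const char *vuln_scenario_no_reuse(void) {
    pool_reset();
    request_ctx r;
    request_start(&r, isapi_load("victim.dll", victim_proc));
    vuln_on_abort(&r);
    return vuln_finish(&r);                        /* "access violation" */
}

const char *fixed_scenario_with_reuse(void) {
    pool_reset();
    request_ctx r;
    request_start(&r, isapi_load("victim.dll", victim_proc));
    fixed_on_abort(&r);                            /* deferred: slot still held */
    isapi_load("intruder.dll", intruder_proc);     /* goes to a different slot */
    return fixed_finish(&r);                       /* "victim.dll" */
}

/* After the fixed scenario the victim must be unloaded and the intruder still loaded. */
int fixed_unloads_after_last_request(void) {
    fixed_scenario_with_reuse();
    return !pool[0].loaded && pool[1].loaded && strcmp(pool[1].name, "intruder.dll") == 0;
}

int main(void) {
    printf("vulnerable, slot reused : %s\n", vuln_scenario_with_reuse());
    printf("vulnerable, no reuse    : %s\n", vuln_scenario_no_reuse());
    printf("fixed, slot reused      : %s\n", fixed_scenario_with_reuse());
    printf("fixed unloads afterwards: %d\n", fixed_unloads_after_last_request());
    return 0;
}
```

Build with any C99 compiler and run it. The vulnerable path ends either in the second module's code running or in the stand-in for an access violation, which are the two outcomes the module description lists; the fixed path keeps the module mapped until the request that still holds its pointers has finished, and only then unloads it. The in_flight counter is this model's own device for expressing "request processing is complete"; the advisory text says only that the .dll is no longer unloaded until processing completes, not how the real module tracks that.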
nessus via4
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-067-01.NASL
    description New httpd packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix security issues. mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [This is the most serious flaw, but does not affect Linux systems]
    last seen 2019-02-21
    modified 2016-01-27
    plugin id 45007
    published 2010-03-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45007
    title Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : httpd (SSA:2010-067-01)
  • NASL family Web Servers
    NASL id APACHE_2_0_64.NASL
    description According to its banner, the version of Apache 2.0.x running on the remote host is prior to 2.0.64. It is, therefore, affected by the following vulnerabilities : - An unspecified error exists in the handling of requests without a path segment. (CVE-2010-1452) - Several modules, including 'mod_deflate', are vulnerable to a denial of service attack as the server can be forced to utilize CPU time compressing a large file after client disconnect. (CVE-2009-1891) - An unspecified error exists in 'mod_proxy' related to filtration of authentication credentials. (CVE-2009-3095) - A NULL pointer dereference issue exists in 'mod_proxy_ftp' in some error handling paths. (CVE-2009-3094) - An error exists in 'mod_ssl' making the server vulnerable to the TLS renegotiation prefix injection attack. (CVE-2009-3555) - An error exists in the handling of subrequests such that the parent request headers may be corrupted. (CVE-2010-0434) - An error exists in 'mod_proxy_http' when handling excessive interim responses making it vulnerable to a denial of service attack. (CVE-2008-2364) - An error exists in 'mod_isapi' that allows the module to be unloaded too early, which leaves orphaned callback pointers. (CVE-2010-0425) - An error exists in 'mod_proxy_ftp' when wildcards are in an FTP URL, which allows for cross-site scripting attacks. (CVE-2008-2939) Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 50069
    published 2010-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50069
    title Apache 2.0.x < 2.0.64 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2907-1.NASL
    description This update for apache2 fixes the following issues : - Allow disabling SNI on proxy connections using 'SetEnv proxy-disable-sni 1' in the configuration files. (bsc#1052830) - Allow ECDH again in mod_ssl, it had been incorrectly disabled with the 2.2.34 update. (bsc#1064561) Following security issue has been fixed : - CVE-2017-9798: A use-after-free in the OPTIONS command could be used by attackers to disclose memory of the apache server process, when htaccess uses incorrect Limit statement. (bsc#1058058) Additionally, references to the following security issues, fixed by the previous version-update of apache2 to Apache HTTPD 2.2.34 have been added : - CVE-2017-7668: The HTTP strict parsing introduced a bug in token list parsing, which allowed ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may have been able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. (bsc#1045061) - CVE-2017-3169: mod_ssl may have de-referenced a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port allowing for DoS. (bsc#1045062) - CVE-2017-3167: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may have led to authentication requirements being bypassed. (bsc#1045065) - CVE-2017-7679: mod_mime could have read one byte past the end of a buffer when sending a malicious Content-Type response header. (bsc#1045060) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 104270
    published 2017-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104270
    title SUSE SLES11 Security Update : apache2 (SUSE-SU-2017:2907-1) (Optionsbleed)
  • NASL family Web Servers
    NASL id ORACLE_HTTP_SERVER_CPU_JUL_2013.NASL
    description According to its banner, the version of Oracle HTTP Server installed on the remote host is potentially affected by multiple vulnerabilities. Note that Nessus did not verify if patches or workarounds have been applied.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 69301
    published 2013-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69301
    title Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities
  • NASL family Web Servers
    NASL id APACHE_2_2_15.NASL
    description According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.15. It is, therefore, potentially affected by multiple vulnerabilities : - A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555) - The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408) - The 'mod_isapi' module attempts to unload the ISAPI .dll when it encounters various error states, which could leave callbacks in an undefined state. (CVE-2010-0425) - A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434) - Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 45004
    published 2010-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45004
    title Apache 2.2.x < 2.2.15 Multiple Vulnerabilities
oval via4
accepted 2014-07-14T04:01:29.593-04:00
class vulnerability
contributors
  • name J. Daniel Brown
    organization DTCC
  • name Mike Lah
    organization The MITRE Corporation
  • name Shane Shaffer
    organization G2, Inc.
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
comment Apache HTTP Server 2.2.x is installed on the system
oval oval:org.mitre.oval:def:8550
description modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."
family windows
id oval:org.mitre.oval:def:8439
status accepted
submitted 2010-03-08T17:30:00.000-05:00
title Apache 'mod_isapi' Memory Corruption Vulnerability
version 11
packetstorm via4
data source https://packetstormsecurity.com/files/download/86964/pwn-isapi.cpp.txt
id PACKETSTORM:86964
last seen 2016-12-05
published 2010-03-06
reporter Brett Gervasoni
source https://packetstormsecurity.com/files/86964/Apache-2.2.14-mod_isapi-Remote-SYSTEM-Exploit.html
title Apache 2.2.14 mod_isapi Remote SYSTEM Exploit
refmap via4
aixapar
  • PM09447
  • PM12247
bid 38494
cert-vn VU#280613
confirm
misc http://www.senseofsecurity.com.au/advisories/SOS-10-002
mlist [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues
sectrack 1023701
secunia
  • 38978
  • 39628
vupen
  • ADV-2010-0634
  • ADV-2010-0994
xf apache-http-modisapi-ocp-unspecified(56624)
Last major update 17-07-2013 - 12:12
Published 05-03-2010 - 14:30
Last modified 30-10-2018 - 12:25