CVE-2019-10097 Exploitation Attempt

Detects Stack Buffer Overflow and Null Pointer Dereference vulnerability in RemoteIPProxyProtocol Module.

Sigma rule

```yaml
title: CVE-2019-10097 Exploitation Attempt
id: 7483816d-84fd-46b6-9a3e-8c3829aa70c6
status: experimental
description: Detects Stack Buffer Overflow and Null Pointer Dereference vulnerability in RemoteIPProxyProtocol Module.
references:
  - https://hackerone.com/reports/674540
author: Loginsoft Research Unit
date: 2020/06/17
logsource:
  product: apache
  category: webserver
detection:
  keywords:
    # vulnerable error messages
    - 'RemoteIPProxyProtocol: unknown family * in header'
    - 'RemoteIPProxyProtocol: internal error: unknown version'
    # fixed error messages
    - 'RemoteIPProxyProtocol: unsupported protocol'
    - 'RemoteIPProxyProtocol protocol header length too long'
    - 'RemoteIPProxyProtocol header too long, got * expected'
  condition: keywords
level: medium
```
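
The rule's keyword matching applied to a few log lines, as an added example that is not part of the original rule or of Sigma's own tooling. It assumes Sigma's default keyword semantics (case-insensitive substring match, `*` as wildcard); the function names are hypothetical and the log lines are constructed.

```python
import re

# Keywords copied from the rule's detection section, grouped under the
# labels the rule's own comments use ("vulnerable" / "fixed" error messages).
KEYWORDS = {
    "vulnerable": [
        "RemoteIPProxyProtocol: unknown family * in header",
        "RemoteIPProxyProtocol: internal error: unknown version",
    ],
    "fixed": [
        "RemoteIPProxyProtocol: unsupported protocol",
        "RemoteIPProxyProtocol protocol header length too long",
        "RemoteIPProxyProtocol header too long, got * expected",
    ],
}

def compile_keyword(pattern):
    """Turn a Sigma keyword into a regex: '*' matches any run of characters,
    the rest is literal; the search is unanchored and case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)

COMPILED = [(group, kw, compile_keyword(kw))
            for group, kws in KEYWORDS.items() for kw in kws]

def match_line(line):
    """Return (group, keyword) for the first keyword that hits, else None."""
    for group, kw, rx in COMPILED:
        if rx.search(line):
            return group, kw
    return None

def scan(lines):
    """Return (line_number, group, keyword) for every line the rule flags."""
    hits = ((n, match_line(l)) for n, l in enumerate(lines, 1))
    return [(n, *hit) for n, hit in hits if hit]

# Constructed sample lines (not real server output); the prefixes and the
# numeric values are made up, only the message text follows the keywords.
SAMPLE_LOG = [
    "[remoteip:error] [client 192.0.2.10:51234] RemoteIPProxyProtocol: unknown family 48 in header",
    "[core:notice] Apache configured -- resuming normal operations",
    "[remoteip:error] [client 192.0.2.11:40100] RemoteIPProxyProtocol header too long, got 600 expected 232",
    "[remoteip:error] [client 192.0.2.12:40222] remoteipproxyprotocol: unsupported protocol 17",
]

if __name__ == "__main__":
    for n, group, kw in scan(SAMPLE_LOG):
        print(f"line {n}: '{group}' message group -> {kw}")
```

Because `condition: keywords` fires on any single keyword, a hit alone does not say which group matched; keeping the group label with each hit lets an analyst see whether the message came from the rule's "vulnerable" or "fixed" list.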
