CVE-2017-15710

Published: 26/03/2018 Updated: 15/08/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism truncates it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of fewer than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, which is quite unlikely, the process would crash, which could be used for a denial-of-service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

Vulnerable Products

apache http server 2.4.1
apache http server 2.4.2
apache http server 2.4.3
apache http server 2.4.4
apache http server 2.4.6
apache http server 2.4.7
apache http server 2.4.9
apache http server 2.4.10
apache http server 2.4.12
apache http server 2.4.16
apache http server 2.4.17
apache http server 2.4.18
apache http server 2.4.20
apache http server 2.4.23
apache http server 2.4.25
apache http server 2.4.26
apache http server 2.4.27
apache http server 2.4.28
apache http server 2.4.29
debian debian linux 7.0
debian debian linux 8.0
debian debian linux 9.0
canonical ubuntu linux 12.04
canonical ubuntu linux 14.04
canonical ubuntu linux 16.04
canonical ubuntu linux 17.10
canonical ubuntu linux 18.04
netapp santricity cloud connector
netapp storage automation store
netapp storagegrid
netapp clustered data ontap
redhat enterprise linux 6.0
redhat enterprise linux 7.0
redhat enterprise linux 7.4
redhat enterprise linux 7.5
redhat enterprise linux 7.6

Vendor Advisories

Synopsis: Moderate: httpd security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System ...
Several security issues were fixed in Apache ...
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to trunc ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for JBoss Core Services on RHEL 6 and RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common ...
Several security issues were fixed in the Apache HTTP Server ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP1 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services Pack Apache Server 2.4.29 Service Pack 1 packages for Microsoft Windows and Oracle Solaris are now available. Red Hat Product Security has ...
Several security issues were fixed in the Apache HTTP Server ...
IBM Security SiteProtector System has addressed the following vulnerabilities in Apache HTTP Server ...
Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-15710: Alex Nichols and Jakob Hirsch reported that mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, could cause an out-of-bounds write if supplied with a crafted Accept-Language header. This could potentially be used for a Denial of Service attack ...
Synopsis: Moderate: httpd24 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of ...
Arch Linux Security Advisory ASA-201804-4. Severity: Medium. Date: 2018-04-04. CVE-ID: CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301 CVE-2018-1302 CVE-2018-1303 CVE-2018-1312. Package: apache. Type: multiple issues. Remote: Yes. Link: security.archlinux.org/AVG-664 ...
Summary: In Apache httpd, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a q ...
Use-after-free on HTTP/2 stream shutdown. When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations; the reporter and the team ...
Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker can obtain sensitive information, bypass intended security restrictions, modify session information in CGI applications, replay authenticated HTTP requests, and cause denial of service ...
Oracle Solaris Third Party Bulletin - April 2018. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical ...
Tenable.sc leverages third-party software to help provide underlying functionality. Three separate third-party components (OpenSSL, Apache HTTP Server, SimpleSAMLphp) were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to upgrade the bun ...

Github Repositories

medium difficulty my ass

DevGuru Writeup. Credits: Zayotic. [ Task 1 ] - user.txt. First run an n̶m̶a̶p̶ rustscan* scan. Scan Output: PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: -- snip -- 80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu)) |_http-generator: DevGuru | http-gi

Slackbot to automate ad-hoc scanning and reporting in InsightVM.

InsightVM Slack Bot (InsightVM_slackbot). Slackbot to automate ad-hoc scanning and reporting in InsightVM. In Slack, simply send a message like @insightvm_bot scan 1921811 and see the bot schedule the scan, run it, and report back the results. You can also just set up a direct chat with the bot if you don't want to spam your channel. Use the same syntax to schedule a s

medium difficulty my ass

DevGuru Writeup. Credits: Zayotic. [ Task 1 ] - user.txt. First run an nmap scan ᵃⁿᵍʳʸ ᵐᵃⁿ ʷᵃⁿᵗ ᵐᵉ ᵗᵒ ᵘˢᵉ ⁿᵐᵃᵖ. Scan Output: PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: -- snip -- 80/tcp open http syn-ack ttl 61 Apache httpd

Red-Team-vs-Blue-Team. NETWORK TOPOLOGY. RED TEAM Penetration Test. EXPLOITATION. Discover target IP: To discover the target ip: netdiscover -r p1 p2. 192.168.1.1 is the gateway ip, from Hyper-V. 192.168.1.100 is the ELK server. 192.168.1.105 is the target machine. Service and version scan: nmap -sV -v 192.168.1.105. Port 22 – SSH - with OpenSSH 7.6p1. Port 80 – HTTP - with