Apache ExploitsApache Exploitshttp://localhost/re/ldap://local/dn?attributes?scope?filter?

extenslsionshttp://localhost/re/ldap://local/dn?attributes?scope?filter?

extenslsions?ext

Apache ExploitsApache Exploits

http://.../ldap://local/dn?attributes?scope?filter?extenslsions?ext

static char *escape_absolute_uri(char *, unsigned int) {…if (!strncasecmp(uri, "ldap", 4)) { int c = 0; char *token[5]; token[0] = cp = apr_pstrdup(p, cp); while (*cp && c < 5) { if (*cp == '?') { token[++c] = cp + 1; *cp = '\0'; } ++cp; }

Apache ExploitsApache Exploits

if (!strncasecmp(uri, "ldap", 4)) { int c = 0; char *token[5]; token[0] = cp = apr_pstrdup(p, cp); while (*cp && c < 5) { if (*cp == '?') { token[++c] = cp + 1; *cp = '\0'; } ++cp; }

Apache ExploitsApache Exploits

Binary VariableBinary Variable

loop: jge     end_loop mov     ecx,dword ptr [ebp-18h] mov    dword ptr [ebp+ecx*4-14h], eax jmp     loopend_loop:  push    offset buf_over! (00409a38)

Binary VariableBinary Variable

Binary VariableBinary Variable

Binary VariableBinary Variable

Base Source

IndexIndex

Offset

Binary VariableBinary Variable

Community LearningCommunity Learning

ApacheApache

CMS

ApacheApache ApacheApache

……

Invariants Invariants

Invariants

..escape_absolute_uri(char *, unsigned int):::ENTER_4010A5

  binary_var <= 4 binary_var>= 1

Patch (Manual)Patch (Manual)

ConclusionsConclusionsImplemented preliminary binary

variable learning (BVL)Generated valid invariantsApplied BVL to Apache and its

exploitsShowed the(manual) patch can

prevent the exploit