local/dn?attributes?scope?filter?extensions?ext Apache Exploits...


Transcript of local/dn?attributes?scope?filter?extensions?ext Apache Exploits...

http://localhost/re/ldap://local/dn?attributes?scope?filter?extensions?ext

Apache Exploits

http://localhost/re/ldap://local/dn?attributes?scope?filter?extensions

Apache Exploits

http://.../ldap://local/dn?attributes?scope?filter?extensions?ext

static char *escape_absolute_uri(char *, unsigned int) {
    …
    if (!strncasecmp(uri, "ldap", 4)) {
        int c = 0;
        char *token[5];
        token[0] = cp = apr_pstrdup(p, cp);
        while (*cp && c < 5) {
            if (*cp == '?') {
                token[++c] = cp + 1;
                *cp = '\0';
            }
            ++cp;
        }

Apache Exploit Code

    if (!strncasecmp(uri, "ldap", 4)) {
        int c = 0;
        char *token[5];
        token[0] = cp = apr_pstrdup(p, cp);
        while (*cp && c < 5) {
            if (*cp == '?') {
                token[++c] = cp + 1;
                *cp = '\0';
            }
            ++cp;
        }

Apache Exploit Code

Disassembled Code

loop:
    jge     end_loop
    mov     ecx, [ebp-18h]
    mov     [ebp+ecx*4-14h], eax
    jmp     loop
end_loop:
    push    offset buf_over! (00409a38)

Disassembled Code

Binary Variable

Binary Variable Example

Instrumentation

Community Learning

[Diagram labels: Apache, Apache, …; Central Management System; Constraints]

Patch (Manual)

- application of failure oblivious computing
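In the excerpt above, the loop condition `c < 5` still holds when `c` is 4, so a fifth `?` makes `token[++c]` store into `token[5]`, one slot past the end of `char *token[5]`. The block below is an added example, not the slides' or Apache's own patch: it sketches what a failure-oblivious guard on that loop could look like, where the out-of-bounds store is discarded and execution continues. The function name `split_ldap_tokens`, the `NTOKENS` macro and the `stored` out-parameter are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NTOKENS 5   /* matches char *token[5] in the slide's excerpt */

/* Splits buf in place at '?' characters, following the excerpt's loop.
 * Failure-oblivious variant: a store that would land past
 * token[NTOKENS - 1] is discarded and counted, and the loop carries on.
 * *stored receives the number of valid token slots; the return value
 * is the number of discarded stores. */
size_t split_ldap_tokens(char *buf, char *token[NTOKENS], size_t *stored)
{
    size_t c = 0, discarded = 0;
    char *cp = buf;

    token[0] = cp;
    while (*cp && c < NTOKENS) {           /* same condition as the excerpt */
        if (*cp == '?') {
            if (c + 1 < NTOKENS)
                token[c + 1] = cp + 1;     /* in-bounds store, performed */
            else
                discarded++;               /* would be token[5]: dropped */
            ++c;
            *cp = '\0';
        }
        ++cp;
    }
    *stored = (c < NTOKENS ? c : NTOKENS - 1) + 1;
    return discarded;
}

int main(void)
{
    /* Constructed input: the query part of the URL shown on the slides. */
    char uri[] = "local/dn?attributes?scope?filter?extensions?ext";
    char *token[NTOKENS];
    size_t n = 0, i;
    size_t dropped = split_ldap_tokens(uri, token, &n);

    for (i = 0; i < n; i++)
        printf("token[%zu] = %s\n", i, token[i]);
    printf("discarded out-of-bounds stores: %zu\n", dropped);
    return 0;
}
```

A non-zero return value is also a useful signal to log, since a well-formed LDAP URL never needs the sixth slot.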

Apache Exploit After Patching

http://localhost/re/ldap://local/dn?attributes?scope?filter?extensions?ext

Summary

- Implemented preliminary binary variable learning (BVL)
- Applied BVL to Apache (exploit)
- Found valid constraints
- The (manual) patch can prevent the exploit