Overview Of Common Vulnerabilities And Exposures Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Vulnerability is a programming mistake that can be used to harm or misuse a computer system. The term harm may mean allowing access and/or data modification without proper security authentication. However it not limited only to unsecure access. The term can also refer to any problematic condition in computer system that can cause one or more of the following:

A user can impersonate as any other user

A user can violate data restrictions as imposed by security access

A user can execute commands as some other user or execute commands that are not authorized.

A user can bring down the services offered and create denial of service.

Some issues can be caused by configuration mistakes. These types of errors are not programming mistakes as in case of vulnerability. These are called exposures. Exposure is not vulnerability but a mistake that can be exploited in one or more of the following ways:

A user can access information that is beyond the access level defined for him.

A user can enter the system without authentication or using improper authentication.

A user can breach the security at any level of the system.

A user can compromise the security altogether by reconfiguring the security setup.

A list of such vulnerabilities and exposures is maintained by MITRE Corporation. MITRE Corporation takes assistance from CVE editorial board it constitutes. CVE-2010-3872 is part of this list.

Any user or developer can submit an issue as a vulnerability or exposure. CVE editorial board then reviews the submission and updates the published list online. As given by CVE database CVE 2010-3872 is still in under review status. It means that this particular CVE is yet to be accepted by the CVE Editorial Board as vulnerability. CWE, Common weakness Enumeration, ID for CVE-2010-3872 is CWE-189. CWE-189 stands for numeric error that can be caused by integer overflow, stack overflow, or any other error that can be caused when handling numbers.

What is CVE-2010-3872?

CVE-2010-3872 is programming error identified by Edgar Frank in Apache's fast CGI application implementation. Fast CGI is faster version of CGI, common gate way interface. CGI provides a standard way of generating dynamic contents in a web based system. Dynamic content means the output displayed by web based system is decided at the run time conditionally based on the inputs provided by the user. For example a web page will display user preferences based on the user id of the logged in user. Generating dynamic contents meant that a program needs to be executed after the user inputs his preferences and this program will take user inputs, user id in the above case, and generate data that matches the input, in this case user preferences. The results of the program are then passed back to the browser. Apache has written HTTP server software. This HTTP server accepts browser requests over the internet and returns the results back to the users. However it can only return the static content. In order to allow scripts generating dynamic data to be executed safely at the HTTP server a CGI application was written. CGI allowed HTTP server to execute scripts that generated data at the runtime based on the user input. Every time user requested data the script would be called, executed and results would be returned to the browser. However it was soon realized that this had significant performance bottleneck. User requests came in frequently and each time the script was loaded into the memory and executed. Apache then implemented a better version of CGI called fast CGI. This fast CGI application loaded a particular number of copies of the script into the memory and every time user requested for the data the script that was already present in the memory was used to get the required data. This was significantly faster than loading the script each time. After serving the request for a particular user, a script then remains loaded in the memory in order to accept requests from other users. This project was called mod_fcgi project by Apache. However while implementing fast CGI there was a programming error, mod_fcgid release versions prior to 2.3.6, in fcgid_bucket.c, part of mod_fcgid code base, that could lead to potentially harmful results. This coding error can be exploited locally or remotely by executing untrusted CGI scripts. This defect is identified as CVE-2010-3872. The description of this CVE as found in the CVE database is:

"The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytewise pointer arithmetic in certain circumstances, which has unknown impact and attack vectors related to "untrusted FastCGI applications" and a "stack buffer overwrite."

What is the status and severity of CVE-2010-3872?

CVE review board has kept this vulnerability under review as on 27 March, 2011. The severity of CVE-2010-3872 is P2.

What is CVSS score for CVE-2010-3872?

CVSS, common vulnerability scoring system, is an open framework for standardizing the nature and impact of a vulnerability. CVSS score is identified based on three groups namely base, temporal and environmental. Each severity is evaluated in these groups to produce a numeric value in the range 0-10 and a vector that is textual representation of the score obtained. Base group gives the hidden qualities of the vulnerability, temporal group defines the qualities of the vulnerability that may change over time, and environmental qualities try to define specific environmental attributes that affect the vulnerability.

The CVSS score for CVE-2010-3872 vulnerability is 7.2. To determine a base score for any vulnerability following parameters are used:

Exploitability Matrices:

Related exploit range (Access Vector): Access vector defines how a complexity can be exploited. Three possible values for this vector are Local, Adjacent network and Network. Local means the vulnerability can only be exploited locally by using a shell account on the machine or by having physical access to the machine. Adjacent network means attacker needs access to broadcast or collision domain. Any vulnerability that can be remotely exploited falls under category Network. For CVE-2010-3872 Access Vector value is 'Local'.

Attack Complexity (Access Complexity): Access complexity tries to identify the complexity involved in exploiting the vulnerability. It has three possible values high, medium, and low. High value means attacker needs specialized access conditions. Medium access complexity means access conditions are specialized but not rare. And low access complexity means no specialized access conditions are required. For CVE-2010-3872 Attack Complexity is 'Low'. Some example of Low access complexity can be given as:

System allows anonymous or untrusted access using which attacker can access the system without any privileges.

System configurations are common and very easy to be understood and attacked.

very little knowledge or skill is required to exploit the vulnerability

very common and winnable race condition.

Level of Authentication (Authentication): This vector identifies the number of times the user must authenticate before he can exploit the vulnerability. The three possible values for the vector are multiple, single and none. Multiple indicates that the attacker needs to authenticate twice or more number times in order to gain access. Once indicates attacker needs to authenticate only once. And as for CVE-2010-3872, authentication level 'None' means no authentication is required to exploit this vulnerability.

Impact Matrices

Confidentiality Impact (ConfImpact): This vector identifies the impact on confidentiality. Confidentiality means limiting information access and disclosure to only authorized user. The three possible values for the vector are None, Partial and Complete. None suggests that there is no impact on confidentiality. The partial impact means attacker obtains substantial information however he does not have control over the information that is obtained. Complete impact means there is total information disclosure. Attacker is able all the system information. For CVE-2010-3872 this is 'Complete'.

Integrity impact (IntegImpact): This vector identifies the effect on the data of the system i.e. whether the trustworthiness of the data has been compromised or not. Three possible values for this vector are none, partial and complete. None indicates that there is no impact on the integrity of the system. Partial indicates that modification of system files or information is possible however the attacker does not have the control over what he can modify. And complete indicates that there is total loss of integrity. Attacker can modify any files on the system. For CVE-2010-3872 value of this vector is 'Complete'.

Availability Impact (AvailImpact): Availability refers to accessibility of the information i.e. whether the information is accessible in a way similar to the way before the attack. Three possible values for this vector are none, partial and complete. None means there is no impact on availability. Partial means there is reduced performance of the system or the system is available with interruptions. And complete means there is total shutdown of the resources and the particular system is completely unavailable. For CVE-2010-3872 this is 'Complete'.

As mentioned earlier this vulnerability is due to an error in the programming and especially in boundary condition. As this boundary condition exists in all the available configurations and platform the threat level of this vulnerability is independent of platform.

Technical details

First it is important to setup up apache server to work with fast CGI. To do that, allow CGI execution on Apache web server. Allow this by defining options directive inside the main server configuration file:

<Directory /usr/local/apache2/htdocs/somedir>

Options +ExecCGI


Defining ExecCGI option will all execution of cgi files present in the default cgi directory of the Apache web server. However server will still not able to identify what CGI file means. To allow server to identify a file s as a cgi file use addHandler directive which tells the server what configuration files mean, i.e. what is the extension for the cgi file. Here is an example of the addHandler directive:

AddHandler cgi-script .cgi .pl

For a program to be accessed using FastCGI protocol, the program needs to be assigned fcgid-script handler. Once a program is assigned to FastCGI protocol, fastCGI server creates fixed number of instances of this program into the memory. These instances continue to serve one request after another. These instances share the resources available on the server amongst themselves. As these resources are limited it is important that the system administrator configures number of initial instances created optimally to serve number of simultaneous requests and total available resources. A sample fast cgi application may look like this, complete details are available at Apache Module mod_fcgid:


Perl FastCGI application - /usr/local/apache/fcgi-bin/foo.pl


use CGI::Fast;

while (my $q = CGI::Fast->new) {

print("Content-Type: text/plain\n\n");

foreach $var (sort(keys(%ENV))) {

$val = $ENV{$var};

$val =~ s|\n|\\n|g;

$val =~ s|"|\\"|g;

print "${var}=\"${val}\"\n";




The configuration directive to help execute this program:


<Directory /usr/local/apache/fcgi-bin/>

SetHandler fcgid-script

Options +ExecCGI

# Customize the next two directives for your requirements.

Order allow,deny

Allow from all



Edgar Frank point out that the problematic code is present at /httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bucket.c. He could identify this issue while testing the boundary conditions of the header value in the following code. Edgar pointed out the exact location of the problem of the source when he filed the bug 49406 in ASF Bugzilla, this is bug reporting system for Apache Servers, link for this provided in the references section. The fix to the problem, as mentioned by Edgar in his bug report, requires minor code change which was duly addressed by Apache in its release 2.3.6. The problematic code and the fix are described below.

Here is the part of fcgid_bucket.c code:


static apr_status_t fcgid_header_bucket_read(apr_bucket * b,

const char **str,

apr_size_t * len,

apr_read_type_e block)


fcgid_bucket_ctx *ctx = (fcgid_bucket_ctx *) b->data;

apr_status_t rv;

apr_size_t hasread, bodysize;

FCGI_Header header;

apr_bucket *curbucket = b;


/* Initialize header */

putsize = fcgid_min(bufferlen, sizeof(header) - hasread);

memcpy(&header + hasread, buffer, putsize);

memcpy((char*)(&header) + hasread, buffer, putsize);

hasread += putsize;


return apr_bucket_read(b, str, len, APR_BLOCK_READ);



Note: Use references to get the base location of the code. From base location of Apache-SVN source navigate to /httpd/mod_fcgid/trunk/modules/fcgid/ package to view fcgid_bucket.c source file. Check references for Apache-SVN location.

Variable hasread in function fcgid_header_bucket_read is present to prevent copying the bytes in the header that have already been read. This variable is incremented after every memcpy operation. memcpy operation (red line) uses pointer addition incorrectly. hasread is of type apr_size_t hence pointer to the variable header should be typecasted to char to get the desired location. The way code was written causes problems with the size of buffer for header when variable hasread is not zero. As buffer size is determined by the putsize which is equal to the size of the header, the incorrect pointer arithmetic will result in memory usage beyond the allocated memory and as a result heap will be trashed and segment fault will occur; this may even result in server crash.

How to exploit this vulnerability?

Practically there is no exploit available as this is a boundary condition and cannot be exploited every single time under the same circumstances. Understanding of the problem mentioned in the CVE does guide towards a probable way in which this vulnerability can be exploited. An observable result will be obtained only when the value of variable hasread, refer to the code snippet above, is large enough to cause stackoverflow or bufferoverflow exception. Stackover flow occurs when program tries to use (either read or write) more memory than initially allotted for the stack, a consecutive set of memory locations.

Generic steps that can be followed to reproduce the issue are as follows:

Configure apache to work with FastCGI application.

Execute external user script using above configuration. External user script should generate some data that user wants to pass back to the browser.

Script should return dynamic content with proper header information.


Here is the list of products affected by this vulnerability.

Red Hat Fedora 14

Red Hat Fedora 13

Red Hat Fedora 12

Debian Linux 5.0 sparc

Debian Linux 5.0 s/390

Debian Linux 5.0 powerpc

Debian Linux 5.0 mipsel

Debian Linux 5.0 mips

Debian Linux 5.0 m68k

Debian Linux 5.0 ia-64

Debian Linux 5.0 ia-32

Debian Linux 5.0 hppa

Debian Linux 5.0 armel

Debian Linux 5.0 arm

Debian Linux 5.0 amd64

Debian Linux 5.0 alpha

Debian Linux 5.0

Apache Software Foundation mod_fcgid 2.3.5 

Apache Software Foundation mod_fcgid 2.3.4 

Apache Software Foundation mod_fcgid 2.3.3

The fix was address in 2.3.6 release of Apache. Upgrading software to this release should solve the problem. For other platforms please refer to the documentation of each platform to get the release version and upgrade instructions.


This exercise of identifying and understanding tends to help one understand the importance of the CVE database. End users of the system will never be able to understand the reason behind an attack carried out exploiting such vulnerability. On the other hand knowledge of such vulnerability not only helps in understanding the reason behind a possible attack but prevent the attack altogether. As in the case of CVE-2010-3872 simply upgrading to the latest version of the software will resolve the issue.