ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
Hans Zaunere
zaunere at yahoo.com
Mon Jun 17 13:15:42 EDT 2002
FYI...
> Internet Security Systems Security Advisory
> June 17, 2002
>
> Remote Compromise Vulnerability in Apache HTTP Server
>
> Synopsis:
>
> ISS X-Force has discovered a serious vulnerability in the default
> version of Apache HTTP Server. Apache is the most popular Web server and
> is used on over half of all Web servers on the Internet. It may be
> possible for remote attackers to exploit this vulnerability to
> compromise Apache Web servers. Successful exploitation may lead to
> modified Web content, denial of service, or further compromise.
>
> Affected Versions:
>
> Apache 1.x
>
> Note: Many commercial Web Application Servers such as Oracle 9ias and
> IBM Websphere use Apache HTTP Server to process HTTP requests.
> Additional products that bundle Apache HTTP Server for Windows may be
> affected.
>
> Description:
>
> The Apache HTTP Server is maintained by the Apache Software Foundation.
> Apache is an extremely popular open-source Web server. Netcraft
> (http://www.netcraft.com) reports that as of May 2002, Apache accounts
> for over 63% of all active Web sites. Apache's installed base is larger
> than all other Web servers combined.
>
> The Apache Project is an open-source and volunteer collaboration aimed
> to create and maintain a free, feature-rich, powerful, and secure Web
> server implementation. Apache is well regarded as the best, freely
> available Web server.
>
> Apache contains a flawed mechanism meant to calculate the size of
> "chunked" encoding. Chunked encoding is part of the HTTP Protocol
> Specification used for accepting data from Web users. When data is sent
> from the user, the Web server needs to allocate a memory buffer of a
> certain size to hold the submitted data. When the size of the data being
> submitted is unknown, the client or Web browser will communicate with
> the server by creating "chunks" of data of a negotiated size.
>
> The Apache HTTP Server has a software flaw that misinterprets the size
> of incoming data chunks. This error may lead to a signal race, heap
> overflow, and to exploitation of malicious code.
>
> X-Force has verified that this issue is exploitable on Apache for
> Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
> source code, but X-Force believes that successful exploitation on most
> Unix platforms is unlikely.
>
> Recommendations:
>
> Internet Scanner X-Press Update 6.12 includes a check,
> ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server
> for Win32. XPU 6.12 is available from the ISS Download Center at:
> http://www.iss.net/download. For questions about downloading and
> installing this XPU, email support at iss.net.
>
> Detection support for this attack will be included in future X-Press
> Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
> available from the ISS Download Center, and this alert will be updated
> when these updates become available.
>
> ISS X-Force has developed a patch for this issue. Follow the
> instructions below, or contact your vendor for assistance:
>
> To apply a source code patch to your Apache package:
>
> 1. Locate your source directory and navigate into the "main"
> subdirectory.
> 2. Verify that "http_protocol.c" is present in the current directory.
> 3. To update your http_protocol.c file, create a file named
> "apache_patch.diff", containing the following text:
>
> - --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
> +++ http_protocol.c Fri Jun 14 16:13:47 2002
> @@ -2171,7 +2171,7 @@
>
> /* Otherwise, we are in the midst of reading a chunk of data */
>
> - - len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
> + len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :
> r->
> remaining;
>
> len_read = ap_bread(r->connection->client, buffer,
> len_to_read);
> if (len_read <= 0) {
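Review bot: the (unsigned int) cast on the added line only changes the comparison when r->remaining is a signed type no wider than unsigned int; where r->remaining is wider (a 64-bit long on LP64 platforms) the usual arithmetic conversions promote the unsigned int to long, the comparison stays signed, a negative r->remaining is still not greater than bufsiz, and len_to_read takes the negative value exactly as on the removed line. A check that r->remaining is non-negative before the min, or rejecting a chunk size that cannot fit at the point where it is parsed, would not depend on integer widths. Separately, the hunk as quoted will not apply with patch(1): the "---" file header and the removed line carry an extra leading "- " from PGP dash-escaping, and the added line is wrapped over three lines; unescape and rejoin them before step 4.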
>
> 4. Apply the source code update using the "patch" command, or a similar
> utility.
> 5. Build new binaries and reinstall.
>
> The Apache Server Project has been notified and will make a formal patch
> available soon. Please refer to the Apache Server Project's homepage for
> more information: http://httpd.apache.org/
>
> Additional Information:
>
> http://www.iss.net/security_center
> http://www.apache.org
> http://httpd.apache.org/
>
> Credits:
>
> This vulnerability was discovered and researched by Neel Mehta of the
> ISS X-Force.
>
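An added example, not ISS's patch and not Apache's source, to make the advisory's signed-size problem concrete. The two len_to_read functions mirror the shape of the line in the quoted hunk (a signed "remaining" chunk size compared against a signed buffer size), a third version is width-independent, and parse_chunk_size shows the up-front validation of the hex chunk-size field that keeps a negative or oversized remaining from ever existing. Function names, the 1 MiB size limit and the sample chunk headers are assumptions made for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not ISS's patch and not Apache's code). Names, the
 * size limit and the sample inputs are assumptions for illustration.
 */

/* The pre-patch shape: when remaining is negative the comparison is
 * false and the negative value is handed straight to the read call. */
long vulnerable_len_to_read(long remaining, int bufsiz)
{
    return (remaining > bufsiz) ? bufsiz : remaining;
}

/* The shape of the advisory's patch. Where long is no wider than
 * unsigned int (32-bit Unix, Win32, Win64) the comparison becomes
 * unsigned, a negative remaining compares as huge and is clamped to
 * bufsiz. On LP64 platforms (64-bit Linux, BSD, macOS) the unsigned int
 * is promoted to long instead and the negative value still passes. */
long cast_len_to_read(long remaining, int bufsiz)
{
    return (remaining > (unsigned int)bufsiz) ? bufsiz : remaining;
}

/* Width-independent version: reject a negative remaining outright,
 * then clamp to the buffer. Returns -1 for an invalid remaining. */
long checked_len_to_read(long remaining, size_t bufsiz)
{
    if (remaining < 0)
        return -1;
    if ((unsigned long)remaining > bufsiz)
        return (long)bufsiz;
    return remaining;
}

/* Parse the hex chunk-size field of a chunked-encoding chunk header
 * ("1a", "1A;ext=1\r\n"). Rejects an empty field, any character other
 * than a chunk extension, whitespace or line end after the digits, and
 * any value that would exceed limit; the bound is tested before each
 * multiply so the accumulator itself can never overflow or go negative.
 * Returns the size, or -1 on error. */
long parse_chunk_size(const char *line, long limit)
{
    const char *p = line;
    long value = 0;
    int ndigits = 0;

    while (isxdigit((unsigned char)*p)) {
        int c = tolower((unsigned char)*p);
        int d = isdigit(c) ? c - '0' : c - 'a' + 10;
        /* value * 16 + d <= limit must hold; check without overflowing */
        if (d > limit || value > (limit - d) / 16)
            return -1;
        value = value * 16 + d;
        ndigits++;
        p++;
    }
    if (ndigits == 0)
        return -1;
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n'
        && *p != ' ' && *p != '\t')
        return -1;
    return value;
}

int main(void)
{
    /* Constructed chunk headers, not captured traffic. */
    const char *lines[] = { "1a\r\n", "1A;ext=1\r\n", "0\r\n", "-1\r\n",
                            "ffffffffffffffff\r\n", "100001\r\n", "1G\r\n" };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("chunk header %zu -> %ld\n", i,
               parse_chunk_size(lines[i], 1048576L));
    printf("remaining=-1: vulnerable=%ld cast=%ld checked=%ld\n",
           vulnerable_len_to_read(-1, 8192), cast_len_to_read(-1, 8192),
           checked_len_to_read(-1, 8192));
    return 0;
}
```

Running it on a 32-bit build and on a 64-bit Linux build side by side shows the cast line behaving differently on each, which is why the parse-time check is the one worth keeping.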