NYCPHP Meetup

ISS Advisory: Remote Compromise Vulnerability in ApacheHTTP Server

Hans Zaunere zaunere at yahoo.com
Mon Jun 17 13:15:42 EDT 2002


FYI...


> Internet Security Systems Security Advisory
> June 17, 2002
> 
> Remote Compromise Vulnerability in Apache HTTP Server
> 
> Synopsis:
> 
> ISS X-Force has discovered a serious vulnerability in the default
> version of Apache HTTP Server. Apache is the most popular Web server
> and
> is used on over half of all Web servers on the Internet. It may be
> possible for remote attackers to exploit this vulnerability to
> compromise Apache Web servers. Successful exploitation may lead to
> modified Web content, denial of service, or further compromise.
> 
> Affected Versions:
> 
> Apache 1.x
> 
> Note: Many commercial Web Application Servers such as Oracle 9ias and
> IBM Websphere use Apache HTTP Server to process HTTP requests.
> Additional products that bundle Apache HTTP Server for Windows may be
> affected.
> 
> Description:
> 
> The Apache HTTP Server is maintained by the Apache Software
> Foundation.
> Apache is an extremely popular open-source Web server. Netcraft
> (http://www.netcraft.com) reports that as of May 2002, Apache
> accounts
> for over 63% of all active Web sites. Apacheís installed base is
> larger
> than all other Web servers combined.
> 
> The Apache Project is an open-source and volunteer collaboration
> aimed
> to create and maintain a free, feature-rich, powerful, and secure Web
> server implementation. Apache is well regarded as the best, freely
> available Web server.
> 
> Apache contains a flawed mechanism meant to calculate the size of
> "chunked" encoding. Chunked encoding is part of the HTTP Protocol
> Specification used for accepting data from Web users. When data is
> sent
> from the user, the Web server needs to allocate a memory buffer of a
> certain size to hold the submitted data. When the size of the data
> being
> submitted is unknown, the client or Web browser will communicate with
> the server by creating "chunks" of data of a negotiated size.
> 
> The Apache HTTP Server has a software flaw that misinterprets the
> size
> of incoming data chunks. This error may lead to a signal race, heap
> overflow, and to exploitation of malicious code.
> 
> X-Force has verified that this issue is exploitable on Apache for
> Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
> source code, but X-Force believes that successful exploitation on
> most
> Unix platforms is unlikely.
> 
> Recommendations:
> 
> Internet Scanner X-Press Update 6.12 includes a check,
> ApacheChunkedEncodingBo, to detect installations of Apache HTTP
> Server
> for Win32. XPU 6.12 is available from the ISS Download Center at:
> http://www.iss.net/download. For questions about downloading and
> installing this XPU, email support at iss.net.
> 
> Detection support for this attack will be included in future X-Press
> Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
> available from the ISS Download Center, and this alert will be
> updated
> when these updates become available.
> 
> ISS X-Force has developed a patch for this issue. Follow the
> instructions below, or contact your vendor for assistance:
> 
> To apply a source code patch to your Apache package:
> 
> 1. Locate your source directory and navigate into the "main" sub-
> directory.
> 2. Verify that "http_protocol.c" is present in the current directory.
> 3. To update your http_protocol.c file, create a file named
> "apache_patch.diff", containing the following text:
> 
> - --- http_protocol.c.vuln	Fri Jun 14 16:12:50 2002
> +++ http_protocol.c	Fri Jun 14 16:13:47 2002
> @@ -2171,7 +2171,7 @@
> 
>       /* Otherwise, we are in the midst of reading a chunk of data */
> 
> - -    len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
> +    len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :
> r->
> remaining;
> 
>       len_read = ap_bread(r->connection->client, buffer,
> len_to_read);
>       if (len_read <= 0) {
> 
> 4. Apply the source code update using the "patch" command, or a
> similar
>     utility.
> 5. Build new binaries and reinstall.
> 
> The Apache Server Project has been notified and will make a formal
> patch
> available soon. Please refer to the Apache Server Projectís homepage
> for
> more information: http://httpd.apache.org/
> 
> Additional Information:
> 
> http://www.iss.net/security_center
> http://www.apache.org
> http://httpd.apache.org/
> 
> Credits:
> 
> This vulnerability was discovered and researched by Neel Mehta of the
> ISS X-Force.
>

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com



More information about the talk mailing list