NYCPHP Meetup

[nycphp-talk] UPDATED Advisory: Remote Compromise Vulnerability in Apache HTTP Server

Hans Zaunere zaunere at yahoo.com
Tue Jun 18 09:42:46 EDT 2002


Some updated info. follows.  Basically, this vulnerability is only seen
as exploitable on Windows and 64bit UNICES.  That said, there is a REAL
patch (not an ISS marketing tool *snicker*) from Apache at

http://www.apache.org/dist/httpd/patches/apply_to_1.3.24/

And there is an 1.3.25 release eminent.  The CERT advisory follows.

But before we get to that, I'd like to quickly rant about ISS.  There
has been a lot of hub-bub about ISS rushing this announcement out the
door, while Apache was expecting to make an announcement when they had
a solid patch/release ready.  And on top of that, ISS pretends to have
a remedy for it.  Funny how Microsoft has become a major partner with
ISS, pushing their secure IIS solutions.  And it's funny how the ISS
announcement says basically "buy our [security scanner] product, and
you'll be fine!"

Frankly, it pisses me off.

Anyway, the CERT advisory is below:



>CERT Advisory CA-2002-17 Apache Web Server Chunk Handling
Vulnerability
>
>    Original release date: June 17, 2002
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history can be found at the end of this file.
>
>Systems Affected
>
>      * Web servers based on Apache code versions 1.3 through 1.3.24
>      * Web servers based on Apache code versions 2.0 through 2.0.36
>
>Overview
>
>    There is a remotely exploitable vulnerability in the handling of
large
>    chunks  of  data  in web servers that are based on Apache source
code.
>    This  vulnerability  is present by default in configurations of
Apache
>    web  servers  versions  1.3  through  1.3.24  and versions 2.0
through
>    2.0.36.  The  impact  of  this  vulnerability  is  dependent  upon
the
>    software version and the hardware platform the server is running
on.
>
>I. Description
>
>    Apache is a popular web server that includes support for
chunk-encoded
>    data according to the HTTP 1.1 standard as described in RFC2616.
There
>    is  a  vulnerability  in  the  handling  of certain chunk-encoded
HTTP
>    requests that may allow remote attackers to execute arbitrary
code.
>
>    The  Apache  Software  Foundation has published an advisory
describing
>    the details of this vulnerability. This advisory is available on
their
>    web site at
>
>           http://httpd.apache.org/info/security_bulletin_20020617.txt
>
>II. Impact
>
>    For  Apache  versions 1.3 through 1.3.24 inclusive, this
vulnerability
>    may allow the execution of arbitrary code by remote attackers.
Several
>    sources have reported that this vulnerability can be used by
intruders
>    to  execute  arbitrary  code  on  Windows platforms. Additionally,
the
>    Apache  Software  Foundation  has  reported  that a similar attack
may
>    allow the execution of arbitrary code on 64-bit UNIX systems.
>
>    For  Apache  versions  2.0  through  2.0.36  inclusive,  the
condition
>    causing  the  vulnerability is correctly detected and causes the
child
>    process  to  exit.  Depending  on  a variety of factors, including
the
>    threading model supported by the vulnerable system, this may lead
to a
>    denial-of-service attack against the Apache web server.
>
>III. Solution
>
>Apply a patch from your vendor
>
>    Apply  a  patch  from  your  vendor to correct this vulnerability.
The
>    CERT/CC  has  been informed by the Apache Software Foundation that
the
>    patch  provided  in the ISS advisory on this topic does not
completely
>    correct  this  vulnerability.  More  information about
vendor-specific
>    patches  can  be found in the vendor section of this document.
Because
>    the   publication  of  this  advisory  was  unexpectedly 
accelerated,
>    statements  from  all  of  the  affected vendors were not
available at
>    publication  time.  As  additional  information  from  vendors
becomes
>    available, this document will be updated.
>
>Upgrade to the latest version
>
>    The Apache Software Foundation has released two new versions of
Apache
>    that correct this vulnerability. System administrators can prevent
the
>    vulnerability  from  being  exploited  by  upgrading to Apache
version
>    1.3.25  or  2.0.39.  The new versions of Apache will be available
from
>    their web site at
>
>           http://httpd.apache.org/
>
>Appendix A. - Vendor Information
>
>    This  appendix  contains  information  provided  by  vendors  for
this
>    advisory.  As  vendors  report new information to the CERT/CC, we
will
>    update this section and note the changes in our revision history.
If a
>    particular  vendor  is  not  listed  below, we have not received
their
>    comments.
>
>Apache Software Foundation
>
>    New versions of the Apache software are available from:
>
>           http://httpd.apache.org/
>
>Conectiva Linux
>
>    The  Apache  webserver  shipped  with Conectiva Linux is
vulnerable to
>    this  problem.  New  packages fixing this problem will be
announced to
>    our mailing list after an official fix becomes available.
>
>Cray, Inc.
>
>    Cray,  Inc.  does  not  distribute  Apache  with  any of its
operating
>    systems.
>
>IBM Corporation
>
>    IBM  makes  the Apache Server availble for AIX customers as a
software
>    package  under  the  AIX-Linux  Affinity  initiative.  This
package is
>    included  on  the  AIX  Toolbox  for Linux Applications CD, and
can be
>    downloaded via the IBM Linux Affinity website. The currently
available
>    version of Apache Server is susceptible to the vulnerability
described
>    here.  We  will  update  our Apache Server offering shortly to
version
>    1.3.23,  including  the patch for this vulnerability; this update
will
>    be made available for downloading by accessing this URL:
>
>          
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.
>           html
>
>    and following the instructions presented there.
>
>    Please  note  that  Apache Server, and all Linux Affinity
software, is
>    offered on an "as-is" basis. IBM does not own the source code for
this
>    software,  nor  has  it developed and fully tested this code. IBM
does
>    not support these software packages.
>
>Lotus
>
>    We have verified that the Lotus Domino web server is not
vulnerable to
>    this  type of problem. Also, we do not ship Apache code with any
Lotus
>    products.
>
>Microsoft Corporation
>
>    Microsoft does not ship the Apache web server.
>
>Network Appliance
>
>    NetApp systems are not vulnerable to this problem.
>
>RedHat Inc.
>
>    Red  Hat  distributes  Apache  1.3  versions  in  all  Red  Hat 
Linux
>    distributions, and as part of Stronghold. However we do not
distribute
>    Apache  for Windows. We are currently investigating the issue and
will
>    work on producing errata packages when an official fix for the
problem
>    is  made  available.  When  these  updates  are  complete they
will be
>    available  from  the  URL below. At the same time users of the Red
Hat
>    Network will be able to update their systems using the 'up2date'
tool.
>
>           http://rhn.redhat.com/errata/RHSA-2002-103.html
>
>Unisphere Networks
>
>    The  Unisphere  Networks  SDX-300 Service Deployment System (aka.
SSC)
>    uses  Apache  1.3.24. We are releasing Version 3.0 using Apache
1.3.25
>    soon, and will be issuing a patch release for SSC Version 2.0.3 in
the
>    very near future.
>     
_________________________________________________________________
>
>    The CERT/CC thanks Mark Litchfield for reporting this
vulnerability to
>    the  Apache  Software  Foundation,  and  Mark  Cox  for reporting
this
>    vulnerability to the CERT/CC.
>     
_________________________________________________________________
>
>    Author: Cory F. Cohen
>   
______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2002-17.html
>   
______________________________________________________________________
>
>CERT/CC Contact Information
>
>    Email: cert at cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00 
EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for
emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by
email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for
more
>    information.
>
>Getting security information
>
>    CERT  publications  and  other security information are available
from
>    our web site
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and
bulletins,
>    send  email  to majordomo at cert.org. Please include in the body of
your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the
U.S.
>    Patent and Trademark Office.
>   
______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the
Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis.
Carnegie
>    Mellon University makes no warranties of any kind, either
expressed or
>    implied  as  to  any matter including, but not limited to,
warranty of
>    fitness  for  a  particular purpose or merchantability,
exclusivity or
>    results  obtained from use of the material. Carnegie Mellon
University
>    does  not  make  any warranty of any kind with respect to freedom
from
>    patent, trademark, or copyright infringement.
>     
_________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2002 Carnegie Mellon University.
>
>    Revision History
>June 17, 2002:  Initial release





--- Hans Zaunere <zaunere at yahoo.com> wrote:
> 
> FYI...
> 
> 
> > Internet Security Systems Security Advisory
> > June 17, 2002
> > 
> > Remote Compromise Vulnerability in Apache HTTP Server
> > 
> > Synopsis:
> > 
> > ISS X-Force has discovered a serious vulnerability in the default
> > version of Apache HTTP Server. Apache is the most popular Web
> server
> > and
> > is used on over half of all Web servers on the Internet. It may be
> > possible for remote attackers to exploit this vulnerability to
> > compromise Apache Web servers. Successful exploitation may lead to
> > modified Web content, denial of service, or further compromise.
> > 
> > Affected Versions:
> > 
> > Apache 1.x
> > 
> > Note: Many commercial Web Application Servers such as Oracle 9ias
> and
> > IBM Websphere use Apache HTTP Server to process HTTP requests.
> > Additional products that bundle Apache HTTP Server for Windows may
> be
> > affected.
> > 
> > Description:
> > 
> > The Apache HTTP Server is maintained by the Apache Software
> > Foundation.
> > Apache is an extremely popular open-source Web server. Netcraft
> > (http://www.netcraft.com) reports that as of May 2002, Apache
> > accounts
> > for over 63% of all active Web sites. Apacheís installed base is
> > larger
> > than all other Web servers combined.
> > 
> > The Apache Project is an open-source and volunteer collaboration
> > aimed
> > to create and maintain a free, feature-rich, powerful, and secure
> Web
> > server implementation. Apache is well regarded as the best, freely
> > available Web server.
> > 
> > Apache contains a flawed mechanism meant to calculate the size of
> > "chunked" encoding. Chunked encoding is part of the HTTP Protocol
> > Specification used for accepting data from Web users. When data is
> > sent
> > from the user, the Web server needs to allocate a memory buffer of
> a
> > certain size to hold the submitted data. When the size of the data
> > being
> > submitted is unknown, the client or Web browser will communicate
> with
> > the server by creating "chunks" of data of a negotiated size.
> > 
> > The Apache HTTP Server has a software flaw that misinterprets the
> > size
> > of incoming data chunks. This error may lead to a signal race, heap
> > overflow, and to exploitation of malicious code.
> > 
> > X-Force has verified that this issue is exploitable on Apache for
> > Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the
> same
> > source code, but X-Force believes that successful exploitation on
> > most
> > Unix platforms is unlikely.
> > 
> > Recommendations:
> > 
> > Internet Scanner X-Press Update 6.12 includes a check,
> > ApacheChunkedEncodingBo, to detect installations of Apache HTTP
> > Server
> > for Win32. XPU 6.12 is available from the ISS Download Center at:
> > http://www.iss.net/download. For questions about downloading and
> > installing this XPU, email support at iss.net.
> > 
> > Detection support for this attack will be included in future
> X-Press
> > Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will
> be
> > available from the ISS Download Center, and this alert will be
> > updated
> > when these updates become available.
> > 
> > ISS X-Force has developed a patch for this issue. Follow the
> > instructions below, or contact your vendor for assistance:
> > 
> > To apply a source code patch to your Apache package:
> > 
> > 1. Locate your source directory and navigate into the "main" sub-
> > directory.
> > 2. Verify that "http_protocol.c" is present in the current
> directory.
> > 3. To update your http_protocol.c file, create a file named
> > "apache_patch.diff", containing the following text:
> > 
> > - --- http_protocol.c.vuln	Fri Jun 14 16:12:50 2002
> > +++ http_protocol.c	Fri Jun 14 16:13:47 2002
> > @@ -2171,7 +2171,7 @@
> > 
> >       /* Otherwise, we are in the midst of reading a chunk of data
> */
> > 
> > - -    len_to_read = (r->remaining > bufsiz) ? bufsiz :
> r->remaining;
> > +    len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :
> > r->
> > remaining;
> > 
> >       len_read = ap_bread(r->connection->client, buffer,
> > len_to_read);
> >       if (len_read <= 0) {
> > 
> > 4. Apply the source code update using the "patch" command, or a
> > similar
> >     utility.
> > 5. Build new binaries and reinstall.
> > 
> > The Apache Server Project has been notified and will make a formal
> > patch
> > available soon. Please refer to the Apache Server Projectís
> homepage
> > for
> > more information: http://httpd.apache.org/
> > 
> > Additional Information:
> > 
> > http://www.iss.net/security_center
> > http://www.apache.org
> > http://httpd.apache.org/
> > 
> > Credits:
> > 
> > This vulnerability was discovered and researched by Neel Mehta of
> the
> > ISS X-Force.
> >
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
> 


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com



More information about the talk mailing list