[nycphp-talk] UPDATED Advisory: Remote Compromise Vulnerability in Apache HTTP Server
Hans Zaunere
zaunere at yahoo.com
Tue Jun 18 09:42:46 EDT 2002
Some updated info follows. Basically, this vulnerability is only seen
as exploitable on Windows and 64-bit UNICES. That said, there is a REAL
patch (not an ISS marketing tool *snicker*) from Apache at
http://www.apache.org/dist/httpd/patches/apply_to_1.3.24/
And a 1.3.25 release is imminent. The CERT advisory follows.
But before we get to that, I'd like to quickly rant about ISS. There
has been a lot of hubbub about ISS rushing this announcement out the
door, while Apache was expecting to make an announcement when they had
a solid patch/release ready. And on top of that, ISS pretends to have
a remedy for it. Funny how Microsoft has become a major partner with
ISS, pushing their secure IIS solutions. And it's funny how the ISS
announcement says basically "buy our [security scanner] product, and
you'll be fine!"
Frankly, it pisses me off.
Anyway, the CERT advisory is below:
>CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
>
> Original release date: June 17, 2002
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
>Systems Affected
>
> * Web servers based on Apache code versions 1.3 through 1.3.24
> * Web servers based on Apache code versions 2.0 through 2.0.36
>
>Overview
>
> There is a remotely exploitable vulnerability in the handling of large
> chunks of data in web servers that are based on Apache source code.
> This vulnerability is present by default in configurations of Apache
> web servers versions 1.3 through 1.3.24 and versions 2.0 through
> 2.0.36. The impact of this vulnerability is dependent upon the
> software version and the hardware platform the server is running on.
>
>I. Description
>
> Apache is a popular web server that includes support for chunk-encoded
> data according to the HTTP 1.1 standard as described in RFC2616. There
> is a vulnerability in the handling of certain chunk-encoded HTTP
> requests that may allow remote attackers to execute arbitrary code.
>
> The Apache Software Foundation has published an advisory describing
> the details of this vulnerability. This advisory is available on their
> web site at
>
> http://httpd.apache.org/info/security_bulletin_20020617.txt
>
>II. Impact
>
> For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability
> may allow the execution of arbitrary code by remote attackers. Several
> sources have reported that this vulnerability can be used by intruders
> to execute arbitrary code on Windows platforms. Additionally, the
> Apache Software Foundation has reported that a similar attack may
> allow the execution of arbitrary code on 64-bit UNIX systems.
>
> For Apache versions 2.0 through 2.0.36 inclusive, the condition
> causing the vulnerability is correctly detected and causes the child
> process to exit. Depending on a variety of factors, including the
> threading model supported by the vulnerable system, this may lead to a
> denial-of-service attack against the Apache web server.
>
>III. Solution
>
>Apply a patch from your vendor
>
> Apply a patch from your vendor to correct this vulnerability. The
> CERT/CC has been informed by the Apache Software Foundation that the
> patch provided in the ISS advisory on this topic does not completely
> correct this vulnerability. More information about vendor-specific
> patches can be found in the vendor section of this document. Because
> the publication of this advisory was unexpectedly accelerated,
> statements from all of the affected vendors were not available at
> publication time. As additional information from vendors becomes
> available, this document will be updated.
>
>Upgrade to the latest version
>
> The Apache Software Foundation has released two new versions of Apache
> that correct this vulnerability. System administrators can prevent the
> vulnerability from being exploited by upgrading to Apache version
> 1.3.25 or 2.0.39. The new versions of Apache will be available from
> their web site at
>
> http://httpd.apache.org/
>
>Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
>Apache Software Foundation
>
> New versions of the Apache software are available from:
>
> http://httpd.apache.org/
>
>Conectiva Linux
>
> The Apache webserver shipped with Conectiva Linux is vulnerable to
> this problem. New packages fixing this problem will be announced to
> our mailing list after an official fix becomes available.
>
>Cray, Inc.
>
> Cray, Inc. does not distribute Apache with any of its operating
> systems.
>
>IBM Corporation
>
> IBM makes the Apache Server available for AIX customers as a software
> package under the AIX-Linux Affinity initiative. This package is
> included on the AIX Toolbox for Linux Applications CD, and can be
> downloaded via the IBM Linux Affinity website. The currently available
> version of Apache Server is susceptible to the vulnerability described
> here. We will update our Apache Server offering shortly to version
> 1.3.23, including the patch for this vulnerability; this update will
> be made available for downloading by accessing this URL:
>
> http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html
>
> and following the instructions presented there.
>
> Please note that Apache Server, and all Linux Affinity software, is
> offered on an "as-is" basis. IBM does not own the source code for this
> software, nor has it developed and fully tested this code. IBM does
> not support these software packages.
>
>Lotus
>
> We have verified that the Lotus Domino web server is not vulnerable to
> this type of problem. Also, we do not ship Apache code with any Lotus
> products.
>
>Microsoft Corporation
>
> Microsoft does not ship the Apache web server.
>
>Network Appliance
>
> NetApp systems are not vulnerable to this problem.
>
>RedHat Inc.
>
> Red Hat distributes Apache 1.3 versions in all Red Hat Linux
> distributions, and as part of Stronghold. However, we do not distribute
> Apache for Windows. We are currently investigating the issue and will
> work on producing errata packages when an official fix for the problem
> is made available. When these updates are complete they will be
> available from the URL below. At the same time users of the Red Hat
> Network will be able to update their systems using the 'up2date' tool.
>
> http://rhn.redhat.com/errata/RHSA-2002-103.html
>
>Unisphere Networks
>
> The Unisphere Networks SDX-300 Service Deployment System (aka. SSC)
> uses Apache 1.3.24. We are releasing Version 3.0 using Apache 1.3.25
> soon, and will be issuing a patch release for SSC Version 2.0.3 in the
> very near future.
>
> _________________________________________________________________
>
> The CERT/CC thanks Mark Litchfield for reporting this vulnerability to
> the Apache Software Foundation, and Mark Cox for reporting this
> vulnerability to the CERT/CC.
>
> _________________________________________________________________
>
> Author: Cory F. Cohen
>
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2002-17.html
>
> ______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: cert at cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo at cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
>
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
>
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> June 17, 2002: Initial release
--- Hans Zaunere <zaunere at yahoo.com> wrote:
>
> FYI...
>
>
> > Internet Security Systems Security Advisory
> > June 17, 2002
> >
> > Remote Compromise Vulnerability in Apache HTTP Server
> >
> > Synopsis:
> >
> > ISS X-Force has discovered a serious vulnerability in the default
> > version of Apache HTTP Server. Apache is the most popular Web server
> > and is used on over half of all Web servers on the Internet. It may be
> > possible for remote attackers to exploit this vulnerability to
> > compromise Apache Web servers. Successful exploitation may lead to
> > modified Web content, denial of service, or further compromise.
> >
> > Affected Versions:
> >
> > Apache 1.x
> >
> > Note: Many commercial Web Application Servers such as Oracle 9ias and
> > IBM Websphere use Apache HTTP Server to process HTTP requests.
> > Additional products that bundle Apache HTTP Server for Windows may be
> > affected.
> >
> > Description:
> >
> > The Apache HTTP Server is maintained by the Apache Software Foundation.
> > Apache is an extremely popular open-source Web server. Netcraft
> > (http://www.netcraft.com) reports that as of May 2002, Apache accounts
> > for over 63% of all active Web sites. Apache's installed base is larger
> > than all other Web servers combined.
> >
> > The Apache Project is an open-source and volunteer collaboration aimed
> > to create and maintain a free, feature-rich, powerful, and secure Web
> > server implementation. Apache is well regarded as the best, freely
> > available Web server.
> >
> > Apache contains a flawed mechanism meant to calculate the size of
> > "chunked" encoding. Chunked encoding is part of the HTTP Protocol
> > Specification used for accepting data from Web users. When data is sent
> > from the user, the Web server needs to allocate a memory buffer of a
> > certain size to hold the submitted data. When the size of the data being
> > submitted is unknown, the client or Web browser will communicate with
> > the server by creating "chunks" of data of a negotiated size.
> >
> > The Apache HTTP Server has a software flaw that misinterprets the size
> > of incoming data chunks. This error may lead to a signal race, heap
> > overflow, and to exploitation of malicious code.
> >
> > X-Force has verified that this issue is exploitable on Apache for
> > Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
> > source code, but X-Force believes that successful exploitation on most
> > Unix platforms is unlikely.
> >
> > Recommendations:
> >
> > Internet Scanner X-Press Update 6.12 includes a check,
> > ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server
> > for Win32. XPU 6.12 is available from the ISS Download Center at:
> > http://www.iss.net/download. For questions about downloading and
> > installing this XPU, email support at iss.net.
> >
> > Detection support for this attack will be included in future X-Press
> > Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
> > available from the ISS Download Center, and this alert will be updated
> > when these updates become available.
> >
> > ISS X-Force has developed a patch for this issue. Follow the
> > instructions below, or contact your vendor for assistance:
> >
> > To apply a source code patch to your Apache package:
> >
> > 1. Locate your source directory and navigate into the "main"
> > subdirectory.
> > 2. Verify that "http_protocol.c" is present in the current directory.
> > 3. To update your http_protocol.c file, create a file named
> > "apache_patch.diff", containing the following text:
> >
> > - --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
> > +++ http_protocol.c Fri Jun 14 16:13:47 2002
> > @@ -2171,7 +2171,7 @@
> >
> > /* Otherwise, we are in the midst of reading a chunk of data
> */
> >
> > - - len_to_read = (r->remaining > bufsiz) ? bufsiz :
> r->remaining;
> > + len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :
> > r->
> > remaining;
> >
> > len_read = ap_bread(r->connection->client, buffer,
> > len_to_read);
> > if (len_read <= 0) {
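Review bot: the cast on the `+` line only narrows the bug rather than removing it: `(remaining > (unsigned int)bufsiz)` becomes an unsigned comparison solely where `r->remaining` is no wider than `unsigned int`; on a build where `r->remaining` is a wider signed type, the `unsigned int` is widened to that type by the usual arithmetic conversions, a negative `r->remaining` still compares less than `bufsiz`, and `len_to_read` is assigned the negative value exactly as on the `-` line. That matches the CERT text earlier in this mail, which says the ISS patch does not completely correct the issue and that 64-bit UNIX builds remain affected. The check belongs where the chunk size is parsed: reject a negative or out-of-range length there, so this clamp never sees one. Also, as reproduced here the `---` header and the `-` context line carry an extra leading `- ` (PGP dash-escaping) and the `+` line is wrapped over three lines, so the file as pasted will not apply with `patch` in step 4 until both are undone.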
> >
> > 4. Apply the source code update using the "patch" command, or a similar
> > utility.
> > 5. Build new binaries and reinstall.
> >
> > The Apache Server Project has been notified and will make a formal patch
> > available soon. Please refer to the Apache Server Project's homepage for
> > more information: http://httpd.apache.org/
> >
> > Additional Information:
> >
> > http://www.iss.net/security_center
> > http://www.apache.org
> > http://httpd.apache.org/
> >
> > Credits:
> >
> > This vulnerability was discovered and researched by Neel Mehta of the
> > ISS X-Force.
> >
>
__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com
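An added illustration (not code from either advisory or from Apache) of why the cast in the quoted ISS patch is only a partial fix and what a complete check looks like: the three clamp functions model the quoted `len_to_read` line as it stood, with the ISS cast, and with an explicit range check, and parse_chunk_size rejects a bad chunk-size line before any clamp runs. The names remaining and bufsiz follow the patch context; the functions are hypothetical, and it is assumed that the remaining count is a `long`, which is what makes the 32-bit versus 64-bit difference in the CERT text visible.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Clamp as it reads in the patch context (signed comparison): a negative
 * chunk length compares "smaller" than bufsiz and is returned unchanged. */
long clamp_vulnerable(long remaining, int bufsiz)
{
    return (remaining > bufsiz) ? bufsiz : remaining;
}

/* Clamp with the ISS cast. The comparison is unsigned only where long is
 * no wider than unsigned int (32-bit builds). Where long is 64 bits the
 * unsigned int is widened to long and the signed comparison comes back,
 * so -1 is still returned. Compilers warn about the mixed-sign compare. */
long clamp_iss_cast(long remaining, int bufsiz)
{
    return (remaining > (unsigned int)bufsiz) ? bufsiz : remaining;
}

/* Defensive form: validate at the boundary instead of relying on integer
 * promotion rules. Returns -1 for a negative length or a bad buffer size. */
long clamp_checked(long remaining, int bufsiz)
{
    if (remaining < 0 || bufsiz <= 0)
        return -1;
    return (remaining > (long)bufsiz) ? bufsiz : remaining;
}

/* Parse an RFC 2616 chunk-size line ("1a" or "1a;ext=v") into a length.
 * Returns the length, or -1 for a sign, junk, or a value that would wrap
 * negative when stored in a long (the input the clamp above mishandles). */
long parse_chunk_size(const char *line)
{
    char *end;
    unsigned long v;
    if (!isxdigit((unsigned char)line[0]))   /* rejects "", "-1", " ff" */
        return -1;
    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE || v > (unsigned long)LONG_MAX)
        return -1;
    if (*end != '\0' && *end != ';' && *end != '\r')
        return -1;
    return (long)v;
}
```

On an LP64 system clamp_iss_cast(-1, 8192) still returns -1 while clamp_checked rejects it, which is the difference the CERT advisory describes between the ISS patch and a real fix.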