Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: Vulnerability: Apache HTTP Server Remote Compromise

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Exclamation Vulnerability: Apache HTTP Server Remote Compromise

    ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.



    Affected Versions:

    Apache 1.x

    Note: Many commercial Web Application Servers such as Oracle 9ias and IBM Websphere use Apache HTTP Server to process HTTP requests. Additional products that bundle Apache HTTP Server for Windows may be affected.

    Description:

    The Apache HTTP Server is maintained by the Apache Software Foundation.
    Apache is an extremely popular open-source Web server. Netcraft (http://www.netcraft.com) reports that as of May 2002, Apache accounts for over 63% of all active Web sites. Apache’s installed base is larger than all other Web servers combined.

    The Apache Project is an open-source and volunteer collaboration aimed to create and maintain a free, feature-rich, powerful, and secure Web server implementation. Apache is well regarded as the best, freely available Web server.

    Apache contains a flawed mechanism meant to calculate the size of "chunked" encoding. Chunked encoding is part of the HTTP Protocol Specification used for accepting data from Web users. When data is sent from the user, the Web server needs to allocate a memory buffer of a certain size to hold the submitted data. When the size of the data being submitted is unknown, the client or Web browser will communicate with the server by creating "chunks" of data of a negotiated size.

    The Apache HTTP Server has a software flaw that misinterprets the size of incoming data chunks. This error may lead to a signal race, heap overflow, and to exploitation of malicious code.

    X-Force has verified that this issue is exploitable on Apache for Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same source code, but X-Force believes that successful exploitation on most Unix platforms is unlikely.

    Recommendations:

    Internet Scanner X-Press Update 6.12 includes a check, ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server for Win32. XPU 6.12 is available from the ISS Download Center at: http://www.iss.net/download. For questions about downloading and installing this XPU, email support@iss.net.

    Detection support for this attack will be included in future X-Press Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be available from the ISS Download Center, and this alert will be updated when these updates become available.

    ISS X-Force has developed a patch for this issue. Follow the instructions below, or contact your vendor for assistance:

    To apply a source code patch to your Apache package:

    1. Locate your source directory and navigate into the "main" sub- directory.
    2. Verify that "http_protocol.c" is present in the current directory.
    3. To update your http_protocol.c file, create a file named "apache_patch.diff", containing the following text:

    - --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
    +++ http_protocol.c Fri Jun 14 16:13:47 2002
    @@ -2171,7 +2171,7 @@

    /* Otherwise, we are in the midst of reading a chunk of data */

    - - len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
    + len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r->
    remaining;

    len_read = ap_bread(r->connection->client, buffer, len_to_read);
    if (len_read

    Source: http://www.xatrix.org/article1624.html

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    110
    most of us probably run apache on linux/unix boxes anyway, so we are mainly safe then?

    regards,
    mark.
    \'hi, welcome to *****. if you would like to speak to an operator, please hang up now.\'
    * click *

  3. #3
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings All:

    Do you know what? This is a giant cluster-**** of a thing! Apache says that they have no fix yet, and that ISS released the report without contacting them first, and on top of it all, that ISS's supplied "fix" doesn't work.

    What in the hell is that?

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    Post

    Originally posted here by secretagent
    most of us probably run apache on linux/unix boxes anyway, so we are mainly safe then?

    regards,
    mark.
    I saw nothing in the article that suggested that the vulnerability was OS specific, however the patch did look OS specific. My question is if Apache 2.x would be affected by this? If not then I suggest an upgrade if you are truly worried about it.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  5. #5
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,209

    Re: Vulnerability: Apache HTTP Server Remote Compromise

    Originally posted here by ThePreacher


    I saw nothing in the article that suggested that the vulnerability was OS specific, however the patch did look OS specific. My question is if Apache 2.x would be affected by this? If not then I suggest an upgrade if you are truly worried about it.
    I may have read this wrong:

    Originally posted here by s0nIc
    Affected Versions:

    Apache 1.x

    Note: Many commercial Web Application Servers such as Oracle 9ias and IBM Websphere use Apache HTTP Server to process HTTP requests. Additional products that bundle Apache HTTP Server for Windows may be affected.

    But it doesn't mention either Linux or Unix being affected... It does mention Windows, but not *nix specifically. Though, as you said, it doesn't say that they're not affected...

    AJ

  6. #6
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    Yes, ALL versions of Apache, including 2.0 are effected, as are ALL OS's.

    It's like, what in the hell do you do? Apache Developers better damn well be staying up late coding, that's all I have to say........

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    689

    Post

    Originally posted here by JP
    Greetings:

    Yes, ALL versions of Apache, including 2.0 are effected, as are ALL OS's.

    It's like, what in the hell do you do? Apache Developers better damn well be staying up late coding, that's all I have to say........
    Damn guys at apache dont have a patch yet, it affects all versions and ISS released details about the vulnerability to the public. I agree they had better be up fixing this.
    Wine maketh merry: but money answereth all things.
    --Ecclesiastes 10:19

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Some more info from Apache about "Apache httpd: vulnerability with chunked encoding" problem.

    (my) Source: bugtraq@securityfocus.com / Mark J Cox <mjc@apache.org>
    The same info are posted at http://httpd.apache.org


    Date: June 17, 2002
    Product: Apache Web Server
    Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
    up to 2.0.39

    Introduction:

    While testing for Oracle vulnerabilities, Mark Litchfield discovered a
    denial of service attack for Apache on Windows. Investigation by the
    Apache Software Foundation showed that this issue has a wider scope, which
    on some platforms results in a denial of service vulnerability, while on
    some other platforms presents a potential a remote exploit vulnerability.

    We were also notified today by ISS that they had published the same issue
    which has forced the early release of this advisory.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0392 to this issue.

    Description:

    Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
    and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
    which deal with invalid requests which are encoded using chunked encoding.
    This bug can be triggered remotely by sending a carefully crafted invalid
    request. This functionality is enabled by default.

    In most cases the outcome of the invalid request is that the child process
    dealing with the request will terminate. At the least, this could help a
    remote attacker launch a denial of service attack as the parent process
    will eventually have to replace the terminated child process and starting
    new children uses non-trivial amounts of resources.

    On the Windows and Netware platforms, Apache runs one multithreaded child
    process to service requests. The teardown and subsequent setup time to
    replace the lost child process presents a significant interruption of
    service. As the Windows and Netware ports create a new process and reread
    the configuration, rather than fork a child process, this delay is much
    more pronounced than on other platforms.

    In Apache 2.0 the error condition is correctly detected, so it will not
    allow an attacker to execure arbitrary code on the server. However
    platforms could be using a multithreaded model of multiple concurrent
    requests per child process (although the default preference remains
    multiple processes with a single thread and request per process, and most
    multithreaded models continue to create multiple child processes). Using
    any multithreaded model, all concurrent requests currently served by the
    affected child process will be lost.

    In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
    overflow on 32-bit Unix platforms this will cause a segmentation violation
    and the child will terminate. However on 64-bit platforms the overflow
    can be controlled and so for platforms that store return addresses on the
    stack it is likely that it is further exploitable. This could allow
    arbitrary code to be run on the server as the user the Apache children are
    set to run as.

    We have been made aware that Apache 1.3 on Windows is exploitable in this
    way.

    Please note that the patch provided by ISS does not correct this
    vulnerability.


    The Apache Software Foundation are currently working on new releases that
    fix this issue, please see http://httpd.apache.org/ for updated
    versions.

  9. #9
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default.
    hmm i dont know bout this but if this is true then i guess we have our temp solution here guys..

    JP, AO is running on apache right??

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Well, at least it should be running as "nobody" and properly sandboxed, right? I know, I know... still doesn't skirt the DoS - but hopefully Apache respawns processes fast enough that, well.. at least maybe not as bad as it could be, I guess?
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •