The 32-bit Apache exploits are now circulating on the Internet - if you have not been affected by this problem yet, you soon will be.
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 20, 2002 9:54 PM
Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known

> [[ Note: this issue affects both 32-bit and 64-bit platforms; the
>    subject of this message emphasizes 32-bit platforms since that
>    is the most important information not announced in our previous
>    advisory. ]]
>
> SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt
>
> Date: June 20, 2002
> Product: Apache Web Server
> Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
>           up to 2.0.36; Apache 1.2 all versions.
>
> CAN-2002-0392 (mitre.org) [CERT VU#944335]
>
> ----------------------------------------------------------
> ------------UPDATED ADVISORY------------
> ----------------------------------------------------------
> Introduction:
>
> While testing for Oracle vulnerabilities, Mark Litchfield discovered a
> denial of service attack for Apache on Windows. Investigation by the
> Apache Software Foundation showed that this issue has a wider scope, which
> on some platforms results in a denial of service vulnerability, while on
> some other platforms presents a potential remote exploit vulnerability.
>
> This follow-up to our earlier advisory is to warn of known-exploitable
> conditions related to this vulnerability on both 64-bit platforms and
> 32-bit platforms alike. Though we previously reported that 32-bit
> platforms were not remotely exploitable, it has since been proven by
> Gobbles that certain conditions allowing exploitation do exist.
>
> Successful exploitation of this vulnerability can lead to the execution of
> arbitrary code on the server with the permissions of the web server child
> process. This can facilitate the further exploitation of vulnerabilities
> unrelated to Apache on the local system, potentially allowing the intruder
> root access.
>
> Note that early patches for this issue released by ISS and others do not
> address its full scope.
>
> Due to the existence of exploits circulating in the wild for some platforms,
> the risk is considered high.
>
> The Apache Software Foundation has released versions 1.3.26 and 2.0.39
> that address and fix this issue, and all users are urged to upgrade
> immediately; updates can be downloaded from http://httpd.apache.org/ .
>
> As a reminder, we respectfully request that anyone who finds a potential
> vulnerability in our software reports it to [EMAIL PROTECTED]
>
> ----------------------------------------------------------
>
> The full text of this advisory including additional details is available
> at http://httpd.apache.org/info/security_bulletin_20020620.txt .

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
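Added example, not part of the forwarded advisory or of the Apache project's own code: a small Python triage helper that applies the advisory's affected and fixed version ranges (1.3.x below 1.3.26, 2.0.x below 2.0.39, every 1.2.x with no fix named) to `Server:` banners gathered from a scan. The banners below are constructed, not captured from real hosts. It deliberately reports `unknown` rather than `fixed` for banners that hide the patch level (`ServerTokens Prod` or `Minor`) and for branches the advisory does not cover, because a banner check cannot see vendor backports either way and the safe default is to go and verify the host.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed releases named in the advisory. Apache 1.2 has no fixed release listed,
# so every 1.2.x banner is treated as vulnerable below.
FIXED_RELEASE = {
    (1, 3): (1, 3, 26),
    (2, 0): (2, 0, 39),
}

# Requires all three components: "Apache/2.0" (ServerTokens Minor) or "Apache"
# (ServerTokens Prod) carry too little to make a call and must stay "unknown".
_APACHE_BANNER = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Server: banner, or None if not present."""
    m = _APACHE_BANNER.search(server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(server_header: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown' for CAN-2002-0392."""
    version = parse_apache_version(server_header)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch == (1, 2):
        return "vulnerable"          # advisory: all 1.2 versions, no fix released
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "unknown"             # branch not covered by this advisory
    return "fixed" if version >= fixed else "vulnerable"


def triage(banners: Iterable[str]) -> Dict[str, str]:
    """Map each banner to its verdict; 'unknown' entries need manual follow-up."""
    return {banner: assess(banner) for banner in banners}


# Constructed sample banners for illustration (not from any real host).
SAMPLE_BANNERS = [
    "Server: Apache/1.3.24 (Unix)",
    "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10",
    "Server: Apache/2.0.36 (Win32)",
    "Server: Apache/2.0.39 (Unix)",
    "Server: Apache/1.2.6",
    "Server: Apache/2.0",            # ServerTokens Minor: patch level hidden
    "Server: Apache",                # ServerTokens Prod: version hidden
    "Server: nginx/1.18.0",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:10s} {banner}")
```

Treat the output as a worklist, not a verdict: a host that reports `fixed` may still be running a vendor build that backported the patch under an older version string, and a host that reports `unknown` may well be vulnerable, so confirm on the box (package version, or the binary's own `httpd -v`) before closing either.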
