On Wed, 2002-06-19 at 00:49, Ian C. Sison wrote: > On Tue, 18 Jun 2002, Horatio B. Bogbindero wrote: > > > On Tue, Jun 18, 2002 at 01:25:38PM +0800, Ian C. Sison wrote (wyy sez): > > > > > > Hoo-boy, looks like another round of updates for all ye sysads... > > > > > > II. Impact > > > > > > For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability > > > may allow the execution of arbitrary code by remote attackers. Several > > > sources have reported that this vulnerability can be used by intruders > > > to execute arbitrary code on Windows platforms. Additionally, the > > > Apache Software Foundation has reported that a similar attack may > > > allow the execution of arbitrary code on 64-bit UNIX systems. > > > > > > > looks like we 32-bit Unix guys are immune? of course, we are not taking our > > chances right? > > > > No, 32 bit systems will core dump, and the result is effectively a DoS, > and if done correctly, will result in apache continually spawning and > respawning the httpd binary. On systems which have apache statically > linked to a lot of modules, this bring up and tear down can be costly > resource wise. > > My suggestion is security by obsolesence: use apache 1.2 ! ! !
Ian: Here's the advisory... I'm not sure if 1.2 would not be affected (I haven't tested it yet so I've got no idea if this is true) but here's what ASF had to say). Date: June 17, 2002 Product: Apache Web Server Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions up to 2.0.36, Apache 1.2 all versions 1.2.2 onwards. Introduction: While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential a remote exploit vulnerability. We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0392 to this issue. Description: Versions of the Apache web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources. On the Windows and Netware platforms, Apache runs one multithreaded child process to service requests. The teardown and subsequent setup time to replace the lost child process presents a significant interruption of service. As the Windows and Netware ports create a new process and reread the configuration, rather than fork a child process, this delay is much more pronounced than on other platforms. In Apache 2.0 the error condition is correctly detected, so it will not allow an attacker to execure arbitrary code on the server. However platforms could be using a multithreaded model of multiple concurrent requests per child process (although the default preference remains multiple processes with a single thread and request per process, and most multithreaded models continue to create multiple child processes). Using any multithreaded model, all concurrent requests currently served by the affected child process will be lost. In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in this way. Please note that the patch provided by ISS does not correct this vulnerability. The Apache Software Foundation are currently working on new releases that fix this issue, please see http://httpd.apache.org/ for updated versions. -- -->paolo Paolo Alexis Falcone [EMAIL PROTECTED] GnuPG KeyID 0xEADFF6F4 Tel# (632)6429577 Fax# (632)6429561 Mobile# +639174379283 ___________________________________________________________________ "I think ideology sucks. This world would be a much better place if people had less ideology, and a whole lot more "I do this because it's FUN and because others might find it useful, not because I got religion."" --> Linus Torvalds _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
