Another Apache Vulnerability FYI
>List-Id: <bugtraq.list-id.securityfocus.com>
>From: "David Endler" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Date: Thu, 3 Oct 2002 12:47:54 -0400
>Subject: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory
>scoreboard vulnerabilities
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>iDEFENSE Security Advisory 10.03.2002
>Apache 1.3.x shared memory scoreboard vulnerabilities
>
>16:00 GMT, October 3, 2002
>
>
>I. BACKGROUND
>
>The Apache Software Foundation's HTTP Server is an effort to develop
>and maintain an open-source HTTP server for modern operating systems
>including Unix and Windows NT. The goal of this project is to provide
>a secure, efficient and extensible server that provides HTTP services
>in sync with the current HTTP standards. More details about it are
>available at http://httpd.apache.org .
>
>II. DESCRIPTION
>
>Apache HTTP Server contains a vulnerability in its shared memory
>scoreboard. Attackers who can execute commands under the Apache UID
>can either send a (SIGUSR1) signal to any process as root, in most
>cases killing the process, or launch a local denial of service (DoS)
>attack.
>
>III. ANALYSIS
>
>Exploitation requires execute permission under the Apache UID. This
>can be obtained by any local user with a legitimate Apache scripting
>resource (ie: PHP, Perl), exploiting a vulnerability in web-based
>applications written in the above example languages, or through the
>use of some other local/remote Apache exploit.
>
>Once such a status is attained, the attacker can then attach to the
>httpd daemon's 'scoreboard', which is stored in a shared memory
>segment owned by Apache. The attacker can then cause a DoS condition
>on the system by continuously filling the table with null values and
>causing the server to spawn new children.
>
>The attacker also has the ability to send any process a SIGUSR1
>signal as root. This is accomplished by continuously overwriting the
>parent[].pid and parent[].last_rtime segments within the scoreboard
>to the pid of the target process and a time in the past. When the
>target pid receives the signal SIGUSR1, it will react according to
>how it is designed to manage the signal. According to the man page
>(man 7 signal), if the signal is un-handled then the default action
>is to terminate:
>
>   ...
>   SIGUSR1   30,10,16    A     User-defined signal 1
>   ...
>   The letters in the "Action" column have the following meanings:
>
>   A      Default action is to terminate the process.
>   ...
>
>iDEFENSE successfully terminated arbitrary processes, including those
>that "kicked" people off the system.
>
>IV. DETECTION
>
>Apache HTTP Server 1.3.x, running on all applicable Unix platforms,
>is affected.
>
>V. VENDOR FIX/RESPONSE
>
>Apache HTTP Server 1.3.27 fixes this problem. It should be available
>on October 3 at http://www.apache.org/dist/httpd/ .
>
>VI. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
>has assigned the identification number CAN-2002-0839 to this issue.
>
>VII. DISCLOSURE TIMELINE
>
>8/27/2002       Issue disclosed to iDEFENSE
>9/18/2002       Vendor notified at [EMAIL PROTECTED]
>9/18/2002       iDEFENSE clients notified
>9/19/2002       Response received from Mark J Cox ([EMAIL PROTECTED])
>10/3/2002       Coordinated public disclosure
>
>VIII. CREDIT
>
>zen-parse ([EMAIL PROTECTED]) disclosed this issue to iDEFENSE.
>
>- -dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1.2
>Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
>
>iQA/AwUBPZx0I0rdNYRLCswqEQIowQCfQT+FYR1FLTEzlf49SpJXwDnie8wAn3Kr
>CncduGV6EYHqVayQE90b7Yij
>=4T8j
>-----END PGP SIGNATURE-----

--
Jimmy Lim
Operation & Support Team Leader
Tricom
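
The advisory's affected range (Apache 1.3.x) and fix release (1.3.27) can be turned into a quick inventory triage. The following is an added example, not part of the original post or the advisory; the function names and the sample hosts and banners are constructed for illustration.

```python
import re

FIXED = (1, 3, 27)  # release the advisory names as the fix for CAN-2002-0839

# Product token of a Server header, e.g. "Apache/1.3.26 (Unix) PHP/4.2.3"
_BANNER = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def classify_banner(server_header):
    """Classify a Server header against the advisory.

    Returns "affected", "fixed", "not-covered" (not a 1.3.x release, so
    outside what the advisory states) or "unknown" (no version exposed).
    """
    m = _BANNER.search(server_header or "")
    if not m:
        # e.g. ServerTokens Prod ("Apache") or a different server product
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    if version[:2] != (1, 3):
        return "not-covered"
    # Tuple comparison is numeric: 1.3.9 sorts below 1.3.27, unlike strings
    return "affected" if version < FIXED else "fixed"


def triage(inventory):
    """Map host -> status for an iterable of (host, Server header) pairs."""
    return {host: classify_banner(banner) for host, banner in inventory}


# Constructed sample inventory (hypothetical hosts and banners)
SAMPLE = [
    ("web1.example", "Apache/1.3.26 (Unix) PHP/4.2.3"),
    ("web2.example", "Apache/1.3.9 (Unix)"),
    ("web3.example", "Apache/1.3.27 (Unix)"),
    ("web4.example", "Apache/2.0.43 (Unix)"),
    ("web5.example", "Apache"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A banner is only a hint: vendor packages may carry a backported fix under an older version string, so confirm "affected" and "unknown" hosts against the installed package.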
