I know you've probably heard about the latest Apache warning but the latest news is that the exploit code is already out. Patch, patch, and re-patch.....

Summary:

The open source Apache Web server (versions 1.x up to and including 1.3.24; 2.x up to and including 2.0.36 and 2.0.36-dev) contains a vulnerability in the code that handles data transfer between clients and servers [1,2]. 1.x versions contain an exploitable stack overflow, allowing an attacker to execute malicious code with the access privileges of the Web server. 2.x Apache servers are subject to denial-of-service attacks.

The Apache Web server is bundled with a variety of operating systems and commercial applications, including IBM's AIX Toolbox for Linux Applications, RedHat Linux, SGI IRIX, and Oracle. The most up-to-date compendium of vendor updates is available through CERT [2]. Because exploit code is already in circulation, Counterpane recommends testing and installing the appropriate upgrades for your operating system and version of Apache as quickly as possible. Source and binary code for 1.3.26 and 2.0.39 are available from http://www.apache.org/dist/httpd/#apache20.

Technical Details:

Chunked transfer encoding is a mechanism provided within HTTP/1.1 that allows a Web browser to transmit data in pieces of negotiated size. This permits the Web server to allocate memory buffers more efficiently, especially when the amount of data to be transferred is unknown. Apache versions 1.3.24 and earlier fail to detect improperly chunked data, which may trigger a stack overflow and may lead to malicious code being executed with the privileges of the httpd daemon. Apache versions 2.0.36 and earlier do detect incorrectly chunked data, but the child process handling the Web connection terminates. Since restarting child processes is a resource-intensive action, this leads to a denial-of-service condition.
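As an added illustration (not Apache's code and not part of the alert), the check that the paragraph above says the affected versions lacked: a strict HTTP/1.1 chunked-body decoder that keeps every declared chunk size unsigned, caps it, and verifies it against both the remaining input and the output buffer before a single byte is copied. The names decode_chunked and check_body and the 1 MiB per-chunk limit are this example's own choices.

```c
#include <string.h>

/* Added example, not Apache code: a strict HTTP/1.1 chunked-body decoder.
 * Each chunk size is parsed as an unsigned value, capped, and checked against
 * the remaining input and output space before any copy. 0 = ok, -1 = reject. */
#define MAX_CHUNK_SIZE ((size_t)1 << 20)   /* policy limit: 1 MiB per chunk */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int expect_crlf(const char *in, size_t in_len, size_t *i) {
    if (*i + 2 > in_len || in[*i] != '\r' || in[*i + 1] != '\n') return -1;
    *i += 2;
    return 0;
}

int decode_chunked(const char *in, size_t in_len,
                   char *out, size_t out_cap, size_t *out_len) {
    size_t i = 0, o = 0;
    for (;;) {
        size_t size = 0;
        int ndigits = 0;
        /* chunk-size: at most 8 hex digits, so the value can never wrap */
        while (i < in_len && hexval(in[i]) >= 0) {
            if (++ndigits > 8) return -1;
            size = (size << 4) | (size_t)hexval(in[i++]);
        }
        if (ndigits == 0 || size > MAX_CHUNK_SIZE) return -1;
        if (i < in_len && in[i] == ';')            /* optional chunk-extension */
            while (i < in_len && in[i] != '\r') i++;
        if (expect_crlf(in, in_len, &i) != 0) return -1;
        if (size == 0) { *out_len = o; return 0; }  /* last-chunk; trailers ignored */
        /* chunk-data must be fully present in the input and fit the caller's buffer */
        if (size > in_len - i || size > out_cap - o) return -1;
        memcpy(out + o, in + i, size);
        o += size; i += size;
        if (expect_crlf(in, in_len, &i) != 0) return -1;
    }
}

/* Check helper: 0 = decoded and equals `expect`, -1 = rejected, -2 = mismatch. */
int check_body(const char *in, const char *expect) {
    char buf[64]; size_t n = 0;
    if (decode_chunked(in, strlen(in), buf, sizeof buf, &n) != 0) return -1;
    return (n == strlen(expect) && memcmp(buf, expect, n) == 0) ? 0 : -2;
}
```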
Proof of concept and/or exploit code for the root compromise has been published and tested on Windows and OpenBSD hosts [6]. In the same alert, ISS reported that exploit code is in circulation for Solaris versions 6-8, FreeBSD and Linux. However, those exploits remain uncaptured and untested.

On a UNIX server running Apache 1.3.24, an attempt to exploit the vulnerability produces this log message in its error_log:

[Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal Segmentation fault (11)

(Your timestamps and process IDs will vary.) Apache running on Win32 servers produces no error messages when the vulnerability is triggered [7].

Countermeasures:

Counterpane recommends that Apache Web server administrators test the appropriate upgrade for their host operating systems. Once the new version is verified, install it as quickly as possible, especially on publicly visible servers.

References:

[1] Apache HTTP Security Bulletin
http://httpd.apache.org/info/security_bulletin_20020617.txt

[2] CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability
http://www.cert.org/advisories/CA-2002-17.html

[3] Apache 1.3.26 Released
http://www.apache.org/dist/httpd/Announcement.html

[4] ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server, posted to bugtraq@private
http://online.securityfocus.com/archive/1/277249/2002-06-17/2002-06-23/0

[5] Posting from GOBBLES on bugtraq@private, including sample exploit
http://online.securityfocus.com/archive/1/277830/2002-06-17/2002-06-23/0

[6] Apache HTTP Exploit in Circulation
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524

[7] Joe Testa posting to bugtraq@private
http://online.securityfocus.com/archive/1/277738/2002-06-17/2002-06-23/0

Counterpane Internet Security is happy to answer any questions you may have regarding this report, and we thank you for your continued support.
Counterpane Customer Service: 1-888-710-8171

DISCLAIMER: The information contained within this Security Alert is provided for informational purposes and without warranty. Counterpane recommends consulting your security policy when responding to this or any security-related event. Counterpane also recommends testing any vendor-recommended countermeasures prior to their deployment in a production environment.
This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 10:20:10 PDT