CRIME Counterpane Security Vulnerability Alert, Apache Data Chunking Stack Overflow, V-20020620-001

From: brvarin@private
Date: Fri Jun 21 2002 - 08:40:44 PDT


    I know you've probably heard about the latest Apache warning but the latest
    news is that the exploit code is already out. Patch, patch, and
    re-patch.....
    
    Summary:
    The open source Apache Web server (Versions 1.x up to and including 1.3.24;
    2.x up to and including 2.0.36 and 2.0.36-dev) contains a vulnerability in
    the code that handles data transfer between clients and servers [1,2]. 1.x
    versions contain an exploitable stack overflow, allowing an attacker to
    execute malicious code with the access privileges of the Web server.  2.x
    Apache servers are subject to denial-of-service attacks.
    
    The Apache Web server is bundled with a variety of operating systems and
    commercial applications, including IBM's AIX Toolbox for Linux Applications,
    RedHat Linux, SGI IRIX, and Oracle.  The most up-to-date compendium of
    vendor updates is available through CERT [2].
    
    Because exploit code is already in circulation, Counterpane recommends
    testing and installing the appropriate upgrades for your operating system
    and version of Apache as quickly as possible.  Source and binary code for
    1.3.26 and 2.0.39 are available from
    http://www.apache.org/dist/httpd/#apache20.
    
    Technical Details:
    Chunk transfer encoding is a mechanism provided within HTTP/1.1 that allows
    a Web browser to transmit data in pieces of negotiated size. This permits
    the Web server to allocate memory buffers more efficiently, especially when
    the amount of data to be transferred is unknown.
    
    Apache versions 1.3.24 and earlier fail to detect improperly chunked data,
    which may trigger a stack overflow, and may lead to malicious code being
    executed with the privileges of the httpd daemon.  Apache versions 2.0.36
    and earlier detect incorrectly chunked data, and the child process handling
    the Web connection terminates.  Since restarting child processes is a
    resource-intensive action, this leads to a denial-of-service condition.
    
    Proof of concept and/or exploit code for the root compromise has been
    published and tested on Windows and OpenBSD hosts [6].  In the same alert,
    ISS reported that exploit code is in circulation for Solaris versions 6-8,
    FreeBSD and Linux.  However, those exploits remain uncaptured and untested.
    
    
    On a UNIX server running Apache 1.3.24, an attempt to exploit the
    vulnerability produces this log message in its error_log:
    
    [Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal Segmentation fault (11)
    
    (Your timestamps and process IDs will vary.)  Apache running on Win32
    servers produces no error messages when the vulnerability is triggered [7].
    
    Countermeasures:
    Counterpane recommends that Apache Web server administrators test the
    appropriate upgrade for their host operating systems.  Once the new version
    is verified, install it as quickly as possible, especially on publicly
    visible servers.
    
    References:
    [1] Apache HTTP Security Bulletin
    http://httpd.apache.org/info/security_bulletin_20020617.txt
    [2] CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability
    http://www.cert.org/advisories/CA-2002-17.html
    [3] Apache 1.3.26 Released
    http://www.apache.org/dist/httpd/Announcement.html
    [4] ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server,
    posted to bugtraq@private
    http://online.securityfocus.com/archive/1/277249/2002-06-17/2002-06-23/0
    [5] Posting from GOBBLES on bugtraq@private, including sample exploit
    http://online.securityfocus.com/archive/1/277830/2002-06-17/2002-06-23/0
    
    [6] Apache HTTP Exploit in Circulation
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524
    [7] Joe Testa posting to bugtraq@private
    http://online.securityfocus.com/archive/1/277738/2002-06-17/2002-06-23/0
    
    Counterpane Internet Security is happy to answer any questions you may have
    regarding this report, and we thank you for your continued support.
    
    Counterpane Customer Service: 1-888-710-8171
    
    DISCLAIMER:
    The information contained within this Security Alert is provided for
    informational purposes and without warranty. Counterpane recommends
    consulting your security policy when responding to this or any
    security-related event. Counterpane also recommends testing any
    vendor-recommended countermeasures prior to their deployment in a
    production environment.
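The technical details above describe the failure class (a server trusting the chunk-size field of an HTTP/1.1 chunked body) without showing what a careful decoder has to check. The following is an added example, written for this archive page and not taken from the advisory, from Apache, or from any of the referenced postings. It decodes a chunked body into a caller-supplied buffer and rejects the inputs a defensive implementation must refuse: non-hex or over-long chunk sizes (so the value can never wrap or be misread as negative), chunks larger than a configured maximum, chunks that run past the end of the input, bad CRLF framing, and decoded output that would not fit the destination. All function names, the status codes and the sample bodies are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by the decoder (constructed for this example). */
enum chunk_status {
    CHUNK_OK = 0,           /* body fully decoded, terminating 0-size chunk seen */
    CHUNK_BAD_SIZE = 1,     /* chunk-size line empty, non-hex, or more than 8 hex digits */
    CHUNK_TOO_LARGE = 2,    /* a single chunk exceeds the caller's max_chunk limit */
    CHUNK_TRUNCATED = 3,    /* input ended before the announced chunk bytes arrived */
    CHUNK_BAD_FRAMING = 4,  /* CRLF missing after chunk-size line or chunk data */
    CHUNK_OUTPUT_FULL = 5   /* decoded body would overrun the output buffer */
};

/* Parse the hex chunk-size at the start of a chunk. Any ";ext=value" chunk
   extension is skipped. At most 8 hex digits are accepted, so the value is
   always representable as an unsigned 32-bit number and is never stored
   through a narrower or signed type. */
static int parse_chunk_size(const char *p, size_t len, size_t *size, size_t *consumed)
{
    size_t i = 0, digits = 0;
    uint32_t v = 0;
    if (len == 0) return CHUNK_TRUNCATED;
    while (i < len && isxdigit((unsigned char)p[i])) {
        unsigned char c = (unsigned char)p[i];
        unsigned d = isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a' + 10);
        if (++digits > 8) return CHUNK_BAD_SIZE;
        v = (v << 4) | d;
        i++;
    }
    if (digits == 0) return CHUNK_BAD_SIZE;       /* e.g. "-1", "", "zz" */
    while (i < len && p[i] != '\r' && p[i] != '\n') i++;   /* skip extension */
    if (i + 1 >= len || p[i] != '\r' || p[i + 1] != '\n') return CHUNK_BAD_FRAMING;
    *size = v;
    *consumed = i + 2;
    return CHUNK_OK;
}

/* Decode a complete chunked body. out_cap bounds the decoded output and
   max_chunk bounds any single chunk; every size is checked against the
   remaining input and output before memcpy is called. Trailer fields after
   the last chunk are not processed here. */
int decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap,
                   size_t max_chunk, size_t *out_len)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t size, used;
        int st = parse_chunk_size(in + pos, in_len - pos, &size, &used);
        if (st != CHUNK_OK) return st;
        pos += used;
        if (size == 0) { *out_len = written; return CHUNK_OK; }   /* last-chunk */
        if (size > max_chunk) return CHUNK_TOO_LARGE;
        if (size > in_len - pos) return CHUNK_TRUNCATED;
        if (size > out_cap - written) return CHUNK_OUTPUT_FULL;
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in_len - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n')
            return CHUNK_BAD_FRAMING;
        pos += 2;
    }
}

/* Convenience wrappers: decode a NUL-terminated body into a 64-byte buffer with
   a 1024-byte per-chunk limit, returning the status or comparing the output. */
int decode_status(const char *body)
{
    char buf[64]; size_t n = 0;
    return decode_chunked(body, strlen(body), buf, sizeof buf, 1024, &n);
}

int decode_matches(const char *body, const char *expected)
{
    char buf[64]; size_t n = 0;
    if (decode_chunked(body, strlen(body), buf, sizeof buf, 1024, &n) != CHUNK_OK) return 0;
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

int main(void)
{
    /* Constructed sample bodies: one well-formed, the others malformed. */
    const char *samples[] = {
        "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",   /* valid */
        "FFFFFFFF\r\nabc\r\n0\r\n\r\n",            /* huge announced size */
        "FFFFFFFFF\r\nabc\r\n0\r\n\r\n",           /* 9 hex digits: would wrap */
        "-1\r\nabc\r\n0\r\n\r\n",                  /* negative-looking size */
        "5\r\nab\r\n",                             /* truncated data */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> status %d\n", i, decode_status(samples[i]));
    return 0;
}
```

Because the size is validated against the remaining input and the remaining output space before any copy, an attacker-supplied chunk-size can only produce an error status, never a write past the destination buffer.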
    
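The advisory notes that on UNIX hosts a triggered 1.3.24 server leaves a "child pid ... exit signal Segmentation fault (11)" notice in error_log. The following added example (not part of the advisory or of Apache) shows a minimal detector for that indicator: it counts such notices in an error_log excerpt and raises an alert when several children die this way in one log window. The sample log lines are constructed for this example and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed error_log excerpt in Apache 1.3 format; timestamps and PIDs are
   made up for this example. */
static const char SAMPLE_ERROR_LOG[] =
    "[Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal Segmentation fault (11)\n"
    "[Mon Jun 17 16:12:26 2002] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico\n"
    "[Mon Jun 17 16:12:27 2002] [notice] child pid 21460 exit signal Segmentation fault (11)\n"
    "[Mon Jun 17 16:12:30 2002] [notice] child pid 21471 exit signal Segmentation fault (11)\n";

/* Bounded substring search: does needle occur within the first n bytes of s?
   Using a length-bounded search keeps the match inside a single log line. */
static int line_contains(const char *s, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(s + i, needle, m) == 0) return 1;
    return 0;
}

/* Count log lines recording an Apache child that exited on SIGSEGV (signal 11). */
int count_child_segfaults(const char *log)
{
    int count = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (line_contains(p, n, "child pid") &&
            line_contains(p, n, "exit signal Segmentation fault"))
            count++;
        p = nl ? nl + 1 : p + n;
    }
    return count;
}

/* Threshold rule: one crash may be a bug, several in one window merit a look.
   Returns 1 when the count reaches the threshold, else 0. */
int segfault_alert(const char *log, int threshold)
{
    return count_child_segfaults(log) >= threshold;
}

int main(void)
{
    int n = count_child_segfaults(SAMPLE_ERROR_LOG);
    printf("child segfaults: %d, alert: %s\n", n,
           segfault_alert(SAMPLE_ERROR_LOG, 3) ? "yes" : "no");
    return 0;
}
```

Matching on both "child pid" and "exit signal Segmentation fault" avoids counting unrelated lines that merely mention a signal; as the advisory says, Win32 servers produce no such message, so this check only helps on UNIX hosts.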



    This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 10:20:10 PDT