Date: 18 June 2002
References: ESB-2002.285 ESB-2002.288 ESB-2002.289 ESB-2002.291 ESB-2002.293 ESB-2002.295 ESB-2002.297 ESB-2002.298 ESB-2002.301 ESB-2002.311 ESB-2002.320 ESB-2002.323 ESB-2002.328 ESB-2002.330 ESB-2002.334 ESB-2002.337 ESB-2002.341 ESB-2002.351 ESB-2002.358 ESB-2002.421 ESB-2002.498
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2002.04 AUSCERT Advisory
Remote Compromise Vulnerability in Apache HTTP Server
18 June 2002
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has recently become aware of a new vulnerability in versions of
the Apache web server up to and including 1.3.24 and 2.0 up to and
including 2.0.36 and 2.0.36-dev. The vulnerability is enabled in the
default configuration of the Apache Web Server.
This vulnerability may allow remote users to cause a denial of service or
gain system privileges. The vulnerability is not limited to Windows but
also affects Unix and Netware environments. A further risk due to
exploitation of this vulnerability is that of web page defacement.
AusCERT has not received reports of the vulnerability being actively
exploited.
AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
The ISS X-force team [4.1] and Mark Litchfield of Next Generation
Security Software [4.2] independently discovered this vulnerability and
released advisories describing it. The flaw lies in the routines that
deal with chunked encoding, which fail to handle invalid requests
safely. Exploitation of this vulnerability could lead to system
compromise, denial of service and potentially web page defacement.
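As an added illustration (not AusCERT's, ISS's or Apache's code), the following strict chunk-size parser shows the kind of input validation a chunked-encoding routine needs in order to reject invalid requests instead of acting on them; the 1 MiB per-chunk limit is an assumed value, not one stated in this advisory.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed per-chunk limit for this example; the advisory states no value. */
#define MAX_CHUNK_SIZE ((uint64_t)1 << 20)

/* Parse one chunk-size line of a chunked body, e.g. "1a3f;ext=1\r\n".
 * Returns 1 and stores the size on success, 0 for any line that is not
 * well-formed hex within bounds. Accumulating into an unsigned value with
 * an explicit bound, instead of converting with a signed routine, is what
 * stops a hostile size from becoming a wrong buffer length later. */
int parse_chunk_size(const char *line, size_t len, uint64_t *out)
{
    uint64_t value = 0;
    size_t i = 0;
    if (line == NULL || out == NULL || len == 0)
        return 0;
    while (i < len && isxdigit((unsigned char)line[i])) {
        int c = tolower((unsigned char)line[i]);
        unsigned digit = isdigit(c) ? (unsigned)(c - '0') : (unsigned)(c - 'a' + 10);
        if (value > (MAX_CHUNK_SIZE >> 4))   /* next shift would pass the bound */
            return 0;
        value = (value << 4) | digit;
        i++;
    }
    if (i == 0 || value > MAX_CHUNK_SIZE)    /* no digits, or too large */
        return 0;
    if (i < len && line[i] == ';')           /* skip chunk extensions */
        while (i < len && line[i] != '\r')
            i++;
    if (i < len && (len - i != 2 || line[i] != '\r' || line[i + 1] != '\n'))
        return 0;                            /* anything but CRLF is invalid */
    *out = value;
    return 1;
}

/* Helpers for checking results on NUL-terminated sample lines. */
int chunk_line_is(const char *line, uint64_t expected)
{
    uint64_t v = 0;
    return parse_chunk_size(line, strlen(line), &v) && v == expected;
}

int chunk_line_rejected(const char *line)
{
    uint64_t v = 0;
    return !parse_chunk_size(line, strlen(line), &v);
}
```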
2. Impact
The Apache Web Server is the most popular web server, with 63% of the
market share (according to Netcraft - http://www.netcraft.com, as of
May 2002). The affected versions are Apache 1.x and Apache for
Windows versions 2.0 up to and including 2.0.36 and 2.0.36-dev. Take
note that many commercial application servers on Windows and Unix
platforms such as IBM Websphere and Oracle incorporate the Apache
HTTP engine to process web requests.
Exploiting this vulnerability has the potential to cause a denial
of service (DoS) against the web server or an overflow that will
allow the execution of malicious code on the system. These two
outcomes are possible on both Windows and Unix platforms. At this
time, the DoS vulnerabilities have been confirmed on most versions of
Apache and stack overflow attacks have been confirmed on version
1.3.24 of Apache for Windows. Overflow attacks are possible on all
platforms but may be more difficult to achieve on certain platforms
such as Unix.
Further technical details of this vulnerability are included in the ISS
X-force Security Advisory [4.1] and the posting found on the VulnWatch
mailing list describing the findings of Mark Litchfield [4.2]. Caution:
according to the official Apache security bulletin on this issue [4.4],
the patch provided by ISS does NOT correct this vulnerability.
3. Solution
The Apache Server Project [4.3] has released a security bulletin [4.4]
and a patch for this vulnerability. The patched Apache module is available
in the CVS tree at the following link:
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_protocol.c.
AusCERT recommends that sites prevent the exploitation of the vulnerability
by immediately upgrading and applying the patches available as described
above.
4. Further Information
Further technical details of this vulnerability are included in the ISS
X-force Security Advisory [4.1] and the posting found on the VulnWatch
mailing list describing the findings of Mark Litchfield [4.2].
[4.1] ISS Security Advisory - Remote Compromise Vulnerability in Apache
HTTP Server
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
[4.2] Apache httpd: vulnerability with chunked encoding
http://cert.uni-stuttgart.de/archive/vulnwatch/2002/06/msg00021.html
[4.3] Apache HTTP Server Project
http://httpd.apache.org
[4.4] Apache Security Bulletin 20020617
http://httpd.apache.org/info/security_bulletin_20020617.txt
- ---------------------------------------------------------------------------
AusCERT would like to thank the Canadian Computer Emergency Response Team
(CanCERT) (http://www.cancert.ca) for allowing use of their materials in
assembling the information contained in this advisory.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~