| -----BEGIN PGP SIGNED MESSAGE----- |
| |
| |
| SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt |
| |
| Date: June 20, 2002 |
| Product: Apache Web Server |
| Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions |
| up to 2.0.36; Apache 1.2 all versions. |
| |
| CVE-2002-0392 (mitre.org) [CERT VU#944335] |
| |
| - ---------------------------------------------------------- |
| ------------UPDATED ADVISORY------------ |
| - ---------------------------------------------------------- |
| Introduction: |
| |
| While testing for Oracle vulnerabilities, Mark Litchfield discovered a |
| denial of service attack for Apache on Windows. Investigation by the |
| Apache Software Foundation showed that this issue has a wider scope, which |
| on some platforms results in a denial of service vulnerability, while on |
| some other platforms presents a potential remote exploit vulnerability. |
| |
| This follow-up to our earlier advisory is to warn of known-exploitable |
| conditions related to this vulnerability on both 64-bit platforms and |
| 32-bit platforms alike. Though we previously reported that 32-bit |
| platforms were not remotely exploitable, it has since been proven by |
| Gobbles that certain conditions allowing exploitation do exist. |
| |
| Successful exploitation of this vulnerability can lead to the execution of |
| arbitrary code on the server with the permissions of the web server child |
| process. This can facilitate the further exploitation of vulnerabilities |
| unrelated to Apache on the local system, potentially allowing the intruder |
| root access. |
| |
| Note that early patches for this issue released by ISS and others do not |
| address its full scope. |
| |
| Due to the existence of exploits circulating in the wild for some platforms, |
| the risk is considered high. |
| |
| The Apache Software Foundation has released versions 1.3.26 and 2.0.39 |
| that address and fix this issue, and all users are urged to upgrade |
| immediately. |
| |
| As a reminder, we respectfully request that anyone who finds a potential |
| vulnerability in our software reports it to security@apache.org. |
| |
| |
| - ---------------------------------------------------------- |
| Full Description: |
| |
| Versions of the Apache web server up to and including 1.3.24 and 2.0 |
| up to and including 2.0.36 contain a bug in the routines that deal with |
| requests encoded using chunked encoding. This bug can be triggered |
| remotely, and this functionality is enabled by default. |
| |
| In most cases the outcome of the invalid request is that the child process |
| dealing with the request will terminate. At the least, this could help a |
| remote attacker launch a denial of service attack as the parent process |
| will eventually have to replace the terminated child process, and starting |
| new children uses non-trivial amounts of resources. |
| |
| On the Windows and Netware platforms, Apache runs one multithreaded child |
| process to service requests. The teardown and subsequent setup time to |
| replace the lost child process presents a significant interruption of |
| service. As the Windows and Netware ports create a new process and reread |
| the configuration, rather than fork a child process, this delay is much |
| more pronounced than on other platforms. |
| |
| In Apache 2.0, the error condition is correctly detected, so it will not |
| allow an attacker to execute arbitrary code on the server. However, |
| platforms could be using a multithreaded model with multiple concurrent |
| requests per child process (although the default preference remains |
| multiple processes with a single thread and request per process, and most |
| multithreaded models continue to create multiple child processes). Using |
| any multithreaded model, all concurrent requests currently served by the |
| affected child process will be lost. |
| |
| In Apache 1.3, the issue should cause a stack overflow. Due to the nature |
| of the overflow on 32-bit Unix platforms, this should cause a segmentation |
| violation and cause the child to terminate. However, some 32-bit platforms |
| are indeed exploitable due to quirks in their implementation. 64-bit |
| platforms are also likely to be exploitable due to a data type conversion |
| that occurs within Apache. We have been made aware that Apache 1.3 on |
| Windows is exploitable in a similar way as well. |
| |
| |
| -----BEGIN PGP SIGNATURE----- |
| Version: PGP 6.5.8 |
| |
| iQEVAwUBPRK8ztc6kLhrup1dAQEfzQf+NbNSVtg+nrcipH2DEnsLCbd0odjwHAZM |
| gBpJPShl5D+AFhxu3gNiMkOtnQs+LkyCQinYJErVNXUzK5das9VyBdtGswsXsKs0 |
| N/stacgdMg8fxenyK0CDhlUl3QLaVSit08Hwads0yYbeIEAKoLx/n7AvGr2CvDnh |
| fStxMvaiJgqadeq3udRSyy1UMl+hrxy2xMGZ3ducPMi5Bt/riZh+NJuEKazHosDY |
| 98wEvGQWPMWoYOWxI1Y45slu+QVrkbrgnkKvMDT6WHBDzD/we3I6ulHjoaBjMEF0 |
| 7m2bEBFL902SE4UDf1n2DxLFZHR8VMSFwUhqkPRNLxVbV42yxJwa2Q== |
| =vV/N |
| -----END PGP SIGNATURE----- |