Date: Fri, 04 Oct 2002 00:15:16 -0400
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
Subject: Fwd: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities
Message-ID: <5.1.1.6.0.20021004001325.0397c618@marble.sentex.ca>
FYI for those of you not on bugtraq.

---Mike

>From: "David Endler" <dendler@idefense.com>
>To: bugtraq@securityfocus.com
>Date: Thu, 3 Oct 2002 12:47:54 -0400
>Subject: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities
>Reply-To: dendler@idefense.com
>
>iDEFENSE Security Advisory 10.03.2002
>Apache 1.3.x shared memory scoreboard vulnerabilities
>
>16:00 GMT, October 3, 2002
>
>
>I. BACKGROUND
>
>The Apache Software Foundation's HTTP Server is an effort to develop
>and maintain an open-source HTTP server for modern operating systems
>including Unix and Windows NT. The goal of this project is to provide
>a secure, efficient and extensible server that provides HTTP services
>in sync with the current HTTP standards. More details about it are
>available at http://httpd.apache.org .
>
>II. DESCRIPTION
>
>Apache HTTP Server contains a vulnerability in its shared memory
>scoreboard. Attackers who can execute commands under the Apache UID
>can either send a (SIGUSR1) signal to any process as root, in most
>cases killing the process, or launch a local denial of service (DoS)
>attack.
>
>III. ANALYSIS
>
>Exploitation requires execute permission under the Apache UID. This
>can be obtained by any local user with a legitimate Apache scripting
>resource (i.e. PHP, Perl), exploiting a vulnerability in web-based
>applications written in the above example languages, or through the
>use of some other local/remote Apache exploit.
>
>Once such a status is attained, the attacker can then attach to the
>httpd daemon's 'scoreboard', which is stored in a shared memory
>segment owned by Apache. The attacker can then cause a DoS condition
>on the system by continuously filling the table with null values and
>causing the server to spawn new children.
>
>The attacker also has the ability to send any process a SIGUSR1
>signal as root. This is accomplished by continuously overwriting the
>parent[].pid and parent[].last_rtime segments within the scoreboard
>to the pid of the target process and a time in the past. When the
>target pid receives the signal SIGUSR1, it will react according to
>how it is designed to manage the signal. According to the man page
>(man 7 signal), if the signal is unhandled then the default action
>is to terminate:
>
>    ...
>    SIGUSR1   30,10,16   A   User-defined signal 1
>    ...
>    The letters in the "Action" column have the following meanings:
>
>    A   Default action is to terminate the process.
>    ...
>
>iDEFENSE successfully terminated arbitrary processes, including those
>that "kicked" people off the system.
>
>IV. DETECTION
>
>Apache HTTP Server 1.3.x, running on all applicable Unix platforms,
>is affected.
>
>V. VENDOR FIX/RESPONSE
>
>Apache HTTP Server 1.3.27 fixes this problem. It should be available
>on October 3 at http://www.apache.org/dist/httpd/ .
>
>VI. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
>has assigned the identification number CAN-2002-0839 to this issue.
>
>VII. DISCLOSURE TIMELINE
>
>8/27/2002  Issue disclosed to iDEFENSE
>9/18/2002  Vendor notified at security@apache.org
>9/18/2002  iDEFENSE clients notified
>9/19/2002  Response received from Mark J Cox (mark@awe.com)
>10/3/2002  Coordinated public disclosure
>
>VIII. CREDIT
>
>zen-parse (zen-parse@gmx.net) disclosed this issue to iDEFENSE.
>
>
>Get paid for security research
>http://www.idefense.com/contributor.html
>
>Subscribe to iDEFENSE Advisories:
>send email to listserv@idefense.com, subject line: "subscribe"
>
>
>About iDEFENSE:
>
>iDEFENSE is a global security intelligence company that proactively
>monitors sources throughout the world - from technical
>vulnerabilities and hacker profiling to the global spread of viruses
>and other malicious code. iALERT, our security intelligence service,
>provides decision-makers, frontline security professionals and
>network administrators with timely access to actionable intelligence
>and decision support on cyber-related threats. For more information,
>visit http://www.idefense.com.
>
>
>- -dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
>
>dendler@idefense.com
>www.idefense.com

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994, www.sentex.net
Cambridge, Ontario Canada, www.sentex.net/mike
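The trust problem the advisory describes, shown as an added example that is not part of the original message or of Apache's own code: the root parent keeps a private record of the children it actually forked and signals a scoreboard slot only when the pid in shared memory matches that record, so a slot rewritten from the Apache UID cannot aim SIGUSR1 at an arbitrary process. The type and function names (scoreboard, pid_table, count_signals, demo) and the pid and time values are constructed for illustration.

```c
/* Added example (not Apache's code): a parent that signals idle workers only
 * when the pid read from the shared scoreboard is one it forked itself.
 * All names below (scoreboard, pid_table, ...) are hypothetical. */
#include <string.h>
#include <sys/types.h>
#include <time.h>
#define MAX_CHILDREN 4
typedef struct { pid_t pid; time_t last_rtime; } parent_score;
typedef struct { parent_score parent[MAX_CHILDREN]; } scoreboard; /* shared segment, writable by the Apache UID */
typedef struct { pid_t pid[MAX_CHILDREN]; } pid_table;            /* private to the root parent, never shared */

static int in_pid_table(const pid_table *t, pid_t pid) {
    for (int i = 0; i < MAX_CHILDREN; i++)
        if (pid > 1 && t->pid[i] == pid) return 1;
    return 0;
}

/* Vulnerable pattern: trust pid and last_rtime straight from shared memory. */
int naive_should_signal(const scoreboard *sb, int slot, time_t now, int idle) {
    const parent_score *p = &sb->parent[slot];
    return p->pid != 0 && now - p->last_rtime >= idle;
}

/* Hardened pattern: same idle test, but the pid must also match a child the
 * parent forked, so a forged entry cannot aim SIGUSR1 at another process. */
int safe_should_signal(const scoreboard *sb, const pid_table *pt,
                       int slot, time_t now, int idle) {
    return naive_should_signal(sb, slot, now, idle)
        && in_pid_table(pt, sb->parent[slot].pid);
}

/* Counts the slots a reclaim pass would signal; a real server would call
 * kill(pid, SIGUSR1) for each one and log any slot the pid table rejects. */
int count_signals(const scoreboard *sb, const pid_table *pt, time_t now,
                  int idle, int hardened) {
    int n = 0;
    for (int i = 0; i < MAX_CHILDREN; i++)
        n += hardened ? safe_should_signal(sb, pt, i, now, idle)
                      : naive_should_signal(sb, i, now, idle);
    return n;
}

/* Constructed scenario: slot 0 is a genuine idle child (pid 4242); slot 1 has
 * been overwritten from the Apache UID to name pid 1 with a time in the past. */
int demo(int hardened) {
    scoreboard sb; pid_table pt;
    memset(&sb, 0, sizeof sb); memset(&pt, 0, sizeof pt);
    time_t now = 1000000;
    pt.pid[0] = 4242;
    sb.parent[0].pid = 4242; sb.parent[0].last_rtime = now - 600;
    sb.parent[1].pid = 1;    sb.parent[1].last_rtime = now - 600;
    return count_signals(&sb, &pt, now, 60, hardened);
}
```

With the naive policy the forged slot is signalled along with the real child (two signals); with the pid-table check only the genuine child is (one signal).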