From owner-freebsd-security Thu Oct 3 21:14:34 2002
Message-Id: <5.1.1.6.0.20021004001325.0397c618@marble.sentex.ca>
Date: Fri, 04 Oct 2002 00:15:16 -0400
From: Mike Tancsa
To: freebsd-security@freebsd.org
Subject: Fwd: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities

FYI for those of you not on bugtraq.
---Mike

>From: "David Endler"
>To: bugtraq@securityfocus.com
>Date: Thu, 3 Oct 2002 12:47:54 -0400
>Subject: iDEFENSE Security Advisory 10.03.2002: Apache 1.3.x shared memory scoreboard vulnerabilities
>Reply-To: dendler@idefense.com
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>iDEFENSE Security Advisory 10.03.2002
>Apache 1.3.x shared memory scoreboard vulnerabilities
>
>16:00 GMT, October 3, 2002
>
>
>I. BACKGROUND
>
>The Apache Software Foundation's HTTP Server is an effort to develop
>and maintain an open-source HTTP server for modern operating systems
>including Unix and Windows NT. The goal of this project is to provide
>a secure, efficient and extensible server that provides HTTP services
>in sync with the current HTTP standards. More details about it are
>available at http://httpd.apache.org .
>
>II. DESCRIPTION
>
>Apache HTTP Server contains a vulnerability in its shared memory
>scoreboard. Attackers who can execute commands under the Apache UID
>can either send a (SIGUSR1) signal to any process as root, in most
>cases killing the process, or launch a local denial of service (DoS)
>attack.
>
>III. ANALYSIS
>
>Exploitation requires execute permission under the Apache UID. This
>can be obtained by any local user with a legitimate Apache scripting
>resource (i.e. PHP, Perl), exploiting a vulnerability in web-based
>applications written in the above example languages, or through the
>use of some other local/remote Apache exploit.
>
>Once such a status is attained, the attacker can then attach to the
>httpd daemon's 'scoreboard', which is stored in a shared memory
>segment owned by Apache. The attacker can then cause a DoS condition
>on the system by continuously filling the table with null values and
>causing the server to spawn new children.
>
>The attacker also has the ability to send any process a SIGUSR1
>signal as root. This is accomplished by continuously overwriting the
>parent[].pid and parent[].last_rtime segments within the scoreboard
>to the pid of the target process and a time in the past. When the
>target pid receives the signal SIGUSR1, it will react according to
>how it is designed to manage the signal. According to the man page
>(man 7 signal), if the signal is un-handled then the default action
>is to terminate:
>
>   ...
>   SIGUSR1    30,10,16    A    User-defined signal 1
>   ...
>   The letters in the "Action" column have the following meanings:
>
>   A    Default action is to terminate the process.
>   ...
>
>iDEFENSE successfully terminated arbitrary processes, including those
>that "kicked" people off the system.
>
>IV. DETECTION
>
>Apache HTTP Server 1.3.x, running on all applicable Unix platforms,
>is affected.
>
>V. VENDOR FIX/RESPONSE
>
>Apache HTTP Server 1.3.27 fixes this problem. It should be available
>on October 3 at http://www.apache.org/dist/httpd/ .
>
>VI. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
>has assigned the identification number CAN-2002-0839 to this issue.
>
>VII. DISCLOSURE TIMELINE
>
>8/27/2002  Issue disclosed to iDEFENSE
>9/18/2002  Vendor notified at security@apache.org
>9/18/2002  iDEFENSE clients notified
>9/19/2002  Response received from Mark J Cox (mark@awe.com)
>10/3/2002  Coordinated public disclosure
>
>VIII. CREDIT
>
>zen-parse (zen-parse@gmx.net) disclosed this issue to iDEFENSE.
>
>
>Get paid for security research
>http://www.idefense.com/contributor.html
>
>Subscribe to iDEFENSE Advisories:
>send email to listserv@idefense.com, subject line: "subscribe"
>
>
>About iDEFENSE:
>
>iDEFENSE is a global security intelligence company that proactively
>monitors sources throughout the world — from technical
>vulnerabilities and hacker profiling to the global spread of viruses
>and other malicious code. iALERT, our security intelligence service,
>provides decision-makers, frontline security professionals and
>network administrators with timely access to actionable intelligence
>and decision support on cyber-related threats. For more information,
>visit http://www.idefense.com.
>
>
>-dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
>
>dendler@idefense.com
>www.idefense.com
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1.2
>Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
>
>iQA/AwUBPZx0I0rdNYRLCswqEQIowQCfQT+FYR1FLTEzlf49SpJXwDnie8wAn3Kr
>CncduGV6EYHqVayQE90b7Yij
>=4T8j
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
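The trust problem section III of the advisory describes, as an added example that is not from the advisory or from Apache's own source: a privileged parent that acts on a pid read straight out of the shared scoreboard, beside the check a fixed server needs, namely a parent-private table of the pids it actually forked, so that a slot whose pid and last_rtime were rewritten by a child is rejected instead of signalled. Slot count, idle limit, field names and pid values are constructed for the demonstration.

```c
#include <signal.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#define MAX_CHILDREN   8
#define IDLE_LIMIT_SEC 30

/* One scoreboard slot as the parent sees it: lives in shared memory that
 * every child process (Apache UID) can write, so neither field is trusted. */
struct parent_score {
    pid_t  pid;          /* the advisory's parent[].pid */
    time_t last_rtime;   /* the advisory's parent[].last_rtime */
};

/* Parent-private record of the pid forked into each slot; never shared. */
struct child_table {
    pid_t pid[MAX_CHILDREN];
};

enum verdict { V_IDLE_OK, V_SIGNAL, V_REJECT_TAMPERED, V_REJECT_BAD_SLOT };

/* Vulnerable decision (the 1.3.x pattern): trust the shared pid and decide
 * to signal it as soon as the shared timestamp makes the slot look idle. */
enum verdict decide_unchecked(const struct parent_score *sb, int slot, time_t now)
{
    if (slot < 0 || slot >= MAX_CHILDREN) return V_REJECT_BAD_SLOT;
    if (sb[slot].pid == 0) return V_IDLE_OK;
    if (now - sb[slot].last_rtime > IDLE_LIMIT_SEC) return V_SIGNAL; /* pid never validated */
    return V_IDLE_OK;
}

/* Hardened decision: the same idle test, but only for a pid the parent itself
 * recorded at fork time. A rewritten pid therefore cannot steer the signal. */
enum verdict decide_checked(const struct child_table *priv, const struct parent_score *sb,
                            int slot, time_t now)
{
    if (slot < 0 || slot >= MAX_CHILDREN) return V_REJECT_BAD_SLOT;
    pid_t shared = sb[slot].pid;
    if (shared == 0) return V_IDLE_OK;
    if (shared <= 1 || shared != priv->pid[slot]) return V_REJECT_TAMPERED; /* not our child */
    if (now - sb[slot].last_rtime > IDLE_LIMIT_SEC) return V_SIGNAL;
    return V_IDLE_OK;
}

/* The only function that touches a process; it signals the private pid, never the shared one. */
int reap_idle_child(const struct child_table *priv, const struct parent_score *sb, int slot, time_t now)
{
    if (decide_checked(priv, sb, slot, now) != V_SIGNAL) return 0;
    return kill(priv->pid[slot], SIGUSR1) == 0 ? 1 : -1;
}
```

Note that even with the check a child can still mark its own slot idle and get itself killed, which is no more than it could already do to itself; what the check removes is the parent's root-privileged signal reaching a pid the parent never created.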