Date:      Fri, 21 Jun 2002 12:35:38 -0500
From:      "W. D." <WD@US-Webmasters.com>
To:        freebsd-questions@freebsd.org
Subject:   High Risk Apache Exploit Circulating 
Message-ID:  <5.1.0.14.2.20020621122234.043be070@us-webmasters.com>

Does anyone have simple instructions to upgrade?

http://www.apache.org/dist/httpd/Announcement.html

June 21, 2002

High Risk Apache Exploit Circulating

By Ryan Naraine

The Apache Foundation has issued a warning that exploits to its chunk handling vulnerability are circulating on the Internet, putting users of its open-source server at high risk.

The vulnerability, which Apache now says affects both 64-bit platforms and 32-bit platforms alike, could cause denial-of-service attacks or allow an attacker to take remote control of a server.

"Though we previously reported that 32-bit platforms were not remotely exploitable, it has since been proven (that certain conditions allowing exploitation do exist)," Apache warned, urging users to upgrade to versions 1.3.26 and 2.0.39 to apply a comprehensive fix.

"Due to the existence of exploits circulating in the wild for some platforms, the risk is considered high... All users are urged to upgrade immediately," the Foundation said.

Apache updated its security bulletin to warn that exploitation of the chunk handling bug could lead to the further exploitation of vulnerabilities unrelated to Apache on the local system, potentially allowing the intruder root access.

"Note that early patches for this issue released by ISS and others do not address its full scope," Apache said, referring to a patch that was issued by Internet Security Systems (ISS) that did not offer a comprehensive fix.

The existence of the Apache exploit made the rounds on the popular Bugtraq security e-mail list. Posts to the list include this warning that the Apache exploit tool was "./friendly," meaning anyone with basic scripting capabilities "should be able to run it without any trouble."

The release of the source code for the Apache exploit adds new fuel to the controversy over how the bug announcement was handled. The original warning was first reported by the ISS, causing friction between the security outfit and the Apache Foundation.

Apache officials were upset they weren't first notified before the ISS issued its advisory and patch, a normal procedure when bugs are detected.

The Apache Foundation said the bug affected versions of its Web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 and 2.0.36-dev, warning that it could be triggered remotely by sending a carefully crafted invalid request, which is enabled by default.

"In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources," Apache said.

Because Apache servers on the Windows and Netware platforms run one multithreaded child process to service requests, the Foundation said the teardown and subsequent setup time to replace the lost child process presents a significant interruption of service. "As the Windows and Netware ports create a new process and reread the configuration, rather than fork a child process, this delay is much more pronounced than on other platforms," it explained.

In the Apache 2.0 version, it said the error condition is correctly detected and would not allow an attacker to execute code on the server. In Apache 1.3, it said the issue causes a stack overflow.

The Foundation again warned that vendor patches should be used to correct the vulnerability as a matter of urgency.

http://www.apache.org/dist/httpd/Announcement.html

Start Here to Find It Fast!© -> http://www.US-Webmasters.com/start.htm
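A triage check an administrator could run against the version ranges the announcement quotes (affected up to 1.3.24 and 2.0.36 including 2.0.36-dev, fixed in 1.3.26 and 2.0.39), added here as an example; it is not from the original post, from Apache or from the article. It assumes banners of the form `Apache/x.y.z` and treats any release between the last affected and first fixed version, or a -dev snapshot of the fixed release, as still needing confirmation.

```python
import re
from typing import Optional, Tuple

# Version ranges exactly as quoted in the Apache announcement above:
# affected up to and including 1.3.24 and 2.0.36 (2.0.36-dev included),
# comprehensive fix in 1.3.26 and 2.0.39.
LAST_AFFECTED = {"1.3": (1, 3, 24), "2.0": (2, 0, 36)}
FIRST_FIXED = {"1.3": (1, 3, 26), "2.0": (2, 0, 39)}

# Matches the product token of a Server header, e.g. "Apache/1.3.24 (Unix)".
_BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)(-dev)?", re.IGNORECASE)


def parse_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_dev), or None if no version is exposed.
    A server that hides its version (e.g. ServerTokens Prod) yields None;
    the authoritative check is then `httpd -v` on the host itself."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def assess(banner: str) -> str:
    """Classify one banner as 'affected', 'fixed', 'unconfirmed' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, is_dev = parsed
    branch = f"{version[0]}.{version[1]}"
    if branch not in FIRST_FIXED:
        return "unknown"          # branch not covered by the announcement
    if version <= LAST_AFFECTED[branch]:
        return "affected"
    # Assumption: a -dev snapshot numbered like the fixed release may
    # predate the fix, so it is not reported as fixed.
    if version >= FIRST_FIXED[branch] and not is_dev:
        return "fixed"
    return "unconfirmed"          # between last affected and first fixed


def triage(banners):
    """Map each banner to its classification."""
    return {b: assess(b) for b in banners}


SAMPLE_BANNERS = [            # constructed sample input, not captured data
    "Apache/1.3.24 (Unix) PHP/4.2.1",
    "Apache/2.0.36-dev (Win32)",
    "Apache/1.3.26 (FreeBSD)",
    "Apache/2.0.39 (NETWARE)",
    "Apache",                 # version hidden by ServerTokens
]
```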

