Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Mark J Cox (mjcapache.org)
Date: Mon Jun 17 2002 - 12:23:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


    Date: June 17, 2002
    Product: Apache Web Server
    Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
    up to 2.0.39


    While testing for Oracle vulnerabilities, Mark Litchfield discovered a
    denial of service attack for Apache on Windows. Investigation by the
    Apache Software Foundation showed that this issue has a wider scope, which
    on some platforms results in a denial of service vulnerability, while on
    some other platforms presents a potential a remote exploit vulnerability.

    We were also notified today by ISS that they had published the same issue
    which has forced the early release of this advisory.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-0392 to this issue.


    Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
    and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
    which deal with invalid requests which are encoded using chunked encoding.
    This bug can be triggered remotely by sending a carefully crafted invalid
    request. This functionality is enabled by default.

    In most cases the outcome of the invalid request is that the child process
    dealing with the request will terminate. At the least, this could help a
    remote attacker launch a denial of service attack as the parent process
    will eventually have to replace the terminated child process and starting
    new children uses non-trivial amounts of resources.

    On the Windows and Netware platforms, Apache runs one multithreaded child
    process to service requests. The teardown and subsequent setup time to
    replace the lost child process presents a significant interruption of
    service. As the Windows and Netware ports create a new process and reread
    the configuration, rather than fork a child process, this delay is much
    more pronounced than on other platforms.

    In Apache 2.0 the error condition is correctly detected, so it will not
    allow an attacker to execure arbitrary code on the server. However
    platforms could be using a multithreaded model of multiple concurrent
    requests per child process (although the default preference remains
    multiple processes with a single thread and request per process, and most
    multithreaded models continue to create multiple child processes). Using
    any multithreaded model, all concurrent requests currently served by the
    affected child process will be lost.

    In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
    overflow on 32-bit Unix platforms this will cause a segmentation violation
    and the child will terminate. However on 64-bit platforms the overflow
    can be controlled and so for platforms that store return addresses on the
    stack it is likely that it is further exploitable. This could allow
    arbitrary code to be run on the server as the user the Apache children are
    set to run as.

    We have been made aware that Apache 1.3 on Windows is exploitable in this

    Please note that the patch provided by ISS does not correct this

    The Apache Software Foundation are currently working on new releases that
    fix this issue, please see http://httpd.apache.org/ for updated

    - -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    - -----END PGP SIGNATURE-----

    Version: PGP 6.5.8

    -----END PGP SIGNATURE-----