OSEC

From: David Endler (dendler_at_idefense.com)
Date: Thu Oct 03 2002 - 11:47:54 CDT



    iDEFENSE Security Advisory 10.03.2002
    Apache 1.3.x shared memory scoreboard vulnerabilities

    16:00 GMT, October 3, 2002

    I. BACKGROUND

    The Apache Software Foundation's HTTP Server is an effort to develop
    and maintain an open-source HTTP server for modern operating systems
    including Unix and Windows NT. The goal of this project is to provide
    a secure, efficient and extensible server that provides HTTP services
    in sync with the current HTTP standards. More details about it are
    available at http://httpd.apache.org .

    II. DESCRIPTION

    Apache HTTP Server contains a vulnerability in its shared memory
    scoreboard. Attackers who can execute commands under the Apache UID
    can either cause a SIGUSR1 signal to be sent, as root, to any process
    (in most cases killing it) or launch a local denial of service (DoS)
    attack.

    III. ANALYSIS

    Exploitation requires execute permission under the Apache UID. This
    can be obtained by any local user with a legitimate Apache scripting
    resource (e.g., PHP, Perl), by exploiting a vulnerability in a
    web-based application written in one of those languages, or through
    the use of some other local/remote Apache exploit.

    Once such access is obtained, the attacker can attach to the httpd
    daemon's 'scoreboard', which is stored in a shared memory segment
    owned by Apache. The attacker can then cause a DoS condition on the
    system by continuously filling the table with null values, causing
    the server to spawn new children.

    The attacker also has the ability to have any process sent a SIGUSR1
    signal as root. This is accomplished by continuously overwriting the
    parent[].pid and parent[].last_rtime fields within the scoreboard
    with the pid of the target process and a time in the past. When the
    target pid receives SIGUSR1, it reacts according to how it was
    designed to handle the signal. According to the man page
    (man 7 signal), if the signal is unhandled then the default action
    is to terminate:

         ...
         SIGUSR1 30,10,16 A User-defined signal 1
         ...
         The letters in the "Action" column have the following meanings:

         A Default action is to terminate the process.
         ...

    iDEFENSE successfully terminated arbitrary processes, including those
    that "kicked" people off the system.
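    The trust flaw described above, as an added example that is not Apache's code: a toy model of a root parent that reads a child pid and idle timestamp from a shared, attacker-writable scoreboard slot, beside the hardened form in which the parent only acts on pids recorded in its own private table of forked children. The slot layout, field names, thresholds and pids are assumptions constructed for the example.

```c
/* Added example (not Apache's code): models the trust flaw behind
 * CAN-2002-0839 and the defensive pattern. The slot is a simplified
 * stand-in for the scoreboard's parent[].pid / parent[].last_rtime. */
#include <stddef.h>
#include <sys/types.h>
#include <time.h>

#define MAX_CHILDREN 8
#define MAX_IDLE_SECS 60

struct slot { pid_t pid; time_t last_rtime; };         /* shared, writable by Apache UID */
struct parent_state { pid_t children[MAX_CHILDREN]; }; /* private to the root parent   */

/* Both the pid and the timestamp come from shared memory, so both can be forged. */
static pid_t candidate_from_slot(const struct slot *shared, int i, time_t now) {
    const struct slot *s = &shared[i];
    return (s->pid > 0 && now - s->last_rtime > MAX_IDLE_SECS) ? s->pid : -1;
}

/* Vulnerable pattern: signal whatever pid the shared slot names. */
static pid_t vulnerable_target(const struct slot *shared, int i, time_t now) {
    return candidate_from_slot(shared, i, now);
}

/* The parent remembers every pid it forked in memory nobody else can write. */
static int is_own_child(const struct parent_state *st, pid_t pid) {
    for (size_t i = 0; i < MAX_CHILDREN; i++)
        if (pid > 1 && st->children[i] == pid) return 1;
    return 0;
}

/* Hardened pattern: a pid read from shared memory is only acted on when it
 * matches the parent's private record; a forged or stale slot is refused. */
static pid_t hardened_target(const struct parent_state *st,
                             const struct slot *shared, int i, time_t now) {
    pid_t p = candidate_from_slot(shared, i, now);
    return is_own_child(st, p) ? p : -1;
}

/* Constructed scenario: slot 0 is a genuine idle child (pid 4242); slot 1 has
 * been overwritten to name an unrelated process (pid 1337) with a timestamp
 * in the past. No signal is sent; the result is the pid that WOULD be signalled,
 * or -1 if the parent refuses. */
static pid_t scenario(int hardened, int slot) {
    const time_t now = 1000000;
    struct parent_state st = { .children = { 4242, 4243 } };
    struct slot shared[MAX_CHILDREN] = { { 4242, now - 120 }, { 1337, 0 } };
    return hardened ? hardened_target(&st, shared, slot, now)
                    : vulnerable_target(shared, slot, now);
}
```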

    IV. DETECTION

    Apache HTTP Server 1.3.x, running on all applicable Unix platforms,
    is affected.

    V. VENDOR FIX/RESPONSE

    Apache HTTP Server 1.3.27 fixes this problem. It should be available
    on October 3 at http://www.apache.org/dist/httpd/ .

    VI. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-0839 to this issue.

    VII. DISCLOSURE TIMELINE

    8/27/2002 Issue disclosed to iDEFENSE
    9/18/2002 Vendor notified at security@apache.org
    9/18/2002 iDEFENSE clients notified
    9/19/2002 Response received from Mark J Cox (mark@awe.com)
    10/3/2002 Coordinated public disclosure

    VIII. CREDIT

    zen-parse (zen-parse@gmx.net) disclosed this issue to iDEFENSE.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world, from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. iALERT, our security intelligence service,
    provides decision-makers, frontline security professionals and
    network administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendler@idefense.com
    www.idefense.com
