ISSalert: ISS Alert: Apache HTTP Server Exploit in Circulation

From: X-Force (xforce@iss.net)
Date: 06/20/02


Date: Wed, 19 Jun 2002 20:59:42 -0400 (EDT)
To: alert@iss.net
From: X-Force <xforce@iss.net>



-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
June 19, 2002

Apache HTTP Server Exploit in Circulation

Synopsis:

ISS X-Force has learned that a functional remote Apache HTTP Server
exploit has been released. This exploit may have been in use in the
underground for some time. Apache is the most popular Web server and is
used on over half of all Web servers on the Internet. It may be possible
for remote attackers to exploit this vulnerability to compromise Apache
Web servers. Successful exploitation may lead to modified Web content,
denial of service, or further compromise.

Affected Versions:

Apache 1.3.x versions up to and including 1.3.24
Apache 2.x versions up to and including 2.0.36

Note: Many commercial Web Application Servers such as Oracle 9ias and
IBM Websphere use Apache HTTP Server to process HTTP requests.
Additional products that bundle Apache HTTP Server may be affected.

Description:

The Apache HTTP Server is maintained by the Apache Software Foundation.
Apache is an extremely popular open-source Web server. Netcraft
(http://www.netcraft.com) reports that as of May 2002, Apache accounts
for over 63% of all active Web sites. Apache’s installed base is larger
than all other Web servers combined.

The Apache Project is an open-source, volunteer collaboration that aims
to create and maintain a free, feature-rich, powerful, and secure Web
server implementation. Apache is well regarded as the best, freely
available Web server.

Apache contains a flawed mechanism for calculating the size of
"chunked"-encoded request data. Chunked encoding is part of the HTTP/1.1
protocol specification and is used for accepting data from Web users. When data is sent
from the user, the Web server needs to allocate a memory buffer of a
certain size to hold the submitted data. When the size of the data being
submitted is unknown, the client or Web browser will communicate with
the server by creating "chunks" of data of a negotiated size.

The Apache HTTP Server has a software flaw that misinterprets the size
of incoming data chunks. This error may lead to a stack overflow, denial
of service, and/or the potential to execute arbitrary commands.
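The following is an added example, not code from the ISS advisory or from the Apache project: a chunked-body decoder written from the defender's side, showing the two checks whose absence the advisory describes. The chunk size is accumulated as an unsigned size_t with an overflow check before every shift, so a digit string can never wrap or read as a negative length, and every memcpy is bounded by both the remaining input and the remaining output capacity. The 1 MiB per-chunk cap is a policy value chosen for illustration, and the sample bodies are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Policy cap on one chunk, chosen for this example: a chunk-size line that
 * decodes above it is rejected before a single byte is copied. */
#define MAX_CHUNK_SIZE ((size_t)1 << 20)

enum {
    CHUNK_OK            =  0,
    CHUNK_ERR_MALFORMED = -1,  /* not a hex size, or CRLF missing */
    CHUNK_ERR_TOO_LARGE = -2,  /* above the cap or above destination space */
    CHUNK_ERR_TRUNCATED = -3   /* input ends before the chunk it announces */
};

/* Parse the hex chunk-size at p. The value is accumulated as an unsigned
 * size_t with an overflow check before every shift, so no digit string can
 * wrap or read as negative; that misinterpretation is the class of flaw the
 * advisory describes. Stores the value and the number of digits consumed. */
static int parse_chunk_size(const unsigned char *p, size_t avail,
                            size_t *size, size_t *consumed)
{
    size_t val = 0, i;
    for (i = 0; i < avail; i++) {
        unsigned c = p[i], d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (val > (MAX_CHUNK_SIZE >> 4)) return CHUNK_ERR_TOO_LARGE;
        val = (val << 4) | d;
        if (val > MAX_CHUNK_SIZE) return CHUNK_ERR_TOO_LARGE;
    }
    if (i == 0) return CHUNK_ERR_MALFORMED;
    *size = val;
    *consumed = i;
    return CHUNK_OK;
}

/* Decode a complete chunked body from in[] into out[]. Every copy is bounded
 * by the remaining input and the remaining output capacity, both checked in
 * size_t arithmetic before memcpy. Trailer headers are not interpreted. */
int decode_chunked(const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t size, n;
        int rc;
        if (pos >= in_len) return CHUNK_ERR_TRUNCATED;
        rc = parse_chunk_size(in + pos, in_len - pos, &size, &n);
        if (rc != CHUNK_OK) return rc;
        pos += n;
        if (pos < in_len && in[pos] == ';')        /* optional chunk extension */
            while (pos < in_len && in[pos] != '\r') pos++;
        if (in_len - pos < 2) return CHUNK_ERR_TRUNCATED;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_ERR_MALFORMED;
        pos += 2;
        if (size == 0) break;                      /* last-chunk */
        if (size > in_len - pos) return CHUNK_ERR_TRUNCATED;
        if (size > out_cap - written) return CHUNK_ERR_TOO_LARGE;
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in_len - pos < 2) return CHUNK_ERR_TRUNCATED;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_ERR_MALFORMED;
        pos += 2;
    }
    *out_len = written;
    return CHUNK_OK;
}

/* Constructed sample bodies (no NUL bytes, so strlen gives their length). */
static int run(const char *body, unsigned char *buf, size_t cap, size_t *len)
{
    return decode_chunked((const unsigned char *)body, strlen(body), buf, cap, len);
}

/* Well-formed body with a chunk extension; 1 if it decodes to "hello world". */
int demo_good_body(void)
{
    unsigned char buf[64]; size_t len = 0;
    int rc = run("5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n", buf, sizeof buf, &len);
    return rc == CHUNK_OK && len == 11 && memcmp(buf, "hello world", 11) == 0;
}

/* Chunk-size "ffffffff": stored in a signed 32-bit int this reads as -1; here
 * it is an unsigned value compared against the cap and rejected before any copy. */
int demo_huge_size(void)
{
    unsigned char buf[64]; size_t len = 0;
    return run("ffffffff\r\nx\r\n0\r\n\r\n", buf, sizeof buf, &len);
}

/* A legitimate 8-byte chunk offered a 4-byte destination: rejected, not overflowed. */
int demo_small_destination(void)
{
    unsigned char buf[4]; size_t len = 0;
    return run("8\r\nabcdefgh\r\n0\r\n\r\n", buf, sizeof buf, &len);
}

int main(void)
{
    printf("good body decodes: %d\n", demo_good_body());
    printf("huge size rc: %d (expect %d)\n", demo_huge_size(), CHUNK_ERR_TOO_LARGE);
    printf("small destination rc: %d (expect %d)\n", demo_small_destination(), CHUNK_ERR_TOO_LARGE);
    return 0;
}
```

The order of the checks matters: the size is validated against the cap while it is still being parsed, and against the destination before the copy, so a hostile chunk-size line is never turned into a length that reaches memcpy.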

X-Force has verified that this issue is exploitable on Apache HTTP
Server version 1.3.24 for Windows (Win32) as well as Apache HTTP Server
version 1.3.24 for OpenBSD. It has been reported that exploit code has
been developed for the following operating systems and platforms:

Sun Solaris 6-8 (Sparc/x86)
FreeBSD 4.3-4.5 (x86)
OpenBSD 2.6-3.1 (x86)
Linux (GNU) 2.4 (x86)

Recommendations:

Internet Scanner X-Press Update 6.13 includes an updated version of the
ApacheChunkedEncodingBo check to detect all vulnerable installations of
Apache HTTP Server. XPU 6.13 will be available from the ISS Download
Center at: http://www.iss.net/download, 2002.

Detection support for this attack is included in X-Press Updates for
RealSecure Network Sensor 6.x and 7.0. XPU 4.4 for RealSecure 6.x
includes the HTTP_IIS_ASP_Chunked_Overflow signature to detect
exploitation attempts.

XPU 20.1 for RealSecure 7.0 includes two signatures:
HTTP_Field_With_Binary
HTTP_Fields_With_Binary

When detecting known exploits, the event information field for these
signatures will display suspicious information similar to the following:
AAAAAAAAAAAAAAAA...j.Rj.j....h/shh/bin..1.PR..PQRP.;...
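Added example, not ISS signature logic and not part of the advisory: a small inspector in C for the kind of field content the event information above shows. It flags two heuristics, a byte outside printable ASCII (plus CR, LF and TAB) and one byte value repeated many times, and renders the field for a log the way the advisory's sample reads, with non-printable bytes shown as dots. The run threshold and the sample fields are constructed for illustration; the non-printable bytes in the sample are arbitrary values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic threshold chosen for this example; not the signature internals. */
#define MAX_REPEAT_RUN 16

#define FLAG_BINARY   0x1  /* byte outside printable ASCII, CR, LF, TAB */
#define FLAG_LONG_RUN 0x2  /* one byte value repeated MAX_REPEAT_RUN or more times */

/* Inspect one HTTP field (request line, header line or chunk-size line) and
 * return a bitmask of the heuristics that fired; 0 means nothing suspicious. */
int inspect_http_field(const unsigned char *buf, size_t len)
{
    int flags = 0;
    size_t run = 0;
    unsigned prev = 0x100;                 /* sentinel: no previous byte */
    for (size_t i = 0; i < len; i++) {
        unsigned c = buf[i];
        int printable = (c >= 0x20 && c <= 0x7e) || c == '\r' || c == '\n' || c == '\t';
        if (!printable) flags |= FLAG_BINARY;
        if (c == prev) {
            if (++run >= MAX_REPEAT_RUN) flags |= FLAG_LONG_RUN;
        } else {
            run = 1;
            prev = c;
        }
    }
    return flags;
}

/* Render a field for an event log the way the advisory's example reads:
 * printable bytes kept, everything else (including CR/LF) shown as '.'.
 * Returns the number of characters written, excluding the terminator. */
size_t sanitize_for_log(const unsigned char *in, size_t len, char *out, size_t out_cap)
{
    size_t n = 0;
    if (out_cap == 0) return 0;
    for (size_t i = 0; i < len && n < out_cap - 1; i++) {
        unsigned c = in[i];
        out[n++] = (c >= 0x20 && c <= 0x7e) ? (char)c : '.';
    }
    out[n] = '\0';
    return n;
}

/* Constructed samples. */
static const char BENIGN[] = "Host: www.example.com\r\n";

/* 20 'A's followed by a few non-printable bytes: a padding run plus binary,
 * the shape the advisory's event field shows. Arbitrary bytes, not an exploit. */
static size_t build_suspicious(unsigned char *buf, size_t cap)
{
    static const unsigned char tail[] = { 0x01, 0x80, 0xff, 'j', 0x02 };
    size_t n = 0;
    if (cap < 20 + sizeof tail) return 0;
    memset(buf, 'A', 20); n = 20;
    memcpy(buf + n, tail, sizeof tail); n += sizeof tail;
    return n;
}

int demo_benign(void)
{
    return inspect_http_field((const unsigned char *)BENIGN, sizeof BENIGN - 1);
}

int demo_suspicious(void)
{
    unsigned char buf[32];
    size_t len = build_suspicious(buf, sizeof buf);
    return inspect_http_field(buf, len);
}

const char *demo_suspicious_rendered(void)
{
    static char out[64];
    unsigned char buf[32];
    size_t len = build_suspicious(buf, sizeof buf);
    sanitize_for_log(buf, len, out, sizeof out);
    return out;
}

int main(void)
{
    printf("benign flags=%d\n", demo_benign());
    printf("suspicious flags=%d rendered=%s\n", demo_suspicious(), demo_suspicious_rendered());
    return 0;
}
```

Both heuristics are cheap enough to run on every request line and header at the sensor, and the rendered form is what an analyst would see in the event field; the thresholds should be tuned against the site's own legitimate traffic before alerting on them.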

These XPUs will be available from the ISS Download Center at:
http://www.iss.net/download.

For questions about downloading and installing XPUs, email
support@iss.net.

The patch provided by ISS X-Force on June 17, 2002 blocks all known
attempts to compromise known vulnerable platforms. Refer to the
Recommendations section of "Remote Compromise Vulnerability in Apache
HTTP Server" available at:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502.

X-Force recommends users of Apache version 1.3.x upgrade to 1.3.26 and
users of Apache version 2.0 upgrade to version 2.0.39. These upgrades
address the vulnerability described in this advisory. Please refer to
the Apache Server Project's homepage for more information:
http://httpd.apache.org/

Additional Information:

http://www.iss.net/security_center
http://www.apache.org
http://httpd.apache.org/

______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPREo4jRfJiV99eG9AQGo5wP+L9vx5ax8aBv825z4H/pXprg1nXnG3x4K
QHEb2pSlyqN2NGxC5uTYR7LVFvbKEokQ2RKNnHHPE7Fp94Y3mmi7YtwlXh20SCa0
2YvIhlCDSKzdmb396kw0O21DMKGtuaxFerk+vTkqSw0elr/KJv4eq4KPcpzz1gK3
mwCLksRJ+FM=
=epLS
-----END PGP SIGNATURE-----

