[UNIX] Remote Compromise Vulnerability in Apache HTTP Server (Chunked Encoding)

From: support@securiteam.com
Date: 06/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 17 Jun 2002 21:34:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remote Compromise Vulnerability in Apache HTTP Server (Chunked Encoding)
------------------------------------------------------------------------

SUMMARY

ISS X-Force and Mark Litchfield have both discovered a serious
vulnerability in the default version of Apache HTTP Server. Apache is the
most popular Web server and is used on over half of all Web servers on the
Internet. It may be possible for remote attackers to exploit this
vulnerability to compromise Apache Web servers. Successful exploitation
may lead to modified Web content, denial of service, or further
compromise.

DETAILS

Vulnerable systems:
Apache 1.3 all versions including 1.3.24, Apache 2 all versions up to
2.0.39

Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
which deal with invalid requests which are encoded using chunked encoding.
This bug can be triggered remotely by sending a carefully crafted invalid
request. This functionality is enabled by default.

In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate. At the least, this could help a
remote attacker launch a denial of service attack, as the parent process
will eventually have to replace the terminated child, and starting new
children consumes non-trivial amounts of resources.

On the Windows and Netware platforms, Apache runs one multithreaded child
process to service requests. The teardown and subsequent setup time to
replace the lost child process presents a significant interruption of
service. As the Windows and Netware ports create a new process and reread
the configuration, rather than fork a child process, this delay is much
more pronounced than on other platforms.

In Apache 2.0 the error condition is correctly detected, so it will not
allow an attacker to execute arbitrary code on the server. However, some
platforms may be using a multithreaded model with multiple concurrent
requests per child process (although the default preference remains
multiple processes with a single thread and request per process, and most
multithreaded models continue to create multiple child processes). Under
any multithreaded model, all concurrent requests currently being served by
the affected child process will be lost.

In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
overflow on 32-bit UNIX platforms this will cause a segmentation violation
and the child will terminate. However on 64-bit platforms the overflow
can be controlled and so for platforms that store return addresses on the
stack it is likely that it is further exploitable. This could allow
arbitrary code to be run on the server as the user the Apache children are
set to run as.

We have been made aware that Apache 1.3 on Windows is exploitable in this
way.
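The advisory describes the trigger only as an invalid chunked-encoded request and does not show the affected routines. As an added example (not Apache's code and not from the advisory), the following Python decoder illustrates the defensive rule the bug class calls for: every chunk-size line is strictly validated and bounded before any chunk data is copied. The size limits and sample bodies are constructed for this example.

```python
import re

# Constructed policy limits for this example (not from the advisory).
MAX_CHUNK_BYTES = 1 << 20   # largest single chunk we accept: 1 MiB
MAX_BODY_BYTES = 8 << 20    # largest decoded body we accept: 8 MiB

# chunk-size = 1..8 hex digits, optionally followed by a ";ext" chunk extension.
# Capping the digit count keeps the value inside 32 bits before it is ever used.
_CHUNK_SIZE_RE = re.compile(r"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?")


class ChunkError(ValueError):
    """Raised for any chunk-size line or chunk framing we refuse to trust."""


def parse_chunk_size(line: bytes, max_chunk: int = MAX_CHUNK_BYTES) -> int:
    """Parse one chunk-size line (without its CRLF); raise ChunkError if invalid."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ChunkError("non-ASCII bytes in chunk-size line") from None
    match = _CHUNK_SIZE_RE.fullmatch(text)
    if match is None:               # covers '-1', '0x10', overlong digit runs, spaces
        raise ChunkError(f"malformed chunk-size line: {text!r}")
    size = int(match.group(1), 16)
    if size > max_chunk:
        raise ChunkError(f"chunk size {size:#x} exceeds limit {max_chunk:#x}")
    return size


def decode_chunked(body: bytes, max_chunk: int = MAX_CHUNK_BYTES,
                   max_body: int = MAX_BODY_BYTES) -> bytes:
    """Decode a chunked body, validating every size before any data is copied."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        size = parse_chunk_size(body[pos:eol], max_chunk)
        pos = eol + 2
        if size == 0:
            return bytes(out)       # last-chunk reached; trailers are not processed
        if len(out) + size > max_body:
            raise ChunkError("decoded body would exceed limit")
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data truncated or not CRLF-terminated")
        out += data
        pos += size + 2
```

Running `decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n")` returns `b"Wikipedia"`, while size lines such as `-1`, `0x10`, sixteen `F`s or a value above the chunk limit raise `ChunkError` before any copy takes place.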

Vendor status:
The Apache Software Foundation are currently working on new releases that
fix this issue; please see http://httpd.apache.org/ for updated versions.

ADDITIONAL INFORMATION

The information has been provided by Mark J Cox <mjc@apache.org>.
