[NEWS] Additional Details of Apache 2.x Security Flaw (Attack Vectors)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03
- Previous message: SecuriTeam: "[NEWS] Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 31 May 2003 12:05:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Additional Details of Apache 2.x Security Flaw (Attack Vectors)
------------------------------------------------------------------------
SUMMARY
Additional details have come to light regarding the
<http://www.securiteam.com/securitynews/5ZP0V0AA0Y.html> Apache Portable
Runtime Denial of Service and Arbitrary Code Execution Vulnerability. The
details below show that the issue affects a broader range of
products/modules than was previously thought.
DETAILS
After additional analysis of the Apache 2.x vulnerability described in
<http://www.securiteam.com/securitynews/5ZP0V0AA0Y.html> iDEFENSE advisory
#053003 (APR vulnerability), Matthew Murphy has found additional modules
associated with Apache that are vulnerable to this exploit. Users running
any of the following:
mod_alias**
mod_dav/mod_dav_fs
mod_dir**
mod_imap**
mod_proxy
mod_rewrite*
mod_speling**
mod_ssl*
mod_usertrack*
should upgrade to the newest APR, shipped with Apache 2.0.46. Exploits are
being tested for all of the above. Two Apache API procedures are also
vulnerable:
ap_construct_url()*
ap_construct_server()*
* This requires UseCanonicalName Off or a name-based virtual host system
for successful exploitation. Setting "UseCanonicalName On" eliminates
this. This is the default in some vendor packages.
** This requires the rare combination of UseCanonicalName Off and a
non-standard port. The default is to install with UseCanonicalName Off,
although some vendor packages modify this. Also, the Win32 installer
allows for listening on port 8080, and non-root users are usually forced
to do this on UNIX-based platforms.
It should also be noted that binary distributions might ship without
mod_ssl, preventing exploitation via this avenue. Note that in this
particular case, UseCanonicalName Off is the only setting required, and *not*
wildcard DNS as was required by CAN-2002-0840, since the user may submit
whatever "Host" header they like directly via a telnet session -- a much less
restrictive environment than an XSS exploit.
Workarounds:
* Setting UseCanonicalName On in the master configuration prevents many of
these issues. mod_proxy and mod_dav/mod_dav_fs are still exploitable with
this change.
* mod_dav: Setting LimitXMLRequestBody to less than 10000 will eliminate
this flaw, in combination with the previous workaround.
* mod_proxy: Disable HTTP proxying.
The combination of these effectively prevents exploitation of all *known*
attack vectors. Administrators are still encouraged to upgrade, as other
attack vectors may exist. This vulnerability has the (theoretical)
possibility of arbitrary code execution, making it imperative that
vulnerable systems be upgraded at the earliest opportunity.
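As an added defensive check, not part of this advisory and not Apache's own code, the following Python script encodes the exposure conditions listed above (which advisory modules are loaded, UseCanonicalName, listen ports, LimitXMLRequestBody and HTTP proxying) and audits a constructed httpd.conf fragment against them, so an administrator can see which known vectors a given configuration still leaves open. Assumptions: the config reader is deliberately flat (LoadModule, Listen and scalar directives only, no <VirtualHost> scoping), UseCanonicalName Off is taken as the default as the advisory states, LimitXMLRequestBody is assumed to default to 1000000 and ProxyRequests is taken as the "HTTP proxying" switch, and the two sample configurations are constructed, not taken from any real host.

```python
import re

# Advisory module list, keyed by which footnote condition applies to it:
#   "*"  : exposed with UseCanonicalName Off or name-based virtual hosts
#   "**" : exposed only with UseCanonicalName Off AND a non-standard port
#   None : exposed regardless of UseCanonicalName (mod_proxy, mod_dav)
ADVISORY_MODULES = {
    "mod_alias": "**", "mod_dav": None, "mod_dav_fs": None, "mod_dir": "**",
    "mod_imap": "**", "mod_proxy": None, "mod_rewrite": "*", "mod_speling": "**",
    "mod_ssl": "*", "mod_usertrack": "*",
}
STANDARD_PORTS = {80, 443}


def parse_config(text):
    """Minimal httpd.conf reader (assumption: flat directives, <section> lines skipped).
    Returns (loaded module names, listen ports, last value of each scalar directive)."""
    loaded, ports, directives = set(), set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "loadmodule" and len(parts) >= 3:
            m = re.search(r"(mod_\w+)\.so$", parts[2])  # "modules/mod_dav.so" -> mod_dav
            if m:
                loaded.add(m.group(1))
        elif name == "listen" and len(parts) >= 2:
            ports.add(int(parts[1].rsplit(":", 1)[-1]))  # "Listen [::]:8080" -> 8080
        elif len(parts) >= 2:
            directives[name] = parts[1]
    return loaded, ports, directives


def audit(text):
    """Return {module: reason} for every advisory module this config still exposes."""
    loaded, ports, d = parse_config(text)
    canonical_off = d.get("usecanonicalname", "off").lower() == "off"  # advisory: default is Off
    name_vhosts = "namevirtualhost" in d
    nonstandard_port = any(p not in STANDARD_PORTS for p in ports)
    xml_limit = int(d.get("limitxmlrequestbody", "1000000"))           # assumed httpd default
    proxying = d.get("proxyrequests", "off").lower() == "on"           # assumed proxying switch
    exposed = {}
    for mod in sorted(loaded & set(ADVISORY_MODULES)):
        cond = ADVISORY_MODULES[mod]
        if cond == "*" and (canonical_off or name_vhosts):
            exposed[mod] = "UseCanonicalName Off or name-based virtual hosts"
        elif cond == "**" and canonical_off and nonstandard_port:
            exposed[mod] = "UseCanonicalName Off on a non-standard port"
        elif mod in ("mod_dav", "mod_dav_fs") and xml_limit >= 10000:
            exposed[mod] = f"LimitXMLRequestBody {xml_limit} is not below 10000"
        elif mod == "mod_proxy" and proxying:
            exposed[mod] = "HTTP proxying enabled (ProxyRequests On)"
    return exposed


# Constructed sample configuration with the advisory's risky settings.
WEAK_CONF = """\
Listen 8080
UseCanonicalName Off
LoadModule alias_module   modules/mod_alias.so
LoadModule dav_module     modules/mod_dav.so
LoadModule dav_fs_module  modules/mod_dav_fs.so
LoadModule proxy_module   modules/mod_proxy.so
LoadModule rewrite_module modules/mod_rewrite.so
ProxyRequests On
"""

# Same modules with the advisory's workarounds applied (constructed).
HARDENED_CONF = (WEAK_CONF.replace("Listen 8080", "Listen 80")
                 .replace("UseCanonicalName Off", "UseCanonicalName On")
                 .replace("ProxyRequests On", "ProxyRequests Off")
                 + "LimitXMLRequestBody 9999\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no known vectors exposed")
```

Running the script reports five exposed modules for the weak configuration and none for the hardened one; moving the weak configuration to port 80 alone clears only the "**" modules (mod_alias here), which is the distinction the two footnotes above draw.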
ADDITIONAL INFORMATION
The information has been provided by <mailto:mattmurphy@kc.rr.com>
Matthew Murphy.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.