Re[2]: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server

["bogachev igor" <drugoy_bog () mail ru>]

This question may be interesting for russian users of apache

http_protocol.c:2083
        
#ifdef RUSSIAN_APACHE
        if(r && r->ra_codep && r->ra_codep->cp_itabl_p)
          {
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                        "chunked Transfer-Encoding not supported by Russian
Apache: %s", r->uri);
            return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED;
          }
#endif

does it mean that russian apache isn't vulnerable?

copy of this message was sent to coordinator of russian_apache devolopers group
lexa () lexa ru


 
> The patch that mentioned casting bufsiz from an int to an unsigned int
> failed to do a few things:
>
> 1) There are 2 instances of the same code in http_protocol.c that need
> to be fixed, as both suffer from the same problem
> 2) The cast to unsigned int was only done in comparison, and was not
> done in assignment, which could possibly lead to problems down the road
> with the int value?
>
> I haven't checked any of this, just noticed it and was really just
> wondering "why wasn't this done?".
>
> The code that is apparently "buggy" is this:
>
> len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
>
> The code was mentioned to be changed to this:
>
> len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :
> r->remaining;
>
> However, this doesn't assign that casted value to len_to_read, it just
> uses the cast for comparison and then passes on the possibly bogus data
> on to len_to_read.
>
> So, should the fix not be to change it to:
>
> len_to_read = (r->remaining > (unsigned int)bufsiz) ? (unsigned
> int)bufsiz : r->remaining;
>
> Also, like I mentioned, there are two places where this happens in
> http_protocol.c, one at line 2062, and the other (the one mentioned in
> the patch) at 2174.
>
> Sysop.
> ----- Original Message -----
> From: X-Force <xforce () iss net>
> To: <bugtraq () securityfocus com>
> Sent: Monday, June 17, 2002 6:57 PM
> Subject: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Internet Security Systems Security Advisory
> > June 17, 2002
> >
> > Remote Compromise Vulnerability in Apache HTTP Server
> >
> > Synopsis:
> >
> > ISS X-Force has discovered a serious vulnerability in the default
> > version of Apache HTTP Server. Apache is the most popular Web server and
> > is used on over half of all Web servers on the Internet. It may be
> > possible for remote attackers to exploit this vulnerability to
> > compromise Apache Web servers. Successful exploitation may lead to
> > modified Web content, denial of service, or further compromise.
> >
> > Affected Versions:
> >
> > Apache 1.x
> >
> > Note: Many commercial Web Application Servers such as Oracle 9ias and
> > IBM Websphere use Apache HTTP Server to process HTTP requests.
> > Additional products that bundle Apache HTTP Server for Windows may be
> > affected.
> >
> > Description:
> >
> > The Apache HTTP Server is maintained by the Apache Software Foundation.
> > Apache is an extremely popular open-source Web server. Netcraft
> > (http://www.netcraft.com) reports that as of May 2002, Apache accounts
> > for over 63% of all active Web sites. Apache's installed base is larger
> > than all other Web servers combined.
> >
> > The Apache Project is an open-source and volunteer collaboration aimed
> > to create and maintain a free, feature-rich, powerful, and secure Web
> > server implementation. Apache is well regarded as the best, freely
> > available Web server.
> >
> > Apache contains a flawed mechanism meant to calculate the size of
> > "chunked" encoding. Chunked encoding is part of the HTTP Protocol
> > Specification used for accepting data from Web users. When data is sent
> > from the user, the Web server needs to allocate a memory buffer of a
> > certain size to hold the submitted data. When the size of the data being
> > submitted is unknown, the client or Web browser will communicate with
> > the server by creating "chunks" of data of a negotiated size.
> >
> > The Apache HTTP Server has a software flaw that misinterprets the size
> > of incoming data chunks. This error may lead to a signal race, heap
> > overflow, and to exploitation of malicious code.
> >
> > X-Force has verified that this issue is exploitable on Apache for
> > Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
> > source code, but X-Force believes that successful exploitation on most
> > Unix platforms is unlikely.
> >
> > Recommendations:
> >
> > Internet Scanner X-Press Update 6.12 includes a check,
> > ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server
> > for Win32. XPU 6.12 is available from the ISS Download Center at:
> > http://www.iss.net/download. For questions about downloading and
> > installing this XPU, email support () iss net.
> >
> > Detection support for this attack will be included in future X-Press
> > Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
> > available from the ISS Download Center, and this alert will be updated
> > when these updates become available.
> >
> > ISS X-Force has developed a patch for this issue. Follow the
> > instructions below, or contact your vendor for assistance:
> >
> > To apply a source code patch to your Apache package:
> >
> > 1. Locate your source directory and navigate into the "main" sub-
> > directory.
> > 2. Verify that "http_protocol.c" is present in the current directory.
> > 3. To update your http_protocol.c file, create a file named
> > "apache_patch.diff", containing the following text:
> >
> > - --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
> > +++ http_protocol.c Fri Jun 14 16:13:47 2002
> > @@ -2171,7 +2171,7 @@
> >
> >      /* Otherwise, we are in the midst of reading a chunk of data */
> >
> > - -    len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
> > +    len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r->
> > remaining;
> >
> >      len_read = ap_bread(r->connection->client, buffer, len_to_read);
> >      if (len_read <= 0) {
>
>
>
>
> > 4. Apply the source code update using the "patch" command, or a similar
> >    utility.
> > 5. Build new binaries and reinstall.
> >
> > The Apache Server Project has been notified and will make a formal patch
> > available soon. Please refer to the Apache Server Project's homepage for
> > more information: http://httpd.apache.org/
> >
> > Additional Information:
> >
> > http://www.iss.net/security_center
> > http://www.apache.org
> > http://httpd.apache.org/
> >
> > Credits:
> >
> > This vulnerability was discovered and researched by Neel Mehta of the
> > ISS X-Force.
> >
> >
> > ______
> >
> > About Internet Security Systems (ISS)
> > Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
> > pioneer and world leader in software and services that protect critical
> > online resources from an ever-changing spectrum of threats and misuse.
> > Internet Security Systems is headquartered in Atlanta, GA, with
> > additional operations throughout the Americas, Asia, Australia, Europe
> > and the Middle East.
> >
> > Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
> > worldwide.
> >
> > Permission is hereby granted for the electronic redistribution of this
> > document. It is not to be edited or altered in any way without the
> > express written consent of the Internet Security Systems X-Force. If you
> > wish to reprint the whole or any part of this document in any other
> > medium excluding electronic media, please email xforce () iss net for
> > permission.
> >
> > Disclaimer: The information within this paper may change without notice.
> > Use of this information constitutes acceptance for use in an AS IS
> > condition. There are NO warranties, implied or otherwise, with regard to
> > this information or its use. Any use of this information is at the
> > user's risk. In no event shall the author/distributor (Internet Security
> > Systems X-Force) be held liable for any damages whatsoever arising out
> > of or in connection with the use or spread of this information.
> >
> > X-Force PGP Key available on MIT's PGP key server and PGP.com's key
> > server, as well as at http://www.iss.net/security_center/sensitive.php
> >
> > Please send suggestions, updates, and comments to: X-Force
> > xforce () iss net of Internet Security Systems, Inc.
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: 2.6.2
> >
> > iQCVAwUBPQ4GqzRfJiV99eG9AQHAAQQArA9Xso3VW2fdkUYjyu/mjzji6d13ekEw
> > o13+G231veDDNdA6dy3QB5JxrspUehzIIvp2Ceo5ZjegBZVEJW0VnnOJ8FsnY6Uj
> > wArq9Je2r2X55AYOWIVCFtlfcKtON68couPaMumldWcLBQ+ktJCY7oygydXFfs19
> > 6iBtJDMKucs=
> > =eZeq
> > -----END PGP SIGNATURE-----



-----------------------------------------------
Молоток: от Фаберже до неглиже
http://r.mail.ru/cln1942/molotok.ru/