Because Apache is complex, coding errors are possible. Fortunately, Apache is mature enough that this is not a frequent occurrence, and occasionally, overlooked errors are found and fixed. This chapter covers some basics of Apache’s vulnerabilities and recent known security problems. (From Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
I will now show you three practical examples of vulnerabilities. They are only examples, because new problems are discovered on an ongoing basis. The first two (CAN-2002-0392 and CAN-2001-0925) are dangerous, and can cause unauthorized access to information and remote command execution. The last one, CAN-1999-1199, is a more “classic” DOS attack. For each vulnerability, I will show how I gained information about it, and how I tested it on my own Apache installation (whenever possible).
The bug takes advantage of a problem in the way Apache treats chunked transfers. How chunked transfers works is outlined in RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt), which reads:
The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields.
Apache fails to calculate the size of the buffer needed to store the chunk’s information. Therefore, a malicious user can make a request that corrupts the server’s memory or crashes the server itself, and in some cases execute arbitrary code on the system.
The CONFIRM: field points to a piece of information on the Internet that officially confirms the existence of that vulnerability. In this case, it points to the “Security bulletin” published directly by the Apache Group, where you can read:
While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability.
The next point reads like this:
VULNWATCH:20020617 [VulnWatch] Apache httpd: vulnerability with chunked encoding
VulnWatch (http://www.vulnwatch.org) is a web site that aims to be a “nondiscussion, non-patch, all-vulnerability announcement list supported and run by a community of volunteer moderators distributed around the world.” VulnWatch sent a copy of the Apache security bulletin to its subscribers. The archived message can be found at http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0110.html. The string after the colon is the date (20020617), which represents June 17, 2002.
The third line reads:
ISS:20020617 Remote Compromise Vulnerability in Apache HTTP Server
Internet Security Systems (ISS, http://www.iss.net) is a company that provides security products. X-Force is their team of researchers, who keep a database of vulnerabilities compatible with CVE in their naming convention. From the link http://xforce.iss.net/xforce/search.php, you can search their database. For information on this bug, search for 20020617 and read ISS’s own documentation about this security issue.
NOTE Some of the reporting organizations (like ISS) have vested interests in security matters, and some do not publish information until after they’ve made it available to their paying customers. This can potentially create a conflict of interest, and a disservice to the Internet community as a whole.
There are many more entries about this bug on CVE. In particular, the issue was also discussed on BUGTRAQ:
BUGTRAQ:20020619 Remote Apache 1.3.x Exploit
BUGTRAQ is a moderated mailing list focused on computer security. You can see its archive here: http://www.securityfocus.com/archive/1. The exploit was posted on July 19, 2001. You will need to browse the list’s archives to find the message. You may want to test the exploit if you are using BSD and you would like to test your system’s security.
The problem was fixed in Apache 1.3.26 and Apache 2.0.37.
This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.