Home arrow Apache arrow Page 3 - Common Attacks in Apache

Apache Vulnerabilities: Practical Examples - Apache

Because Apache is complex, coding errors are possible. Fortunately, Apache is mature enough that this is not a frequent occurrence, and occasionally, overlooked errors are found and fixed. This chapter covers some basics of Apache’s vulnerabilities and recent known security problems. (From Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

TABLE OF CONTENTS:
  1. Common Attacks in Apache
  2. Types of Attacks
  3. Apache Vulnerabilities: Practical Examples
  4. Directory Displayed
  5. Common Attacks
  6. SSL Buffer Overflow
By: Apress Publishing
Rating: starstarstarstarstar / 14
September 13, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

I will now show you three practical examples of vulnerabilities. They are only examples, because new problems are discovered on an ongoing basis. The first two (CAN-2002-0392 and CAN-2001-0925) are dangerous, and can cause unauthorized access to information and remote command execution. The last one, CAN-1999-1199, is a more “classic” DOS attack. For each vulnerability, I will show how I gained information about it, and how I tested it on my own Apache installation (whenever possible).

CAN-2002-0392: Apache Chunked Encoding Vulnerability

This vulnerability is listed on the page http://www.apacheweek.com/
features/security-13
. The same issue is found in the list of Apache 2.0’s problems: http://www.apacheweek.com/features/security-20.

The bug takes advantage of a problem in the way Apache treats chunked transfers. How chunked transfers works is outlined in RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt), which reads:

The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields.

Apache fails to calculate the size of the buffer needed to store the chunk’s information. Therefore, a malicious user can make a request that corrupts the server’s memory or crashes the server itself, and in some cases execute arbitrary code on the system.

More information about this vulnerability is available at http://cve.mitre
.org/cgi-bin/cvename.cgi?name=CAN-2002-0392
.

The first line reads:

CONFIRM:http://httpd.apache.org/info/security_bulletin_
20020617.txt

The CONFIRM: field points to a piece of information on the Internet that officially confirms the existence of that vulnerability. In this case, it points to the “Security bulletin” published directly by the Apache Group, where you can read:

While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some plat forms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability.

The next point reads like this:

VULNWATCH:20020617 [VulnWatch] Apache httpd: vulnerability with chunked encoding

VulnWatch (http://www.vulnwatch.org) is a web site that aims to be a “nondiscussion, non-patch, all-vulnerability announcement list supported and run by a community of volunteer moderators distributed around the world.” VulnWatch sent a copy of the Apache security bulletin to its subscribers. The archived message can be found at http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0110.html. The string after the colon is the date (20020617), which represents June 17, 2002.

The third line reads:

ISS:20020617 Remote Compromise Vulnerability in Apache HTTP Server

Internet Security Systems (ISS, http://www.iss.net) is a company that provides security products. X-Force is their team of researchers, who keep a database of vulnerabilities compatible with CVE in their naming convention. From the link http://xforce.iss.net/xforce/search.php, you can search their database. For information on this bug, search for 20020617 and read ISS’s own documentation about this security issue.

NOTE Some of the reporting organizations (like ISS) have vested interests in security matters, and some do not publish information until after they’ve made it available to their paying customers. This can potentially create a conflict of interest, and a disservice to the Internet community as a whole.

There are many more entries about this bug on CVE. In particular, the issue was also discussed on BUGTRAQ:

BUGTRAQ:20020619 Remote Apache 1.3.x Exploit

BUGTRAQ is a moderated mailing list focused on computer security. You can see its archive here: http://www.securityfocus.com/archive/1. The exploit was posted on July 19, 2001. You will need to browse the list’s archives to find the message. You may want to test the exploit if you are using BSD and you would like to test your system’s security.

The problem was fixed in Apache 1.3.26 and Apache 2.0.37.

This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.



 
 
>>> More Apache Articles          >>> More By Apress Publishing
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

APACHE ARTICLES

- Apache Unveils Cassandra 1.2
- Apache on ARM Chips? Dell and Calxeda Help M...
- The Down Side of Open Source Software
- VMware Unveils Serengeti for Apache Hadoop
- SAP Takes Steps to Improve Hadoop Integration
- Looking to Hone Apache Hadoop Skills?
- How to Install Joomla on WAMPP
- Working with XAMPP and Wordpress
- GUI Available for Apache Camel
- Reduce Server Load for Apache and PHP Websit...
- Creating a VAMP (Vista, Apache, MySQL, PHP) ...
- Putting Apache in Jail
- Containing Intrusions in Apache
- Server Limits for Apache Security
- Setting Permissions in Apache

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: