I will now show you three practical examples of vulnerabilities. They are only examples, because new problems are discovered on an ongoing basis. The first two (CAN-2002-0392 and CAN-2001-0925) are dangerous, and can cause unauthorized access to information and remote command execution. The last one, CAN-1999-1199, is a more “classic” DOS attack. For each vulnerability, I will show how I gained information about it, and how I tested it on my own Apache installation (whenever possible).

This vulnerability is listed on the page http://www.apacheweek.com/
features/security-13. The same issue is found in the list of Apache 2.0’s problems: http://www.apacheweek.com/features/security-20.

The bug takes advantage of a problem in the way Apache treats chunked transfers. How chunked transfers works is outlined in RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt), which reads:

The chunked encoding modifies the body of a message in order to transfer it as a series of chunks, each with its own size indicator, followed by an OPTIONAL trailer containing entity-header fields.

Apache fails to calculate the size of the buffer needed to store the chunk’s information. Therefore, a malicious user can make a request that corrupts the server’s memory or crashes the server itself, and in some cases execute arbitrary code on the system.

More information about this vulnerability is available at http://cve.mitre
.org/cgi-bin/cvename.cgi?name=CAN-2002-0392.

The first line reads:

CONFIRM:http://httpd.apache.org/info/security_bulletin_
20020617.txt

The CONFIRM: field points to a piece of information on the Internet that officially confirms the existence of that vulnerability. In this case, it points to the “Security bulletin” published directly by the Apache Group, where you can read:

While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some plat forms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability.

The next point reads like this:

VULNWATCH:20020617 [VulnWatch] Apache httpd: vulnerability with chunked encoding

VulnWatch (http://www.vulnwatch.org) is a web site that aims to be a “nondiscussion, non-patch, all-vulnerability announcement list supported and run by a community of volunteer moderators distributed around the world.” VulnWatch sent a copy of the Apache security bulletin to its subscribers. The archived message can be found at http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0110.html. The string after the colon is the date (20020617), which represents June 17, 2002.

The third line reads:

ISS:20020617 Remote Compromise Vulnerability in Apache HTTP Server

Internet Security Systems (ISS, http://www.iss.net) is a company that provides security products. X-Force is their team of researchers, who keep a database of vulnerabilities compatible with CVE in their naming convention. From the link http://xforce.iss.net/xforce/search.php, you can search their database. For information on this bug, search for 20020617 and read ISS’s own documentation about this security issue.

There are many more entries about this bug on CVE. In particular, the issue was also discussed on BUGTRAQ:

BUGTRAQ:20020619 Remote Apache 1.3.x Exploit

BUGTRAQ is a moderated mailing list focused on computer security. You can see its archive here: http://www.securityfocus.com/archive/1. The exploit was posted on July 19, 2001. You will need to browse the list’s archives to find the message. You may want to test the exploit if you are using BSD and you would like to test your system’s security.

The problem was fixed in Apache 1.3.26 and Apache 2.0.37.

This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.