Two days till web meltdown

[Rizzo gal]

--------------------------------------------------------------------------------
Apache Update: Two days till web meltdown
By Robert Jaques [19-06-2002]
Servers must be patched immediately, says Apache expert

IT managers have only "a couple of days" before crackers produce an exploit capable of attacking over 50 million web servers left open by the latest Apache security flaw.
Speaking exclusively to vnunet.com, Mark Cox, founding member of the Apache Software Foundation, warned: "We have to assume that serious and intelligent crackers will produce an exploit that targets this vulnerability in a couple of days. Then it's only a little while before it filters down to the script kiddies.

"Nobody should sit around and think that this issue will not be exploited or could not be exploited. They should immediately patch servers.

"This is the first time that a remote exploit has affected Apache, certainly during the life of version 1.3, which is at least four years old. We've designed the best security that we can, but obviously there can be mistakes."

Cox stressed the seriousness of the security flaw. "On some platforms in some circumstances this can be very serious," he said. "Remotely running arbitrary code and denial of service attacks are serious."

According to Cox the most serious manifestation of the vulnerability will be on Unix platforms. However, he added that, for 64-bit Unix installations, the level of risk depends principally on actual operating system platforms because of variations in how their respective stacks operate.

He indicated that Apache had been aware of the security flaw for some time and that the Computer Emergency Response Team was contacted last week to develop vulnerability lists for all vendors.

Cox added that Apache had been forced to publicise the exploit before a full set of patches was developed because ISS released its incomplete workaround early.

"ISS released its advisory early and jumped the gun," he said. "The company says it found the vulnerability independently and gave us only two hours warning before publishing its advisory.

"What ISS should have done is contact the Apache security team before publishing. They said that they couldn't find anyone at Apache, but I don't think that they tried very hard.

"Any political problems between vendors could have been solved here if ISS had followed responsible disclosure procedures."

However, Cox added that Apache did not want a flame war to continue, stressing that the most important thing was for companies to patch vulnerable servers.

The latest information on this security issue is available from Apache's website.

Server managers should get the right information from Apache, and should read the advisory to make an informed assessment of their own risk. Only then can people take the appropriate action, be it upgrading servers or whatever.




http://www.vnunet.com/News/1132795

[Rizzo gal]

Apache hole puts millions at risk
By Robert Jaques [18-06-2002]
Unix and Win 32 affected as patch fails to work
Millions of websites are at risk from a potentially devastating security vulnerability in Apache that could allow malicious crackers to remotely execute arbitrary code on compromised servers.
According to the Computer Emergency Response Team's (Cert's) Co-ordination Centre the flaw, which centres on Apache's support for handling HTTP1.1 chunk-encoded data, affects web servers running Apache code versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36 on both Unix and Win 32 platforms.

In its latest security advisory, posted late on Monday, Cert warned: "For Apache versions 1.3 through 1.3.24 inclusive, this vulnerability may allow the execution of arbitrary code by remote attackers.

"Several sources have reported that this vulnerability can be used by intruders to execute arbitrary code on Windows platforms.

"Additionally, the Apache Software Foundation has reported that a similar attack may allow the execution of arbitrary code on 64-bit UNIX systems."

However, the advisory added that, for Apache versions 2.0 and later, the vulnerability is correctly detected and the malicious child process is terminated.

But Cert issued the following caveat: "Depending on a variety of factors, including the threading model supported by the vulnerable system, this may lead to a denial-of-service attack against the Apache web server."

Cert warned that a patch, currently circulating with the ISS advisory to fix this vulnerability, does not work.

Marc Maiffret, chief hacking officer at eEye Digital Security, warned that the implications of the Apache vulnerability are not confined to web servers.

"Barely anyone in the Windows world is going to sit and re-compile their Apache versions, especially with software like Oracle that also uses Apache," he said.

"ISS has left all these people in a very bad position. It is worse than that though. According to Apache the ISS source code patch does not even work."

Cert researcher Florian Weimer, from the University of Stuttgart, posted the following comment on BugTraq: "The patch that mentioned casting bufsiz from an int to an unsigned int failed to do a few things.

"There are two instances of the same code in otocol.c that need to be fixed, as both suffer from the same problem. And the cast to unsigned int was only done in comparison, and was not done in assignment, which could possibly lead to problems down the road with the int value."

The latest versions of Apache servers can be found at Apache's website.



http://www.vnunet.com/News/1132708

[teefleur]

Huh??? Wouldn't THAT be a kick in the head!

[Con-tractor]

From apache.org



In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
overflow on 32-bit Unix platforms this will cause a segmentation violation
and the child will terminate. However on 64-bit platforms the overflow
can be controlled and so for platforms that store return addresses on the
stack it is likely that it is further exploitable. This could allow
arbitrary code to be run on the server as the user the Apache children are
set to run as. We have been made aware that Apache 1.3 on Windows is
exploitable in a similar way as well.

TB2K is running 32bit Linux at this time, is it an issue technically yes. Is TB2K going to melt down ummmm NO!

The webserver should be updated

BTW I have known about this since the 17th of June

Con

[OddOne]

An exploit attack against ApacheHTTPD is a HUGE issue to the Web, since probably two-thirds of the PLANET'S webservers run some flavor of Apache.

Betcha there'll be some crazy patching going on all over the place this weekend. Not to mention *NIX admins losing their weekend off over this one.

oO

[teefleur]

Odd... your post brings me no comfort...