[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] apache remote exploit (update)

To: linux-security
Subject: [linux-security] apache remote exploit (update)
From: Martin Siegert <siegert@sfu.ca>
Date: Sat, 22 Jun 2002 15:12:51 -0700
In-Reply-To: <20020620144243.A27197@stikine.ucs.sfu.ca>; from siegert@sfu.ca on Thu, Jun 20, 2002 at 02:42:43PM -0700
References: <20020620144243.A27197@stikine.ucs.sfu.ca>
User-Agent: Mutt/1.2.5.1i

This is an upgrade on the severity of the problem (see Problem Description
below). Also upgrade information for Mandrake and Slackware has been added.

On Thu, Jun 20, 2002 at 02:42:43PM -0700, Martin Siegert wrote:
> Topic
> =====
> remote exploit in apache webserver
> 
> Problem Description
> ===================
> Versions of the Apache web server up to and including 1.3.24 and 2.0
> up to and including 2.0.36 contain a bug in the routines which deal
> with invalid requests which are encoded using chunked encoding.  This
> bug can be triggered remotely by sending a carefully crafted invalid
> request.
> 
> On 32 bit Unix systems this bug allows a denial of service (DoS) attack:
> the web server stops running. Investigations by the Apache Software Foundation
> show that in some cases 64-bit platforms may have a greater exposure and
> could be remotely exploited to allow arbitrary code to be run on the server.
> This includes defacing of web pages served by the apache web server.

What was previously thought to have been a DoS-only condition has now
been proven to be more than that: exploitable conditions have been
discovered on both 32bit and 64bit platforms.  Successful exploitation of
this vulnerability may lead to the execution of arbitary code on the server
running a vulnerable Apache with the permissions of the web server child
process.

It is strongly recommended to upgrade apache immediately.
Exploits based on this vulnerability have already been published on
mailing lists.

> Affected Systems
> ================
> Web servers based on Apache code versions 1.3 through 1.3.24
> Web servers based on Apache code versions 2.0 through 2.0.36
> 
> Solution
> ========
> upgrade to versions 1.3.26 or 2.0.39 or a patched version for your
> distribution.
> 
> RedHat 6.x
> ----------
> rpm -Fvh apache-1.3.22-5.6.i386.rpm \
>          apache-devel-1.3.22-5.6.i386.rpm \
>          apache-manual-1.3.22-5.6.i386.rpm
> 
> RedHat 7.0, 7.1
> ---------------
> rpm -Fvh apache-1.3.22-5.7.1.i386.rpm \
>          apache-devel-1.3.22-5.7.1.i386.rpm \
>          apache-manual-1.3.22-5.7.1.i386.rpm
> 
> RedHat 7.2
> ----------
> rpm -Fvh apache-1.3.22-6.i386.rpm \
>          apache-devel-1.3.22-6.i386.rpm \
>          apache-manual-1.3.22-6.i386.rpm
> 
> RedHat 7.3
> ----------
> rpm -Fvh apache-1.3.23-14.i386.rpm \
>          apache-devel-1.3.23-14.i386.rpm \
>          apache-manual-1.3.23-14.i386.rpm
> 
> Debian 2.2 (potato)
> -------------------
> upgrade to apache_1.3.9-14.1_i386.deb, apache-common_1.3.9-14.1_i386.deb,
> apache-dev_1.3.9-14.1_i386.deb. 
> Then check your configuration: "apachectl configtest".
> Finally restart the webserver: "/etc/init.d/apache restart".

Mandrake 7.1, 7.2, 8.0
----------------------
rpm -Fvh apache-1.3.22-10.1mdk.i586.rpm \
         apache-common-1.3.22-10.1mdk.i586.rpm \
         apache-devel-1.3.22-10.1mdk.i586.rpm \
         apache-manual-1.3.22-10.1mdk.i586.rpm \
         apache-mod_perl-1.3.22_1.26-2.1mdk.i586.rpm \
         apache-modules-1.3.22-10.1mdk.i586.rpm \
         apache-source-1.3.22-10.1mdk.i586.rpm \
         mod_perl-common-1.3.22_1.26-2.1mdk.i586.rpm \
         mod_perl-devel-1.3.22_1.26-2.1mdk.i586.rpm \
         HTML-Embperl-1.3.22_1.3.4-2.1mdk.i586.rpm

Mandrake 8.1
------------
rpm -Fvh apache-1.3.22-10.1mdk.i586.rpm \
         apache-common-1.3.22-10.1mdk.i586.rpm \
         apache-devel-1.3.22-10.1mdk.i586.rpm \
         apache-manual-1.3.22-10.1mdk.i586.rpm \
         apache-mod_perl-1.3.22_1.26-4.1mdk.i586.rpm \
         apache-modules-1.3.22-10.1mdk.i586.rpm \
         apache-source-1.3.22-10.1mdk.i586.rpm \
         mod_perl-common-1.3.22_1.26-4.1mdk.i586.rpm \
         mod_perl-devel-1.3.22_1.26-4.1mdk.i586.rpm \
         HTML-Embperl-1.3.22_1.3.4-4.1mdk.i586.rpm

Mandrake 8.2
------------
rpm -Fvh apache-1.3.23-4.1mdk.i586.rpm \
         apache-common-1.3.23-4.1mdk.i586.rpm \
         apache-devel-1.3.23-4.1mdk.i586.rpm \
         apache-manual-1.3.23-4.1mdk.i586.rpm \
         apache-mod_perl-1.3.23_1.26-5.1mdk.i586.rpm \
         apache-modules-1.3.23-4.1mdk.i586.rpm \
         apache-source-1.3.23-4.1mdk.i586.rpm \
         mod_perl-common-1.3.23_1.26-5.1mdk.i586.rpm \
         mod_perl-devel-1.3.23_1.26-5.1mdk.i586.rpm \
         HTML-Embperl-1.3.23_1.3.4-5.1mdk.i586.rpm

Slackware 8.0
-------------
updated apache and mod_ssl packages:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/apache.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/mod_ssl.tgz

Slackware 8.1
-------------
updated apache and mod_ssl packages:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/apache-1.3.26-i386-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/n/mod_ssl-2.8.9_1.3.26-i386-1.tgz

References:
- [linux-security] apache remote exploit
  - From: Martin Siegert <siegert@sfu.ca>
- [linux-security] apache remote exploit
  - From: Martin Siegert <siegert@sfu.ca>

Prev by Date: [linux-security] apache remote exploit
Next by Date: [linux-security] Alert: remote root exploit in openssh daemon
Prev by thread: [linux-security] apache remote exploit
Next by thread: [linux-security] dhcp remote exploit
Index(es):
- Date
- Thread