Apache Vulnerabilities

Updated 4/7/03
CVE 2001-1342
CVE 2002-0061
CVE 2002-0392
CAN 2002-0661
CAN 2002-0839
CAN 2002-0840
CAN 2002-0843
CAN 2003-0016
CAN 2003-0017
CAN 2003-0132
CAN 2003-0134

Impact

A remote attacker could crash the web server or execute arbitrary commands.

Background

Apache is a web server which runs on Unix, Linux, and Windows systems.

Apache web servers support chunked transfer encoding, which is part of the HTTP/1.1 specification. It lets a sender transmit a message body whose total length is not known in advance as a series of pieces, or chunks. Each chunk is preceded by its size, written in hexadecimal on a line of its own, and followed by a CRLF; a chunk of size zero marks the end of the body. The receiver does not acknowledge individual chunks. The case relevant here is a web client using chunked encoding to send a request body to the server.

The Problems


Multiple Vulnerabilities in Apache 2.0

CAN 2003-0016
CAN 2003-0017
CAN 2003-0132
CAN 2003-0134
Apache 2.0 releases prior to 2.0.45 contain several vulnerabilities, fixed in 2.0.44 and 2.0.45, which could allow a remote attacker to cause a denial of service, retrieve arbitrary files, or execute commands.


Flaw in Chunked Encoding

6/18/02
CVE 2002-0392
Apache 1.2.2 through 1.3.24 and Apache 2.0.x prior to 2.0.37 contain a flaw in the implementation of chunked encoding. The chunk size supplied by the client is stored in a signed integer, so a suitably large value is treated as negative; it passes the bounds check and is then used as an enormous length in a memory copy, overflowing a fixed-size buffer. In the worst case, with Apache 1.x this could allow the attacker to execute arbitrary code on a number of platforms. In other cases, an attacker could cause the web server child process to terminate, interrupting service while the child process is replaced. This effect is especially significant on Windows and Netware platforms, where a single process serves all requests.
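
The following C program is an added illustration, not code from Apache or from this advisory. It covers both the chunked format described under Background and the signed-length mistake described above: a parser for the chunk-size line, the unsafe bound check beside a corrected one, and a decoder for a complete body. The function names, the 8192-byte buffer size and the sample body are assumptions made for the example; the vulnerable function only computes the length that would be handed to the copy routine and never performs the copy.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Parse one chunk-size line ("1a\r\n", "1a;ext=v\r\n" or plain "1a"). Returns 0
   and stores the size, or -1 on a bad first character, junk after the digits,
   or a value that would overflow unsigned long. (Names are assumed for the demo.) */
static int parse_chunk_size(const char *line, unsigned long *size)
{
    unsigned long v = 0;
    const char *p = line;
    if (!isxdigit((unsigned char)*p))            /* rejects "", "-10", " 10" */
        return -1;
    for (; isxdigit((unsigned char)*p); p++) {
        unsigned d = isdigit((unsigned char)*p) ? (unsigned)(*p - '0')
                   : (unsigned)(tolower((unsigned char)*p) - 'a' + 10);
        if (v > (ULONG_MAX - d) / 16)            /* v * 16 + d would wrap */
            return -1;
        v = v * 16 + d;
    }
    if (*p != '\0' && *p != '\r' && *p != '\n' && *p != ';')
        return -1;
    *size = v;
    return 0;
}

/* BEFORE (mirrors the pre-1.3.26 logic): the size is held in a signed long and
   the bound check is a signed comparison. A size with the top bit set is
   negative, so "len > bufsiz" is false and the negative value reaches the copy
   routine, where it becomes a huge size_t. The copy itself is not performed. */
static size_t vulnerable_copy_length_raw(unsigned long raw, size_t bufsiz)
{
    long len = (long)raw;                        /* signed interpretation */
    if (len > (long)bufsiz)                      /* -16 > 8192 is false   */
        len = (long)bufsiz;
    return (size_t)len;                          /* -16 -> 0xff...fff0    */
}

static size_t vulnerable_copy_length(const char *line, size_t bufsiz)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return 0;
    return vulnerable_copy_length_raw(raw, bufsiz);
}

/* AFTER: the size stays unsigned, so min(size, bufsiz) is a real bound and an
   unparseable size is refused. Returns bytes to read for this chunk, or -1. */
static long safe_copy_length(const char *line, size_t bufsiz)
{
    unsigned long raw;
    if (parse_chunk_size(line, &raw) != 0)
        return -1;
    return (long)(raw > bufsiz ? bufsiz : (size_t)raw);
}

/* Decode a complete chunked body as seen on the wire (hex size, CRLF, data,
   CRLF, ..., "0", CRLF, CRLF). Returns the decoded length, or -1 on error. */
static long decode_chunked(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t pos = 0, outlen = 0;
    for (;;) {
        unsigned long size;
        const char *eol = memchr(in + pos, '\n', inlen - pos);
        if (eol == NULL || parse_chunk_size(in + pos, &size) != 0)
            return -1;
        pos = (size_t)(eol - in) + 1;
        if (size == 0)
            return (long)outlen;                 /* last chunk; trailers ignored */
        if (size > inlen - pos || size > outcap - outlen)
            return -1;                           /* more than is available */
        memcpy(out + outlen, in + pos, size);
        outlen += size;
        pos += size;
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;                           /* missing CRLF after data */
        pos += 2;
    }
}

/* Run the decoder over a constructed request body (not captured traffic). */
static int demo_decode_ok(void)
{
    static const char body[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
    char out[64];
    long n = decode_chunked(body, sizeof body - 1, out, sizeof out);
    return n == 9 && memcmp(out, "Wikipedia", 9) == 0;
}

int main(void)
{
    printf("decoder ok: %d\n", demo_decode_ok());
    printf("0x%lx: unsafe copy length %zu (buffer 8192); \"4000\": unsafe %zu, safe %ld; \"-10\": safe %ld\n",
           ULONG_MAX - 15, vulnerable_copy_length_raw(ULONG_MAX - 15, 8192),
           vulnerable_copy_length("4000", 8192), safe_copy_length("4000", 8192),
           safe_copy_length("-10", 8192));
    return 0;
}
```

Compile with any C99 compiler and run. strtoul() is not a drop-in replacement for the parser: it accepts a leading minus sign and silently negates the result, which is exactly the kind of value the original bound check failed to reject, so the first character is checked explicitly.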


Potential Vulnerabilities in Apache pre 1.3.27

10/15/02
CAN 2002-0839
CAN 2002-0840
CAN 2002-0843
Apache 1.3.27 fixed three potential vulnerabilities. CAN 2002-0839: on System V platforms that use a shared memory based scoreboard, an attacker who is able to execute code using the Apache user ID (for example through a compromised CGI script) can modify the scoreboard so that the parent process, which runs as root, sends arbitrary signals to other processes, or can cause a local denial of service. CAN 2002-0840: a web server in a domain that allows wildcard DNS lookups is susceptible to cross-site scripting in the default 404 error page, because the hostname supplied by the client in the request is reflected into that page without being escaped. CAN 2002-0843: the ab.c program (ApacheBench), one of the support programs bundled with Apache but not part of the server itself, contains a buffer overflow that a malicious web server could exploit when ab is run against it.
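
The following C program is an added illustration of the 404 page issue, not code from Apache or from this advisory. It renders a page in the style of the default Apache error page twice: once interpolating the hostname taken from the client's Host header verbatim, as the vulnerable default page did, and once after HTML-escaping it. With wildcard DNS every name under the domain resolves to the server, so an attacker can get a victim's browser to send a hostname of the attacker's choosing. The page template, the function names and the attacker-chosen hostname are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters that change meaning inside HTML text and attribute
   values. Returns the escaped length, or -1 if out is too small. */
static long html_escape(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t len;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        len = strlen(rep);
        if (n + len >= cap)
            return -1;
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (long)n;
}

/* Render a 404 page modelled on Apache's default error page (template assumed
   for the demo). host is whatever the client sent in its Host header. With
   escape == 0 the values are interpolated verbatim, as the pre-1.3.27 page
   did; with escape == 1 both are escaped first. Returns a static buffer, or
   NULL if anything did not fit. */
static const char *render_404(const char *host, const char *path, int escape)
{
    static char page[1024];
    char h[256], p[256];
    int n;

    if (escape) {
        if (html_escape(host, h, sizeof h) < 0 || html_escape(path, p, sizeof p) < 0)
            return NULL;
        host = h;
        path = p;
    }
    n = snprintf(page, sizeof page,
                 "<html><head><title>404 Not Found</title></head><body>\n"
                 "<h1>Not Found</h1>\n"
                 "<p>The requested URL %s was not found on this server.</p>\n"
                 "<hr>\n<address>Apache Server at %s Port 80</address>\n"
                 "</body></html>\n", path, host);
    return (n >= 0 && (size_t)n < sizeof page) ? page : NULL;
}

int main(void)
{
    /* Constructed attacker-chosen hostname; not a real site. */
    const char *host = "x.example.test<script>alert(document.cookie)</script>";
    printf("%s\n", render_404(host, "/missing", 0));
    printf("%s\n", render_404(host, "/missing", 1));
    return 0;
}
```

The first rendering contains a live script tag in the server signature; the second shows it as text. The same rule applies to anything else taken from the request, including the path.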


Batch File Processing Vulnerability

3/26/02
CVE 2002-0061
When it receives a request for a batch (.bat or .cmd) file, the Windows version of Apache invokes cmd.exe to run the batch file, placing the request's input parameters on the command line. Because those parameters are not checked, a remote attacker can execute arbitrary commands by appending them to the request after a pipe character (|), which cmd.exe interprets as a pipe to a further command. This vulnerability is especially easy to exploit on Apache version 2 prior to 2.0.34 because of a sample batch file shipped with the server, /cgi-bin/test-cgi.bat. It is also exploitable on Apache version 1 prior to 1.3.24 using any .bat or .cmd file that happens to be present on the web server. This vulnerability affects Windows systems only.
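
The following C program is an added illustration, not code from Apache or from this advisory. It builds the cmd.exe command line the way the text describes (under the CGI convention, a query string containing no '=' is passed to the script as command-line arguments) and sets the unchecked construction beside a variant that accepts only an allow-list of argument characters. The script name test-cgi.bat comes from the text; the allow-list, the function names and the "cmd.exe /c" form of the command line are assumptions for the example, and the command line is only built, never executed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list for a single CGI command-line argument: letters, digits and a
   few punctuation characters cmd.exe does not interpret. Deny-lists for
   cmd.exe (| & < > ^ % " and line breaks, among others) are easy to get
   wrong, so the safe direction is to accept only what is known harmless.
   Returns 1 if every character is allowed, 0 otherwise. */
static int arg_is_safe(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && strchr("._-+/", *s) == NULL)
            return 0;
    return 1;
}

/* BEFORE: the query string is appended to the batch file invocation as
   received, so /cgi-bin/test-cgi.bat?|dir yields the command line
   "cmd.exe /c test-cgi.bat |dir", and cmd.exe runs dir. The line is only
   built here, never executed. Returns a static buffer, or NULL if too long. */
static const char *build_bat_cmdline_unsafe(const char *script, const char *query)
{
    static char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "cmd.exe /c %s %s", script, query);
    return (n >= 0 && (size_t)n < sizeof cmd) ? cmd : NULL;
}

/* AFTER: refuse to build a command line at all when the argument fails the
   allow-list; the request should then be answered with an error. */
static const char *build_bat_cmdline_safe(const char *script, const char *query)
{
    if (!arg_is_safe(query))
        return NULL;
    return build_bat_cmdline_unsafe(script, query);
}

int main(void)
{
    const char *safe = build_bat_cmdline_safe("test-cgi.bat", "|dir");
    printf("unsafe: %s\n", build_bat_cmdline_unsafe("test-cgi.bat", "|dir"));
    printf("safe:   %s\n", safe ? safe : "(request rejected)");
    return 0;
}
```

Quoting the argument instead of rejecting it is not a substitute: cmd.exe's quoting rules are inconsistent enough that an allow-list is the only approach that is easy to verify.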


Illegal Operation Handling Flaw

5/18/01
CVE 2001-1342
A vulnerability in the Windows and OS/2 versions of Apache allows a remote attacker to make the web server process fault (an "illegal operation" in Windows terms). The server then remains unresponsive until an administrator clears the fault and restarts it.

The Windows and OS/2 versions of Apache 1.3.19 and earlier are affected by this vulnerability unless the patch has been applied.

Resolutions

Upgrade Apache 1.x to version 1.3.27 or higher, or 2.x to version 2.0.45 or higher.

8/20/02
The directory traversal vulnerability affecting Apache 2.0 through 2.0.39 (CAN 2002-0661) can be mitigated by a one-line addition to the httpd.conf file. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the Global Environment section; it answers any request whose URL contains a backslash followed by two dots, the traversal sequence that was not being filtered, with a 400 error:

   RedirectMatch 400 "\\\.\."
However, it is preferable to upgrade to a current version of Apache: the workaround only blocks the traversal pattern, while the fixed releases also close two minor path-revealing exposures.

Where can I read more about this?

The vulnerabilities in Apache 2.0 were reported in the Apache 2.0.44 release announcement and the Apache 2.0.45 release announcement. The directory traversal vulnerability is briefly described in an Apache Security Bulletin; more information is available in a later Bugtraq posting. The chunked encoding vulnerability was reported in CERT Advisory CA-2002-17 and an Apache Security Bulletin. The potential vulnerabilities in Apache versions prior to 1.3.27 were reported in the Apache 1.3.27 release announcement. The batch file processing vulnerability was posted to Bugtraq and reported in CIAC Bulletin M-070. The illegal operation handling flaw was posted to the Apache announcements list.