Internet Security Systems and NGSSoftware found a security issue with chunk encoding in the popular Apache web server. The problems may lead to a remote compromise and denial of service.
1) Apache Chunk Handling advisories
ISS Advisory “Remote Compromise Vulnerability in Apache HTTP Server”
Brief description: ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.
Affected versions: Many commercial Web Application Servers such as Oracle 9ias and IBM Websphere use Apache HTTP Server to process HTTP requests. Additional products that bundle Apache HTTP Server for Windows may be affected.
Apache Security Bulletin
Brief description: Versions of the Apache web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources.
We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory. Please note that the patch provided by ISS does not correct this vulnerability.
CERT Advisory CA-2002-17 – Apache Web Server Chunk Handling Vulnerability
Brief description: There is a remotely exploitable vulnerability in the handling of large chunks of data in web servers that are based on Apache source code. This vulnerability is present by default in configurations of Apache web servers versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.
2) Problem discussion:
David Litchfield – david(a)ngssoftware.com on Bugtraq
Like ISS obviously did, one of the first things NGSSoftware did after the eEye ASP Chunk Transfer Encoding vulnerability came out, was check ‘what else’ is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted that the Win32 distribution of Apache was vulnerable.
However, our approach to addressing this problem was/is completely different. We alerted Oracle, Apahce and CERT.
Our last response from Mark Fox of Apache was that they “have decided that we need to co-ordinate this issue with CERT so that we can get other vendors who ship Apache in their OS and projects aheads-up to this issue.” NGSSoftware, of course agreed that this would be the best plan of action as most people who use the Win32 Apache version do not have a compiler and so can take steps to protect themselves. They’re mostly relying on their apache ‘supplier’ to produce a patch.
Of course, with a premature release from ISS many are now left vulnerable without a patch from the apache ‘supplier’.
This, now, leads to the next issue. There have been many instances where two or more security organizations discover the same vulnerability at the same time but differ in the manner and time at which they choose to alert the general public, leading to all sorts of problems.
With more people and organisations doing security research, perhaps it is time for a Vulnerability Co-ordinator Center (a VCC) – some trusted third party like an off-shoot of CERT. I know this is not a new idea and one which has been brought up before but one I think should perhaps be discussed again and acted upon.
When a vendor is alerted the VCC is CC’d (pun not intentional) and this way a co-ordinated full alert can go out when the time is right.
Marc Maiffret – marc(a)eeye.com on BugTraq
You bring up a good point David. Barely anyone in the Windows world is going to sit and recompile their Apache versions especially with software like Oracle that also uses Apache. ISS has left all these people in a _very_ bad position.
It is worse than that though. According to Apache the ISS source code patch does not even work.
Since there has actually been many chunked encoding vulnerabilities released lately, and exploits (for win32) it only makes sense that it will take no time for someone to develop an exploit for this Apache Win32 chunked overflow, and then start using that to break into systems and what not.
Just read the Apache.org advisory: “While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential a remote exploit vulnerability. We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory.”
Sounds like ISS rushed the release of this to beat you to it Litchfield. That is rather poor on their part.
If someone has an Apache module that strips chunked encoding that _should_ at least give people a work around for this vulnerability for now. Not sure if the module will process before Apache processes chunked encoding itself but if it does it should work. We are currently looking into it.
Robert G. Ferrell – rferrell(a)texas.net on ISN list
Mark Litchfield discovered a vulnerability in Apache, and followed proper channels by contacting the software maintainer and working with them to develop a fix before going public with potentially exploitable details.
ISS bypasses accepted channels completely and posts information about the vulnerability to a public list, providing at the same time a patch that doesn’t seem to fix the vulnerability as stated, along with installation instructions that, while accurate, are not going to be of much use to most Win32 admins.
Apache is now in the position of having to scramble to release a patch before people start exploiting a vulnerability that would not have been widely known if ISS had shown a bit more restraint.
On possible interpretation of the sequence of events (not the only one, but the one that strikes me as most likely) is that ISS wanted to go on record as having reported the vulnerability in Apache (and these are relatively rare) first, come hell or high water. I understand that being first out of the chute can give you a public relations edge in the tough, competitive world of information security products and services, but it looks to me as though going this route is paramount to shooting yourself in both feet with the same bullet. Being first to post a non-existent vulnerability and then providing a patch that wouldn’t fix it anyway ain’t no way to go through life.
Robert Lemos – rob.lemos(a)cnet.com article on CNET
Chris Rouland, director of ISS’s research and development team, known as X-Force, maintains that the company did the right thing when it released an advisory on the issue and included a patch as well. “We are competing with the 10 million hackers out there, who are trying to break in to Web servers,” he said. “The hackers were the real ones that were ticked off that we released the advisory. That’s one less exploit that they could use.”
Read this article on CNET ).
3) Solutions and patches
ISS X-Force has developed a patch for “Remote Compromise Vulnerability in Apache HTTP Serve” issue. The patch is available from the ISS advisory located on the top of this paper.
(Please note that the patch provided by ISS does not correct the vulnerability found by NGSSoftware).
CERT advice: The Apache Software Foundation has released two new versions of Apache that correct this vulnerability. System administrators can prevent the vulnerability from being exploited by upgrading to Apache version 1.3.25 or 2.0.39. The new versions of Apache will be available from their web site at http://httpd.apache.org/
Update: Version 1.3.26 is available to download as of 19.06.2002.
Update: New version of mod_ssl was released and is available on the following address:
4) Vendor security advisories
Vulnerable: SGI is currently investigating this security issue
Vulnerable: Debian GNU/Linux 2.2
Vulnerable: Debian GNU/Linux 2.2 – revised advisory
Vulnerable: Debian GNU/Linux 2.2 – (apache-ssl advisory)
Vendor: EnGarde Linux
Vulnerable: EnGarde Secure Linux
Vulnerable: SuSE Linux 6.4-8.0, SuSE Linux Database Server, SuSE eMail Server III and SuSE Linux Enterprise Server
Vulnerable: Conectiva Linux 6.0-8