Apache Vulnerability Announced

Aaron writes "Versions of the Apache HTTP Server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. In some cases it may be possible to cause a child process to terminate and restart, which consumes a non-trivial amount of resources. See the official announcement and stay tuned here for updated versions." This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0. I am also told that their patch doesn't fully solve the problem. I am sure though that by awaking us to the problem they will get a lot of great press just like any of the other companies currently using useless bug announcements as press releases.

Switch to IIS

Proof positive that IIS is a better web server than Apache. You don't see IIS vulnerabilites spouted all over the internet every day.

Re:Switch to IIS

"You don't see IIS vulnerabilites spouted all over the internet every day."

Yes, they tried but it's hard to get people to work on weekends.

Enough Already

Boy, it's a good thing these problems only affect Micro$oft server software, because it sure would be a pain in the neck if...

...oh, wait.

You mean *nix admins actually have to worry about patches and service packs too?

Don't get me wrong, I don't intend this to be an "I told you so!" from the MS camp to the *nix camp, but rather a polite reminder that all admins have to keep up with their patches, service packs, and whatever. You can't just install Apache and let it go. You need to know what you're doing.

There's a difference between an "admin" and "someone who installed some software".

Re:Enough Already

"Most IIS patches (read: not IE, a completely different product) are out whithin days or a week at the most as well."

The reason Microsoft patches are released close to when bugs are announced is because most security researchers withhold their reports until the vendor has a patch ready. Responsible disclosure and all. Eeye discovered the latest .htr bug in IIS and they waited until the hotfix was ready.

A lot of noise?

"Useless bug announcements" are a special topic. May be, some bugs appear intentionally to make a lot of noise of it?

Not enough time!!

Hey, it's not Apache org's fault that the bug is around. If those damned security news sites wouldn't release the exploits so soon then it wouldn't be a problem. It's those irresponsible bastards that are the problem here. Sheesh, the nerve.

A bug in open source code?

That's unpossible!

Useless bug announcements-- My turn!

The Rocjoe Institute is reporting that under some conditions, Windows *may* crash...

Finally...

Good to know that some Grey Hats are working on finding holes in Apache, too. That way it can stay ahead of IIS, which gets patched on a rather regular basis.

echo Patch apache >> todo.txt

Debian

so how long before i need to apt-get update && apt-get upgrade? :)

It's still better than IIS

Despite the existence of a flaw, it's going to be less serious than a comparable flaw in IIS. No, I'm not an anti-MS bigot; Apache typically runs an an unprivledged user. Thus, you can't root the box because of this flaw. If it were IIS, you'd have system level privledges.

Apache team not trusted

I posted this as a story earlier...

Turns out the ISS X-Force team doesn't trust the Apache crew to fix what seems to be a very serious exploitable bug in the http code. They just released an advisory to the Bugtraq mailing list here [securityfocus.com] and provided some 'patch code'. The patch code (which attempted to typcast the vulnerable area) doesn't seem to fix the issue.
So in effect there are a bunch of Apache servers out there with a possibly remote exploitable buffer overflow. Was this a big ooops on the part of ISS?
One has to wonder why they didn't go to the Apache team first with this? Rumor has it that ISS feels that Red Hat has burned them (ISS) in the past and since the Apache team has some Red Hat employees they shouldn't be trusted.
Another rumor that has been floating is that the ISS team doesn't consider Apache to be "a vendor" and therefore doesn't need to follow the normal disclosure rules. This sets a pretty bad precedant of not working with vendors just because you don't get along with them. A companies personal pettiness should not be allowed to override the security of a majority of the internets websites. The patch has offically made it into the Apache CVS but again why the hell didn't ISS talk with Apache? I noticed another post by NGGS (referenced in link above) that they already had a CVS number so they appeared to have gone through the proper channels and got 'beat to the punch' by ISS. Sounds like a motive to me....

Re:Apache team not trusted

From

- len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;

to

+ len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r->remaining

is _not_ a fix. It's a total kludge. If a variable can contain a value that exceeds the range of its type, such that it has a different value when cast to unsigned type, the _the variable is of the wrong type_, and _that's_ the problem that needs to be fixed.

This is nothing but lousy Elastoplast.

FP.

Re:Apache team not trusted

The compiler generates different code depending on whether it's comparing signed or unsigned values.
To pick a nit, on a number of architectures, the difference is not in the code to compare the quantities but the code in the conditional jump. Somehow casting a signed value to an unsigned value sounds like an opportunity for lots of subtle mischief. The Apache team is wise to examine this stuff carefully and not let themselves get panicked into doing something stupid.

Thoughts on this hole

(A) Bugtraq and associated lists perhaps have held off on posting this, MAYBE, but then this brings us back to the Full Disclosure arguement.

(B) Better question: Why is ISS releasing a poorly researched hole (they didn't even know that Apache 2.x had it) and a worthless patch prior to contacting the vendor? Premature ejaculation here or WHAT?

I fail to see what their hurry was, lest their market share is dipping and they really needed to beat someone (such as David Litchfield?) to the punch.

This is completely irresponsible. There are scores of devices that use Apache embedded. These manufacturers and THEIR clients now need to come up with something *fast* to get locked down.

F'n genius....

Full disclosure and reputations...

Well, I think it can be safely reasoned that ISS cannot be considered a reputable security organization. Do you really want to give these guys any money when:

1) They are unable to fully understand the nature of a discovered flaw

2) They are unable to release a patch that solves the problem (demonstrating a lack of a good QA process)

3) They have demonstrated an inability to work effectively with industry leading software developers

I don't know about you, but I'd be hard pressed to trust my business or even my home data to the security of an organization that is so apparently incompetent. They have a lot of 'splaining to do.

Bugs Apply To All Software

Every large piece of software has bugs. It is inevitable. The difference is that if a piece of software is written with security in mind, it will have less bugs. If a piece of software is written with backward-compatibility, ease of use, performance at any cost, etc.., it will have more bugs.

Impact on *nix platforms

From the bulletin [apache.org]:
Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as.

It seems that thanks to the *nix way of handling processes and their childs, this represents minor threat than on other platforms, in which it is even more easily exploitable as a DOS attack. However, this is not minor news eve for us using *nix breeds.

ISS patch is not complete

As noted by valcu.gheorghe@caatoosee.ro on Bugtraq:

----
The patch that mentioned casting bufsiz from an int to an unsigned int
failed to do a few things:

1) There are 2 instances of the same code in http_protocol.c that need
to be fixed, as both suffer from the same problem
2) The cast to unsigned int was only done in comparison, and was not
done in assignment, which could possibly lead to problems down the road
with the int value?

I haven't checked any of this, just noticed it and was really just
wondering "why wasn't this done?".

The code that is apparently "buggy" is this:

len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;

The code was mentioned to be changed to this:

len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :
r->remaining;

However, this doesn't assign that casted value to len_to_read, it just
uses the cast for comparison and then passes on the possibly bogus data
on to len_to_read.

So, should the fix not be to change it to:

len_to_read = (r->remaining > (unsigned int)bufsiz) ? (unsigned
int)bufsiz : r->remaining;

Also, like I mentioned, there are two places where this happens in
http_protocol.c, one at line 2062, and the other (the one mentioned in
the patch) at 2174.

-----

Double standard

This is in response to the rather uninformed and questionable security notice by ISS X-Force, about a bug that has already been mentioned on the public mailing lists for Apache and is fixed in CVS for Apache 2.0.

So your company publicizes a bug for IIS, you're a hero. Publicize one for Apache, you're now "uninformed and questionable"? Geez.

It's not just a DoS

This is a memory mismanagement issue, AKA a sort of buffer overflow. In this case, under certian platforms and implementations it can be exploited to execute arbitrary code with the web server's UID (usually nobody/www/nopriv/etc). It's worse than you think.

doesnt it saw "windows version"?

It claims that it's a 32 bit overflow problem - and in unices it will cause the child process to terminate. This post almost got me thinking i had to upgrade to a new version... ;)
If you're running on a sane OS, The bug seeme negligable.. so a few people will have to hit reload if they try to do funny stuff.
(It's not easy foreseeing 'issues' with dealing with a non-open or standardized OS)
isnt using a good server software on an OS that really WAS NOT made for server functions sort of like using a bandaid to cover up leporacy? (sp?)

Oh lovely

Here come all the 'Linux death watch'/'Linux is evil' trolls with their nonsense about how Linux is more insecure than Windows. Death to all trolls!

What happened to disclosure lead times?

WTF!?!?!

What happened to the lead time given to a software vendor before publishing a vulnerability ? I thought that all professional 'sploit hunters honoured this.

The idea is to give the vendor time to produce a patch so that when you announce the vulnerability there is an official patch available. It's 22:16 here now and I'll be sat up half the night waiting to see if Apache release a patch because I have around 20 servers that run Apache, and I can't sleep until I know they're secure.

I'm all for full disclosure, but I much prefer RESPONSIBLE full disclosure. If anyone from IIS is reading this, you're a bunch of immature mornons. Play by the rules or fuck off!

Scuse me

In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in this way.

Ok can someone PLEASE explain what this report is about? Can you or can you not cause a stack overwrite on x86 Linux? it says that 32 bit unices it won't work; how is the stack handling different from 'doze? it then goes on to say that 64 bit architectures can be exploited and that "Apache 1.3 on windows is exploitable in this way". Apache on windows == 32 bit != 64 bit!

Someone care to clarify?

Most can wait for a patch

From the ISS article:

"X-Force has verified that this issue is exploitable on Apache for Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same source code, but X-Force believes that successful exploitation on most Unix platforms is unlikely."

Sounds to me like it's nothing more than your basic overflow. While the article from Apache mentions the possible execution of code, I think they're referring to the Windows platform. Since all daemons have full security (root) on Windows, it makes sense that an attacker could run malicious code on a Windows machine. With *nix, Apache runs as nobody (by default, anyway) so attackers can't run any code as root, greatly reducing the amount of damage other than a DoS.

It also mentions that the overflow consumes more resources on Windows, since on *nix it's only a child process restarting rather than the ENTIRE process restarting.

Since there's no proof of concept issued yet, it's unlikely that a widespread attack will occur before a patch is issued.

Don't point the finger at ISS.

What they did (unilaterally going ahead and releasing a bug they discoverd) is shady, but you should instead point the finger of blame at the Apache group for distributing a buggy product (IIS had a similar problem with chunking way back when... what's that cliche about forgetting history?) and, if you're the one who's pimping open source as the best thing since sliced bread to anyone who will or won't listen, point the finger right back at yourself for blindly trusting the code you're running.

The fact is, I do trust the Apache group...

The fact is, I do trust the Apache group. And for good reason. I know the code is flawed because I write software for a living. All code is flawed, and to believe otherwise is folly. I also know that the competing products are also flawed. What Apache offers that none of their major competitors provide is access to the code. Give me the patch, and I'll apply it myself. If I'm still concerned, I can have a look around the code. And most importantly, they do a much better job at getting the fixes out in a timely manner.

Unfortunately, the exploit clock is now actively running which, no thanks to ISS, was an otherwise unnecessary hassle. That said however, I am confident that hundreds of very concerned and capable open source programmers will be able to outpace the dozen or so overworked and underpaid software engineers who have the misfortune of handling Microsoft's IIS holes.

Lastly, the vendors who provide Apache in their distributions do not have a monopoly on the market place. Their response time is critical to their relationship with their customers. Microsoft, by comparison, has no such relationship with their customers. Having personally been on the receiving end of many thousands of hours of Microsoft's service contracts, partnership deals, inside promotions, and developer support, I can safely say that we spent a lot of money for nothing. Microsoft ignores their preferred partners and Fortune 500 customers just as much as they discount the average desktop user. Through various positions, I've participated directly in all three cases, and after years of poor support from Microsoft, Linux has become a necessary and major factor in how I do business.

-Hope

Too good

From the official announcement:

Please note that the patch provided by ISS does not correct this vulnerability.

Will upgrading to 32-bit color on my hard drive fix it or do I need to upgrade my monitor refresh rate to 512MB?

ISS posts a response

Nothing about their motive to release this without notifying the vendor (apache dev team) but sheds light on remotely exploitable aspects of this find.

----------

This vulnerability was originally detected auditing the Apache 2.0 source
tree. Apache 2.0 uses the same function to determine the chunk size, and
has the same vulnerable signed comparison. It is, however, not vulnerable
(by luck?) due to a signed comparison deep within the buffered reading
routines (within core_input_filter).

This issue is no more exploitable or unexploitable on a 32-bit platform than
on a 64-bit platform. Due to the signed comparison, the minimum size passed
to the memcpy() function is 0x80000000 or about 2gb. Unless Apache has over
2gb of contiguous stack memory located after the target buffer in memory, a
segmentation fault will be caused. If you understand how the stack is used,
you will understand that this is an impossibility.

Apache on "Win32" is not exploitable due to any "64-bit" addressing issues.
It is easily exploitable due to the nature of structured exception handling
on Windows and the fact that exception handler pointers are stored on the
stack.

If the DoS vulnerability is related to the overflow then the ISS patch will
work to prevent it. The unsigned comparison prevents any stack overflow and
as a result any related DoS issue is prevented. If the DoS issue is
unrelated, then of course the ISS patch will not be of any help.

ISS X-Force

Updates

Updates to this story can also be found here [myhometechie.com]

IIUC

If I understand correctly, my i686 boxes running Linux are vulnerable to the DOS attack using the invalid remote request IF the default "chunk encoding" response is enabled. But I'm not vulnerable to the stackoverflow remote vulernability because I (1) don't have a 64 bit processor and (2) don't run Windows.

Question: where do I change the default "chunk encoding" response to an invalid request?

Some more data

Some more data has become public: Some one close to the Apache team claimed that the IIS patch is wrong [uni-stuttgart.de], and there's a response from IIS [uni-stuttgart.de]. Maybe the IIS patch does fix the problem, but it is certainly not the most obvious and reader-friendly way to do it.

And, by the way, we have extrated the critical patch [uni-stuttgart.de] from the 1.3.x CVS (currently skipping mod_proxy), created a Debian package [uni-stuttgart.de] containing it, and written a German notice [uni-stuttgart.de] (still preliminary) for our free security newsletter [uni-stuttgart.de]. (The Debian package will be updated as new changes appear in the Apache CVS .)