Forum: Geek Forum
Topic: Apache Buffer Overflow
started by: Wiley

Posted by Wiley on Jun. 21 2002,02:33
To Eliminate the Apache Chunked Vulnerability From Your Systems:
The Apache Software Foundation has released versions 1.3.26 and 2.0.39 to address and fix this issue. You may download these patched versions from:
http://www.apache.org/dist/httpd/

just an FYI for you Webmasters who haven't seen the light and moved to IIS.
Posted by incubus on Jun. 24 2002,17:01
Quote (Wiley @ 20 June 2002,18:33)
just an FYI for you Webmasters who haven't seen the light and moved to IIS.

... must ... not ... be ... trolled ... </strain>
Posted by RadioActive on Jun. 24 2002,19:00
Quote (Wiley @ 20 June 2002,21:33)
just an FYI for you Webmasters who haven't seen the light and moved to IIS.

too bad that light is a freight train coming straight at you
Posted by Wiley on Jun. 24 2002,19:09
:p
Posted by Dysorderia on Jun. 25 2002,01:20
Quote (F.U.C.K @ my mailbox)
Subj: [FUCK] Apache bug - workaround found
Date: 6/22/02 3:18:14 PM Pacific Daylight Time
From: shaddack@ns.arachne.cz
Sender: owner-fuck@attrition.org
Reply-to: shaddack@ns.arachne.cz
To: fuck@attrition.org, shaddack@arachne.cz
As you probably already know, there was a security hole discovered in
Apache webserver, up to the newest versions. (The newest newest version
with the hole patched was just released, I am figuring out how to
configure it to work without breaking any of the add-ons we need.)

The hole allows crashing the server subprocess (harmless, though a
possible denial-of-service), and possibly even running arbitrary code with
the server rights (very dangerous, can be exploited for hacking the
machine).

I just found a way to neuter that bug. It is dependent on telling the
server to handle the incoming data encoding as "chunked", then telling the
server invalid size of the chunk. Transfer encoding "chunked" is almost
never used, except very few special cases outside of our current scope of
interest.

The value of the "Transfer-encoding:" header is compared with the string
"chunked", which is stored somewhere in the binary file of the webserver
program. Before comparison, leading and trailing spaces are stripped from
the value. My method involves finding the string "chunked" in the binary
file, and overwriting it with any hexadecimal editor to the value
"       ", or seven spaces. This causes the server to never be able to
evaluate any transfer encoding header as chunked, thus disabling the
problematic function. As we will never use it anyway, it should cause no
problem. However, any attacker attempting to exploit this hole will knock
on a nonexistent door.

I just tested the solution and submitted it to Bugtraq, a must-read list for
security professionals. It is very very simple, should work across the
platforms and versions, and doesn't require anything other than a
hexeditor to be implemented, so could make me pretty popular. Anyway, we
will see the reactions... :)
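The mail quoted above rests on two mechanics: the server recognises "Transfer-Encoding: chunked" only after stripping surrounding whitespace from the header value, and the bug is reached by feeding it an invalid chunk size. The following Python is an added example written for this thread, not code from the mailing-list post or from Apache; it models the header comparison (so you can see why a literal of seven spaces can never match) and shows a chunked-body decoder that refuses malformed or oversized chunk-size lines instead of trusting them. The 1 MiB cap and all sample bodies are constructed for the example.

```python
"""Strict handling of HTTP/1.1 chunked transfer encoding (added example).

Defender's view of the two points the quoted mail makes:
  1. is_chunked(): value is whitespace-stripped, then compared to a literal.
     Passing seven spaces as the literal models the hex-edited binary.
  2. decode_chunked(): every chunk-size line is validated before use, so an
     invalid or absurdly large size is rejected rather than acted upon.
"""

import re

# Assumed upper bound for a single chunk in this example; a real server
# would pick this from its request-body limits.
MAX_CHUNK_SIZE = 1 << 20  # 1 MiB

# chunk-size = 1*HEXDIG [ ";" chunk-ext ]   (at most 8 hex digits accepted here)
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,8})(;[^\r\n]*)?$")


class ChunkError(ValueError):
    """Raised when a chunked body is malformed."""


def is_chunked(header_value: str, literal: bytes = b"chunked") -> bool:
    """Strip leading/trailing whitespace from the Transfer-Encoding value and
    compare it (case-insensitively) against the literal the server carries.
    With literal=b"       " (seven spaces) no input can ever match, because
    a stripped value never has leading or trailing spaces left."""
    value = header_value.strip().encode("ascii", "replace")
    return value.lower() == literal.lower()


def decode_chunked(body: bytes, max_chunk: int = MAX_CHUNK_SIZE) -> bytes:
    """Decode a chunked body, raising ChunkError on any invalid size line,
    truncated chunk, or missing CRLF. Returns the reassembled payload."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ChunkError("missing CRLF after chunk-size line")
        line = body[pos:end]
        m = _CHUNK_SIZE_RE.match(line)
        if not m:
            # Non-hex, negative, empty, or too-long size fields all land here.
            raise ChunkError(f"invalid chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        if size > max_chunk:
            raise ChunkError(f"chunk size {size:#x} exceeds limit {max_chunk:#x}")
        pos = end + 2
        if size == 0:
            # last-chunk: optional trailer fields follow; they are ignored here.
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkError("missing CRLF after chunk data")
        pos += 2


def is_valid_chunked(body: bytes, max_chunk: int = MAX_CHUNK_SIZE) -> bool:
    """Convenience wrapper: True if the body decodes cleanly, else False."""
    try:
        decode_chunked(body, max_chunk)
        return True
    except ChunkError:
        return False


if __name__ == "__main__":
    # Constructed sample bodies.
    good = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    bad_sizes = [b"-1\r\n", b"zz\r\n", b"ffffffffffff\r\n", b"80000000\r\n"]
    print(decode_chunked(good))
    for b in bad_sizes:
        print(b, "->", "accepted" if is_valid_chunked(b) else "rejected")
    print(is_chunked("  chunked "), is_chunked("  chunked ", literal=b"       "))
```

The point of the wrapper is that the decision to accept a chunk size is made in one place, before any buffer is sized from it; that is the check the quoted mail's workaround sidesteps entirely by making the server never enter the chunked path.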
Posted by Beldurin on Jun. 25 2002,02:45
Quote (incubus @ 24 June 2002,11:01)
Quote (Wiley @ 20 June 2002,18:33)
just an FYI for you Webmasters who haven't seen the light and moved to IIS.

... must ... not ... be ... trolled ... </strain>
I think we've resisted quite nicely!  But, having worked with both, I must say in IIS' favor, it's a much easier point-and-click system than Apache.  You know, for all of those so-called web server admins who actually don't know their ass from port 80 and so couldn't handle Apache... :p  :p


Posted by Bob_the_Cannibal on Jun. 25 2002,03:13
IIS :: apache : AOL :: any other ISP
Posted by Wiley on Jun. 25 2002,05:47
What's a port 80?
Posted by Beldurin on Jun. 25 2002,06:09
Quote (Wiley @ 24 June 2002,23:47)
What's a port 80?

rofl dude, you just cracked my shit up...I so did not expect that!   :D

just about fell out of my damn chair...
Posted by Wiley on Jun. 25 2002,16:49
I'm still waiting for somebody to jump in with the whole "I'm studying CIS at such and such school and I know a lot about computers and so let me tell you all about what port 80 is because you are a stupid n00bie who doesn't know all the computers stuffs that I know because I am in my first semester of studying it in school" Isn't that guy due to jump into this thread about now and flame me?
Posted by Darth Liberus on Jun. 26 2002,01:07
thanks for the warning, just patched my systems to 1.26.

that makes one security vulnerability found in Apache in the six months I've been running it here, versus a whole lot for IIS

if you hate tweaking httpd.conf, Webmin makes Apache configuration a breeze.  Works great for BIND too.