RE: Remote Compromise Vulnerability in Apache HTTP Server

["Marc Maiffret" <marc () eeye com>]

You bring up a good point David. Barely anyone in the Windows world is going
to sit and recompile their Apache versions especially with software like
Oracle that also uses Apache. ISS has left all these people in a _very_ bad
position.

It is worse than that though. According to Apache the ISS source code patch
does not even work.

Since there has actually been many chunked encoding vulnerabilities released
lately, and exploits (for win32) it only makes sense that it will take no
time for someone to develop an exploit for this Apache Win32 chunked
overflow, and then start using that to break into systems and what not.

Just read the Apache.org advisory:
"While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows.  Investigation by the Apache
Software Foundation showed that this issue has a wider scope, which on some
platforms results in a denial of service vulnerability, while on some other
platforms presents a potential a remote exploit vulnerability.
We were also notified today by ISS that they had published the same issue
which has forced the early release of this advisory."
Sounds like ISS rushed the release of this to beat you to it Litchfield.
That is rather poor on their part.

If someone has an Apache module that strips chunked encoding that _should_
at least give people a work around for this vulnerability for now. Not sure
if the module will process before Apache processes chunked encoding itself
but if it does it should work. We are currently looking into it.


Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: David Litchfield [mailto:david () ngssoftware com]
| Sent: Monday, June 17, 2002 10:08 AM
| To: bugtraq () securityfocus com
| Subject: Re: Remote Compromise Vulnerability in Apache HTTP Server
|
|
| Like ISS obviously did, one of the first things NGSSoftware did after the
| eEye ASP Chunk Transfer Encoding vulnerability came out, was check 'what
| else' is vulnerable to this kind of issue. Like ISS, NGSSoftware
| also noted
| that the Win32 distribution of Apache was vulnerable.
|
| However, our approach to addressing this problem was/is completely
| different. We alerted Oracle, Apahce and CERT.
|
| Our last response from Mark Fox of Apache was that they "have decided that
| we need to co-ordinate this issue with CERT so that we can get
| other vendors
| who ship Apache in their OS and projects aheads-up to this issue."
| NGSSoftware, of course agreed that this would be the best plan of
| action as
| most people who use the Win32 Apache version do not have a compiler and so
| can take steps to protect themselves. They're mostly relying on
| their apache
| 'supplier' to produce a patch.
|
| Of course, with a premature release from ISS many are now left vulnerable
| without a patch from the apache 'supplier'.
|
| This, now, leads to the next issue. There have been many
| instances where two
| or more security organizations discover the same vulnerability at the same
| time but differ in the manner and time at which they choose to alert the
| general public, leading to all sorts of problems.
|
| With more people and organisations doing security research, perhaps it is
| time for a Vulnerability Co-ordinator Center (a VCC) - some trusted third
| party like an off-shoot of CERT. I know this is not a new idea
| and one which
| has been brought up before but one I think should perhaps be
| discussed again
| and acted upon.
|
| When a vendor is alerted the VCC is CC'd (pun not intentional)
| and this way
| a co-ordinated full alert can go out when the time is right.
|
| Any takers???
|
| Cheers,
| David Litchfield
| Next Generation Security Software Ltd
| http://www.ngssoftware.com/
| +44(0)208 401 0070
|
|