A chunk handling vulnerability has been detected in versions of the open-source
Apache Web server that could cause denial-of-service
attacks or allow an attacker to take remote control of a server.
According to the Computer Emergency Response Team Coordination Center
(CERT), a malformed request sent to Web servers based on Apache code
versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36 can crash or
even lead to the exploitation of some servers.
In a separate advisory, the Apache Foundation confirmed the flaw but warned there was not yet a
comprehensive fix available.
The warning, which was first reported by Internet Security Systems
(ISS), has created bad blood in the software security space, with Apache
officials upset that they were not notified before ISS issued its
advisory and patch. “We were also notified today by ISS that they had
published the same issue which has forced the early release of this
advisory,” the Foundation said.
It added that the security patch issued by the ISS “does not correct this
vulnerability.”
The Apache Foundation said versions of its Web server up to and including
1.3.24, and 2.0 versions up to and including 2.0.36 and 2.0.36-dev, contain a
bug in the routines that handle invalid requests encoded using chunked
encoding. The vulnerability can be triggered remotely by sending a carefully
crafted invalid request using chunked encoding, which is enabled by default,
it explained.
“In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate. At the least, this could help a
remote attacker launch a denial of service attack as the parent process
will eventually have to replace the terminated child process and starting
new children uses non-trivial amounts of resources,” Apache said.
Because Apache servers on the Windows and Netware platforms run one
multithreaded child process to service requests, the Foundation said the
teardown and subsequent setup time to replace the lost child process
presents a significant interruption of service. “As the Windows and Netware
ports create a new process and reread the configuration, rather than fork a
child process, this delay is much more pronounced than on other platforms,”
it explained.
In the Apache 2.0 version, it said the error condition is correctly detected
and would not allow an attacker to execute code on the server. In Apache
1.3, it said the issue causes a stack overflow.
“Due to the nature of the overflow on 32-bit Unix platforms this will cause
a segmentation violation and the child will terminate. However on 64-bit
platforms the overflow can be controlled and so for platforms that store
return addresses on the stack it is likely that it is further exploitable.
This could allow arbitrary code to be run on the server as the user the
Apache children are set to run as,” Apache said, adding that Apache 1.3 on Windows was also
exploitable in this way.
While the Apache Foundation has released two new versions to correct the
vulnerability, it said a comprehensive patch would be posted on its Web site.
The CERT advisory said vendor patches should be used to correct the
vulnerability but warned that statements from affected vendors may not be
readily available “because the publication of this advisory was
unexpectedly accelerated,” an obvious reference to the brouhaha over the
way the ISS handled the issue.
Meanwhile, the ISS issued a rebuttal statement, confirming the patch it
issued won’t work “if the DoS vulnerability is related to the (stack)
overflow.”
“If the DoS vulnerability is related to the overflow then the ISS patch will
work to prevent it. The unsigned comparison prevents any stack overflow and
as a result any related DoS issue is prevented. If the DoS issue is
unrelated, then of course the ISS patch will not be of any help,” the ISS
said in a statement posted on the BugTraq list.
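The bug described above, a chunk-size handling routine in which a signed comparison lets an oversized length through, and the ISS statement that an unsigned comparison prevents the overflow, come down to a few lines of arithmetic. The following C is an added illustration written for this article; it is not Apache's code and not the ISS patch. It pairs a strict parser for the hexadecimal chunk-size field with two clamps: one that holds the length in a signed long in the style of the 1.3 flaw, and one that keeps it unsigned. The buffer size `BODY_BUF`, the function names and the hostile input built from `ULONG_MAX` are all constructed for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Fixed per-read body buffer of a request handler. Constructed for this
 * example; it is not Apache's buffer size. */
#define BODY_BUF 8192UL

/* Strict parser for the hexadecimal chunk-size field of a chunked body.
 * Returns 0 and stores the value, or -1 if the field is empty, carries a
 * sign or "0x" prefix, has junk before the optional ";extension", or does
 * not fit in an unsigned long. */
static int parse_chunk_size(const char *field, unsigned long *out)
{
    char *end;
    if (!isxdigit((unsigned char)field[0]))
        return -1;                       /* rejects "", "-1", " 1a" */
    if (field[0] == '0' && (field[1] == 'x' || field[1] == 'X'))
        return -1;                       /* strtoul would accept "0x" */
    errno = 0;
    unsigned long v = strtoul(field, &end, 16);
    if (errno == ERANGE)
        return -1;                       /* too large to represent */
    if (*end != '\0' && *end != ';' && *end != '\r')
        return -1;                       /* junk after the size */
    *out = v;
    return 0;
}

/* Flawed clamp in the style of the 1.3 bug: the length is held and compared
 * as a signed long. A size with the top bit set converts to a negative value
 * (modular on mainstream compilers), so "len > BODY_BUF" is false, and the
 * negative length would become an enormous size_t for the copy that follows.
 * Returns 1 if that copy would exceed BODY_BUF, 0 otherwise (or if rejected). */
static int flawed_overflows(const char *field)
{
    unsigned long n;
    if (parse_chunk_size(field, &n) != 0)
        return 0;                        /* rejected: nothing copied */
    long len = (long)n;
    if (len > (long)BODY_BUF)
        len = (long)BODY_BUF;
    return (size_t)len > BODY_BUF;       /* -1 -> SIZE_MAX: overflow */
}

/* Fixed clamp in the spirit of the "unsigned comparison" ISS mentions: the
 * length never leaves the unsigned domain, so the clamped value can never
 * exceed BODY_BUF. Returns the clamped length, or -1 if the field is rejected. */
static long fixed_len(const char *field)
{
    unsigned long n;
    if (parse_chunk_size(field, &n) != 0)
        return -1;
    return (long)(n > BODY_BUF ? BODY_BUF : n);
}

/* Largest chunk-size field this platform's unsigned long can hold: a
 * constructed hostile input that parses cleanly but wraps when signed. */
static const char *hostile_field(char *buf, size_t buflen)
{
    snprintf(buf, buflen, "%lx", ULONG_MAX);
    return buf;
}

static int hostile_overflows_flawed(void)
{
    char buf[2 * sizeof(unsigned long) + 1];
    return flawed_overflows(hostile_field(buf, sizeof buf));
}

static long hostile_clamped_fixed(void)
{
    char buf[2 * sizeof(unsigned long) + 1];
    return fixed_len(hostile_field(buf, sizeof buf));
}

int main(void)
{
    char buf[2 * sizeof(unsigned long) + 1];
    const char *cases[] = { "1a", "2000;ext=1", "4000", "-1", "0x10",
                            hostile_field(buf, sizeof buf) };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s fixed=%ld flawed_overflows=%d\n", cases[i],
               fixed_len(cases[i]), flawed_overflows(cases[i]));
    return 0;
}
```

The point of the pairing is that the same parser feeds both clamps; only the type used for the comparison differs. With the hostile field the signed clamp reports a copy far larger than the buffer, while the unsigned clamp returns exactly `BODY_BUF`, which is the behaviour the ISS "unsigned comparison" remark describes.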