The Apache Foundation has issued a warning that exploits to its chunk
handling vulnerability are circulating on the Internet, putting users of its
open-source server at high risk.
The vulnerability, which Apache now says affects both 64-bit platforms and 32-bit
platforms alike, could cause denial-of-service
or allow a attacker to take remote control of a server.
“Though we previously reported that 32-bit platforms were not remotely
exploitable, it has since been proven (that certain conditions allowing
exploitation do exist),” Apache warned, urging users upgrade to versions
1.3.26 and 2.0.39 to apply a comprehensive fix.
“Due to the existence of exploits circulating in the wild for some
the risk is considered high…All users are urged to upgrade immediately,”
the Foundation said.
Apache updated its security
bulletin to warn that exploitation of the chunk handling bug could lead
to the further exploitation of vulnerabilities unrelated to Apache on the
local system, potentially allowing the intruder root access.
“Note that early patches for this issue released by ISS and others do not
address its full scope,” Apache said, referring to a patch that was issued
by the Internet Security Systems (IIS) that did not offer a comprehensive
The existence of the Apache exploit made the rounds on the popular Bugtraq security e-mail
list. Posts to the list include this warning that the Apache exploit tool was “./friendly,”
meaning anyone with basic scripting capabilities “should be able to run it
without any trouble.”
The release of the source code for the Apache exploit adds new fuel to the
controversy over how the bug announcement was handled. The original warning
was first reported by the ISS, causing friction between the security outfit
and the Apache Foundation.
Apache officials were upset they weren’t first notified before the ISS
issued its advisory and patch, a normal procedure when bugs are detected.
The Apache Foundation said the bug affected versions of its Web server up to
and including 1.3.24 and 2.0 up to and including 2.0.36 and 2.0.36-dev,
warning that it could be triggered remotely by sending a carefully crafted
invalid request, which is enabled by default.
“In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate. At the least, this could help a
remote attacker launch a denial of service attack as the parent process
will eventually have to replace the terminated child process and starting
new children uses non-trivial amounts of resources,” Apache said.
Because Apache servers on the Windows and Netware platforms runs one
multithreaded child process to service requests, the Foundation said the
teardown and subsequent setup time to replace the lost child process
presents a significant interruption of service. “As the Windows and Netware
ports create a new process and reread the configuration, rather than fork a
child process, this delay is much more pronounced than on other platforms,”
In the Apache 2.0 version, it said the error condition is correctly detected
and would not allow an attacker to execute code on the server. In Apache
1.3, it said the issue causes a stack overflow.
The Foundation again warned that vendor patches should be used to correct
the vulnerability as a matter of urgency.