httpd-dev mailing list archives

From Andrew Wilson <and...@aaaaaaaa.demon.co.uk>
Subject CIAC Bulletin G-20: Vulnerability in NCSA and Apache httpd Servers (fwd)
Date Fri, 19 Apr 1996 12:23:59 GMT
Make sure you read all of this, especially the bit about server
code being broken...

An official patch to the 1.0.3 release (or a 1.0.4 release) would
seem timely if this report is to be believed.

Am I r0ng in thinking this is a slightly different report to the
last advisory we got, on the same subject?  I don't remember the
bastards telling us about their new findings.  It'd be nice to be
told in future, how can we set ourselves up as VIPs with their
alerting/research process?

Groan.

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
>              __________________________________________________________
> 
>                        The U.S. Department of Energy
>                     Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>              __________________________________________________________
> 
>                              INFORMATION BULLETIN
> 
>                  Vulnerability in NCSA and Apache httpd Servers
> 
> April 16, 1996 18:00 GMT                                           Number G-20
> ______________________________________________________________________________
> PROBLEM:       A vulnerability exists in the httpd servers provided by NCSA
>                and the Apache organization
> PLATFORM:      All systems capable of running either httpd
> DAMAGE:        A user can potentially gain the same access privileges as the
>                httpd server
> SOLUTION:      For NCSA httpd, upgrade to the latest version; For Apache httpd,
>                install the patch described below
> ______________________________________________________________________________
> VULNERABILITY  This vulnerability can lead to compromise of a web server
> ASSESSMENT:
> ______________________________________________________________________________
> 
> [ Start IBM Bulletin ]
> 
>                   =======  ============    ======       ======
>                   =======  ==============  =======     =======
>                     ===      ===     ====    ======   ======
>                     ===      ===========     ======= =======
>                     ===      ===========     === ======= ===
>                     ===      ===     ====    ===  =====  ===
>                   =======  ==============  =====   ===   =====
>                   =======  ============    =====    =    =====
> 
>                            EMERGENCY RESPONSE SERVICE
>                          SECURITY VULNERABILITY ALERT
> 
> 16 April 1996 16:00 GMT                          Number: ERS-SVA-E01-1996:002.2
> ===============================================================================
>                         UPDATE TO ERS-SVA-E01-1996:002.1
> 
> I. Description
> 
> This Security Vulnerability Alert provides updated information about
> the NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability
> described in ERS-SVA-E01-1996:002.1, which was released on 26 February
> 1996.
> 
> ERS-SVA-E01-1996:002.1 described a vulnerability in the
> escape_shell_cmd() function contained in the Common Gateway Interface
> sample code file "cgi-src/util.c", provided with NCSA HTTPD Version
> 1.5 and earlier, or Apache HTTPD Version 1.0.3 and earlier.  This
> vulnerability allowed a malicious user to embed the newline character
> (Hexadecimal 0A) in a query, allowing an arbitrary shell command to be
> executed by the HTTPD server.
> 
> IBM-ERS has learned that the escape_shell_command() function is also
> contained in the server source code file, "src/util.c".  Note that the files
> "src/util.c" and "cgi-src/util.c" are not identical; however, they contain
> identical copies of the escape_shell_command() function.  The file
> "src/util.c" is used to build the HTTPD server; therefore the "newline"
> vulnerability exists in the server itself.
> 
> II. Impact
> 
> A malicious user who knows how to exercise this vulnerability may have
> the ability to:
> 
>   1. Execute arbitrary commands on the server host using the same
>      user-id as the user running the "httpd" server.  If "httpd" is
>      being run as "root," the unauthorized commands are also run as
>      "root."
> 
>   2. Access any file on the system that is accessible to the user-id
>      that is running the "httpd" server.  If the "httpd" server
>      user-id has read access to the file, the attacker can also read
>      the file.  If the "httpd" server user-id has write access to the
>      file, the attacker can change or destroy the contents of the
>      file.  If the "httpd" server is being run as "root," the attacker
>      can read, modify, or destroy any file on the server host.
> 
>   3. Given an X11-based terminal emulator ("xterm" or equivalent)
>      installed on the "httpd" server host, gain full interactive
>      access to the server host just as if he were logging in locally.
> 
> 
> III. Solutions
> 
> IBM-ERS recommends that you consider taking the following actions
> (subject to any licensing restrictions that may apply to your copies
> of the programs):
> 
> 1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
>    contain this vulnerability.
> 
>    NCSA HTTPD Version 1.5 is available from:
> 
>      ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z
> 
> 2. If you are using Apache HTTPD, locate the escape_shell_command()
>    function in the file "src/util.c" (approximately line 430).  In
>    that function, the line that reads
> 
>      if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
> 
>    should be changed to read
> 
>      if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
> 
>    The server should then be recompiled, reinstalled, and restarted.
> 
> IV. Acknowledgements
> 
> IBM-ERS would like to thank the NASA Automated Systems Incident
> Response Capability (NASIRC) for providing the information contained
> in this update.  NASIRC in turn acknowledges Ken Bell of NASA Goddard
> Institute for Space Studies for bringing this vulnerability to their
> attention, and the NCSA HTTPD Development Team for confirming the
> problem and the fix.
> 
> IBM-ERS would also like to thank Jennifer Myers, a post-doctoral
> fellow at Northwestern University, who originally discovered the
> vulnerability described in ERS-SVA-E01-1996:002.1, and made public the
> description of the problem and its solution.  This acknowledgement was
> omitted from the original alert.
> 
> ===============================================================================
> 
> Copyright 1996 International Business Machines Corporation.
> 
> [ End IBM Bulletin ]
> 
> _______________________________________________________________________________
> 
> CIAC wishes to acknowledge the contributions of IBM Emergency Response
> Service (IBM-ERS), and those they attribute, for the information
> contained in this bulletin.
> _______________________________________________________________________________
> 
> 
> 
> CIAC, the Computer Incident Advisory Capability, is the computer
> security incident response team for the U.S. Department of Energy
> (DOE) and the National Institutes of Health (NIH). CIAC is located at
> the Lawrence Livermore National Laboratory in Livermore,
> California. CIAC is also a founding member of FIRST, the Forum of
> Incident Response and Security Teams, a global organization
> established to foster cooperation and coordination among computer
> security teams worldwide.
> 
> CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> can be contacted at:
>     Voice:    +1 510-422-8193
>     FAX:      +1 510-423-8002
>     STU-III:  +1 510-423-2604
>     E-mail:   ciac@llnl.gov
> 
> For emergencies and off-hour assistance, DOE, DOE contractor sites,
> and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> duty person, and the secondary PIN number, 8550074 is for the CIAC
> Project Leader.
> 
> Previous CIAC notices, anti-virus software, and other information are
> available from the CIAC Computer Security Archive.
> 
>    World Wide Web:      http://ciac.llnl.gov/
>    Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
>    Modem access:        +1 (510) 423-4753 (28.8K baud)
>                         +1 (510) 423-3331 (28.8K baud)
> 
> CIAC has several self-subscribing mailing lists for electronic
> publications:
> 1. CIAC-BULLETIN for Advisories, highest priority - time critical
>    information and Bulletins, important computer security information;
> 2. CIAC-NOTES for Notes, a collection of computer security articles;
> 3. SPI-ANNOUNCE for official news about Security Profile Inspector
>    (SPI) software updates, new features, distribution and
>    availability;
> 4. SPI-NOTES, for discussion of problems and solutions regarding the
>    use of SPI products.
> 
> Our mailing lists are managed by a public domain software package
> called ListProcessor, which ignores E-mail header subject lines. To
> subscribe (add yourself) to one of our mailing lists, send the
> following request as the E-mail message body, substituting
> CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
> valid information for LastName FirstName and PhoneNumber when sending
> 
> E-mail to       ciac-listproc@llnl.gov:
>         subscribe list-name LastName, FirstName PhoneNumber
>   e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
> 
> You will receive an acknowledgment containing address, initial PIN,
> and information on how to change either of them, cancel your
> subscription, or get help.
> 
> PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> communities receive CIAC bulletins.  If you are not part of these
> communities, please contact your agency's response team to report
> incidents. Your agency's team will coordinate with CIAC. The Forum of
> Incident Response and Security Teams (FIRST) is a world-wide
> organization. A list of FIRST member organizations and their
> constituencies can be obtained by sending email to
> docserver@first.org with an empty subject line and a message body
> containing the line: send first-contacts.
> 
> This document was prepared as an account of work sponsored by an
> agency of the United States Government. Neither the United States
> Government nor the University of California nor any of their
> employees, makes any warranty, express or implied, or assumes any
> legal liability or responsibility for the accuracy, completeness, or
> usefulness of any information, apparatus, product, or process
> disclosed, or represents that its use would not infringe privately
> owned rights. Reference herein to any specific commercial products,
> process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the
> University of California. The views and opinions of authors expressed
> herein do not necessarily state or reflect those of the United States
> Government or the University of California, and shall not be used for
> advertising or product endorsement purposes.
> 
> LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
> 
> (G-10a) Winword Macro Viruses
> (G-11)  HP Syslog Vulnerability
> (G-12)  SGI ATT Packaging Utility Security Vulnerability
> (G-13)  Kerberos Version 4 Key Server Vulnerability
> (G-14)  Domain Name Service Vulnerabilities
> (G-15)  Sunsoft Demo CD Vulnerability
> (G-16)  SGI rpc.statd Program Security Vulnerabilities
> (G-17)  Vulnerabilities in Sample HTTPD CGIs
> (G-18)  Digital OSF/1 dxconsole Security Vulnerability
> (G-19)  IBM AIX rmail Vulnerability
> 
> RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
> 
> Notes 07 - 3/29/95     A comprehensive review of SATAN
> 
> Notes 08 - 4/4/95      A Courtney update
> 
> Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
> 
> Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
>                        in S/Key, EBOLA Virus Hoax, and Caibua Virus
> 
> Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
>                        America On-Line Virus Scare, SPI 3.2.2 Released, 
>                        The Die_Hard Virus
> 
> Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
>                        Windows, beta release of Merlin, Microsoft Word
>                        Macro Viruses, Allegations of Inappropriate Data
>                        Collection in Win95
> 
> Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
>                        Conference Announcement, Security and Web Search
>                        Engines, Microsoft Word Macro Virus Update
> 
> 
> 
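To make the one-character fix in section III of the forwarded alert concrete, here is an added example (not the NCSA or Apache src/util.c code) that reimplements the escaping loop over a separate output buffer, with strchr() standing in for the original ind() helper, and adds a check for whether a newline survives unescaped. OLD_META is the character set quoted in the alert, NEW_META is that set with "\n" appended; the function names, buffers and the sample query value are constructed for this illustration.

```c
/* Added example, not the NCSA/Apache source: a re-implementation of the
 * escape_shell_cmd() idea from src/util.c, to show what the patch changes. */
#include <stdio.h>
#include <string.h>

/* Metacharacter sets copied from the alert: before and after the patch. */
#define OLD_META "&;`'\"|*?~<>^()[]{}$\\"
#define NEW_META "&;`'\"|*?~<>^()[]{}$\\\n"

/* Copy cmd into out, prefixing every byte found in meta with a backslash.
 * Returns the length written, or -1 if out is too small.  (Simplification:
 * the original shifts the string in place instead of using a second buffer.) */
int escape_shell_cmd(const char *cmd, const char *meta, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *cmd; cmd++) {
        if (strchr(meta, *cmd) != NULL) {   /* strchr() plays the role of ind() */
            if (n + 1 >= outlen) return -1;
            out[n++] = '\\';
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = *cmd;
    }
    out[n] = '\0';
    return (int)n;
}

/* Defender's check: does the escaped string still contain a newline that
 * /bin/sh would treat as a command separator, i.e. one not preceded by an
 * odd number of backslashes?  Backslash-newline is only a line continuation. */
int has_unescaped_newline(const char *s)
{
    int escaped = 0;
    for (; *s; s++) {
        if (*s == '\n' && !escaped) return 1;
        escaped = (*s == '\\') ? !escaped : 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample query value: an ordinary word, a newline, another word. */
    const char sample[] = "alpha\nbeta";
    char buf[64];
    escape_shell_cmd(sample, OLD_META, buf, sizeof buf);
    printf("old set leaves raw newline: %d\n", has_unescaped_newline(buf));
    escape_shell_cmd(sample, NEW_META, buf, sizeof buf);
    printf("new set leaves raw newline: %d\n", has_unescaped_newline(buf));
    return 0;
}
```

With OLD_META the newline passes through untouched and the check reports 1; with NEW_META it is emitted as backslash-newline and the check reports 0.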

