httpd-dev mailing list archives

From Chuck Murcko <ch...@telebase.com>
Subject Re: READ ME! (was Re: (Fwd) CIAC Bulletin G-20: Vulnerability in NCSA and Apache htt (fwd))
Date Fri, 19 Apr 1996 21:03:55 GMT
Done. Kick me again, so I read the patches right. Sorry.

Brian Behlendorf liltingly intones:
> 
> 
> READ ME!
> 
> Folks, Apache 1.0.4 does *not* fix the problem located in this bulletin.  
> The only difference between 1.0.4 and 1.0.3 is that "cgi-src/util.c" has 
> the newline check implemented - *this* bulletin states that the 
> (potential) vulnerability exists also in "src/util.c".  
> 
> If the person who built 1.0.4 could fix this, update the CHANGES file, as 
> well as /export/pub/apache/dist/CHANGES on hyperreal, today, and then let 
> us know.  I was about to send a message out to apache-announce about this 
> (2454 subscribers!) when I decided on a lark to check.  :)  If I don't 
> hear back from the builder I'll build it myself and replace it.  I humbly 
> suggest this causes a bump to 1.0.5 (hey, it happens, remember Mosaic 
> 2.2?), though I won't protest if 1.0.4 is silently replaced.
> 
> Thanks.
> 
> 	Brian
> 
> On Fri, 19 Apr 1996, Ben Laurie wrote:
> > (Forwarded from ssl-users) ... I have applied the patch to 1.1.
> > 
> > We probably should release 1.0.4!
> > 
> > Its nice of IBM to fix these problems, but you'd think they might _tell_ us!
> > 
> > Cheers,
> > 
> > Ben.
> > 
> > Peter Trei wrote:
> > > 
> > >              __________________________________________________________
> > > 
> > >                        The U.S. Department of Energy
> > >                     Computer Incident Advisory Capability
> > >                            ___  __ __    _     ___
> > >                           /       |     /_\   /
> > >                           \___  __|__  /   \  \___
> > >              __________________________________________________________
> > > 
> > >                              INFORMATION BULLETIN
> > > 
> > >                  Vulnerability in NCSA and Apache httpd Servers
> > > 
> > > April 16, 1996 18:00 GMT                                           Number G-20
> > > ______________________________________________________________________________
> > > PROBLEM:       A vulnerability exists in the httpd servers provided by NCSA
> > >                and the Apache organization
> > > PLATFORM:      All systems capable of running either httpd
> > > DAMAGE:        A user can potentially gain the same access privileges as the
> > >                httpd server
> > > SOLUTION:      For NCSA httpd, upgrade to the latest version; For Apache httpd,
> > >                install the patch described below
> > > ______________________________________________________________________________
> > > VULNERABILITY  This vulnerability can lead to compromise of a web server
> > > ASSESSMENT:
> > > ______________________________________________________________________________
> > > 
> > > [ Start IBM Bulletin ]
> > > 
> > >                   =======  ============    ======       ======
> > >                   =======  ==============  =======     =======
> > >                     ===      ===     ====    ======   ======
> > >                     ===      ===========     ======= =======
> > >                     ===      ===========     === ======= ===
> > >                     ===      ===     ====    ===  =====  ===
> > >                   =======  ==============  =====   ===   =====
> > >                   =======  ============    =====    =    =====
> > > 
> > >                            EMERGENCY RESPONSE SERVICE
> > >                          SECURITY VULNERABILITY ALERT
> > > 
> > > 16 April 1996 16:00 GMT                          Number: ERS-SVA-E01-1996:002.2
> > > ===============================================================================
> > >                         UPDATE TO ERS-SVA-E01-1996:002.1
> > > 
> > > I. Description
> > > 
> > > This Security Vulnerability Alert provides updated information about
> > > the NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability
> > > described in ERS-SVA-E01-1996:002.1, which was released on 26 February
> > > 1996.
> > > 
> > > ERS-SVA-E01-1996:002.1 described a vulnerability in the
> > > escape_shell_cmd() function contained in the Common Gateway Interface
> > > sample code file "cgi-src/util.c", provided with NCSA HTTPD Version
> > > 1.5 and earlier, or Apache HTTPD Version 1.0.3 and earlier.  This
> > > vulnerability allowed a malicious user to embed the newline character
> > > (Hexadecimal 0A) in a query, allowing an arbitrary shell command to be
> > > executed by the HTTPD server.
> > > 
> > > IBM-ERS has learned that the escape_shell_command() function is also
> > > contained in the server source code file, "src/util.c".  Note that the files
> > > "src/util.c" and "cgi-src/util.c" are not identical, however they contain
> > > identical copies of the escape_shell_command() function.  The file
> > > "src/util.c" is used to build the HTTPD server; therefore the "newline"
> > > vulnerability exists in the server itself.
> > > 
> > > II. Impact
> > > 
> > > A malicious user who knows how to exercise this vulnerability may have
> > > the ability to:
> > > 
> > >   1. Execute arbitrary commands on the server host using the same
> > >      user-id as the user running the "httpd" server.  If "httpd" is
> > >      being run as "root," the unauthorized commands are also run as
> > >      "root."
> > > 
> > >   2. Access any file on the system that is accessible to the user-id
> > >      that is running the "httpd" server.  If the "httpd" server
> > >      user-id has read access to the file, the attacker can also read
> > >      the file.  If the "httpd" server user-id has write access to the
> > >      file, the attacker can change or destroy the contents of the
> > >      file.  If the "httpd" server is being run as "root," the attacker
> > >      can read, modify, or destroy any file on the server host.
> > > 
> > >   3. Given an X11-based terminal emulator ("xterm" or equivalent)
> > >      installed on the "httpd" server host, gain full interactive
> > >      access to the server host just as if he were logging in locally.
> > > 
> > > 
> > > III. Solutions
> > > 
> > > IBM-ERS recommends that you consider taking the following actions
> > > (subject to any licensing restrictions that may apply to your copies
> > > of the programs):
> > > 
> > > 1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
> > >    contain this vulnerability.
> > > 
> > >    NCSA HTTPD Version 1.5 is available from:
> > > 
> > >      ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z
> > > 
> > > 2. If you are using Apache HTTPD, locate the escape_shell_command()
> > >    function in the file "src/util.c" (approximately line 430).  In
> > >    that function, the line that reads
> > > 
> > >      if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
> > > 
> > >    should be changed to read
> > > 
> > >      if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
> > > 
> > >    The server should then be recompiled, reinstalled, and restarted.
> > > 
> > > IV. Acknowledgements
> > > 
> > > IBM-ERS would like to thank the NASA Automated Systems Incident
> > > Response Capability (NASIRC) for providing the information contained
> > > in this update.  NASIRC in turn acknowledges Ken Bell of NASA Goddard
> > > Institute for Space Studies for bringing this vulnerability to their
> > > attention, and the NCSA HTTPD Development Team for confirming the
> > > problem and the fix.
> > > 
> > > IBM-ERS would also like to thank Jennifer Myers, a post-doctoral
> > > fellow at Northwestern University, who originally discovered the
> > > vulnerability described in ERS-SVA-E01-1996:002.1, and made public the
> > > description of the problem and its solution.  This acknowledgement was
> > > omitted from the original alert.
> > > 
> > > ===============================================================================
> > > 
> > > Copyright 1996 International Business Machines Corporation.
> > > 
> > > [ End IBM Bulletin ]
> > > 
> > > _______________________________________________________________________________
> > > 
> > > CIAC wishes to acknowledge the contributions of IBM Emergency Response
> > > Service (IBM-ERS), and those they attribute, for the information
> > > contained in this bulletin.
> > > _______________________________________________________________________________
> > > 
> > > 
> > > 
> > > CIAC, the Computer Incident Advisory Capability, is the computer
> > > security incident response team for the U.S. Department of Energy
> > > (DOE) and the National Institutes of Health (NIH). CIAC is located at
> > > the Lawrence Livermore National Laboratory in Livermore,
> > > California. CIAC is also a founding member of FIRST, the Forum of
> > > Incident Response and Security Teams, a global organization
> > > established to foster cooperation and coordination among computer
> > > security teams worldwide.
> > > 
> > > CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> > > can be contacted at:
> > >     Voice:    +1 510-422-8193
> > >     FAX:      +1 510-423-8002
> > >     STU-III:  +1 510-423-2604
> > >     E-mail:   ciac@llnl.gov
> > > 
> > > For emergencies and off-hour assistance, DOE, DOE contractor sites,
> > > and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> > > 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> > > or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> > > Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> > > duty person, and the secondary PIN number, 8550074 is for the CIAC
> > > Project Leader.
> > > 
> > > Previous CIAC notices, anti-virus software, and other information are
> > > available from the CIAC Computer Security Archive.
> > > 
> > >    World Wide Web:      http://ciac.llnl.gov/
> > >    Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
> > >    Modem access:        +1 (510) 423-4753 (28.8K baud)
> > >                         +1 (510) 423-3331 (28.8K baud)
> > > 
> > > CIAC has several self-subscribing mailing lists for electronic
> > > publications:
> > > 1. CIAC-BULLETIN for Advisories, highest priority - time critical
> > >    information and Bulletins, important computer security information;
> > > 2. CIAC-NOTES for Notes, a collection of computer security articles;
> > > 3. SPI-ANNOUNCE for official news about Security Profile Inspector
> > >    (SPI) software updates, new features, distribution and
> > >    availability;
> > > 4. SPI-NOTES, for discussion of problems and solutions regarding the
> > >    use of SPI products.
> > > 
> > > Our mailing lists are managed by a public domain software package
> > > called ListProcessor, which ignores E-mail header subject lines. To
> > > subscribe (add yourself) to one of our mailing lists, send the
> > > following request as the E-mail message body, substituting
> > > CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
> > > valid information for LastName FirstName and PhoneNumber when sending
> > > 
> > > E-mail to       ciac-listproc@llnl.gov:
> > >         subscribe list-name LastName, FirstName PhoneNumber
> > >   e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
> > > 
> > > You will receive an acknowledgment containing address, initial PIN,
> > > and information on how to change either of them, cancel your
> > > subscription, or get help.
> > > 
> > > PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> > > communities receive CIAC bulletins.  If you are not part of these
> > > communities, please contact your agency's response team to report
> > > incidents. Your agency's team will coordinate with CIAC. The Forum of
> > > Incident Response and Security Teams (FIRST) is a world-wide
> > > organization. A list of FIRST member organizations and their
> > > constituencies can be obtained by sending email to
> > > docserver@first.org with an empty subject line and a message body
> > > containing the line: send first-contacts.
> > > 
> > > This document was prepared as an account of work sponsored by an
> > > agency of the United States Government. Neither the United States
> > > Government nor the University of California nor any of their
> > > employees, makes any warranty, express or implied, or assumes any
> > > legal liability or responsibility for the accuracy, completeness, or
> > > usefulness of any information, apparatus, product, or process
> > > disclosed, or represents that its use would not infringe privately
> > > owned rights. Reference herein to any specific commercial products,
> > > process, or service by trade name, trademark, manufacturer, or
> > > otherwise, does not necessarily constitute or imply its endorsement,
> > > recommendation or favoring by the United States Government or the
> > > University of California. The views and opinions of authors expressed
> > > herein do not necessarily state or reflect those of the United States
> > > Government or the University of California, and shall not be used for
> > > advertising or product endorsement purposes.
> > > 
> > > LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
> > > 
> > > (G-10a) Winword Macro Viruses
> > > (G-11)  HP Syslog Vulnerability
> > > (G-12)  SGI ATT Packaging Utility Security Vulnerability
> > > (G-13)  Kerberos Version 4 Key Server Vulnerability
> > > (G-14)  Domain Name Service Vulnerabilities
> > > (G-15)  Sunsoft Demo CD Vulnerability
> > > (G-16)  SGI rpc.statd Program Security Vulnerabilities
> > > (G-17)  Vulnerabilities in Sample HTTPD CGIs
> > > (G-18)  Digital OSF/1 dxconsole Security Vulnerability
> > > (G-19)  IBM AIX rmail Vulnerability
> > > 
> > > RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
> > > 
> > > Notes 07 - 3/29/95     A comprehensive review of SATAN
> > > 
> > > Notes 08 - 4/4/95      A Courtney update
> > > 
> > > Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
> > > 
> > > Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
> > >                        in S/Key, EBOLA Virus Hoax, and Caibua Virus
> > > 
> > > Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
> > >                        America On-Line Virus Scare, SPI 3.2.2 Released,
> > >                        The Die_Hard Virus
> > > 
> > > Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
> > >                        Windows, beta release of Merlin, Microsoft Word
> > >                        Macro Viruses, Allegations of Inappropriate Data
> > >                        Collection in Win95
> > > 
> > > Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
> > >                        Conference Announcement, Security and Web Search
> > >                        Engines, Microsoft Word Macro Virus Update
> > 
> > -- 
> > Ben Laurie                  Phone: +44 (181) 994 6435
> > Freelance Consultant and    Fax:   +44 (181) 994 6472
> > Technical Director          Email: ben@algroup.co.uk
> > A.L. Digital Ltd,           URL: http://www.algroup.co.uk
> > London, England.
> > 
> 

chuck
Chuck Murcko	N2K Inc.	Wayne PA	chuck@telebase.com
And now, on a lighter note:
"Gee, Toto, I don't think we are in Kansas anymore."
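The bulletin quoted above shows only the one changed line of the escaping routine (the bulletin calls it both escape_shell_cmd() and escape_shell_command()). The following is an added example, not code from the Apache or NCSA source tree: it reconstructs the routine's behaviour from the quoted check line, with the metacharacter list before and after the patch side by side, so the effect of the missing newline can be tested directly. Assumptions: ind() is taken to return the index of a character in a string or -1 (the contract the quoted line relies on), the escaping itself is assumed to be a backslash prefix, and the result is written to a freshly allocated buffer rather than shifted in place as the 1996 code did. The sample input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metacharacter lists exactly as shown in the bulletin: the original
   (no newline) and the patched one (newline, 0x0A, appended). */
static const char *META_OLD   = "&;`'\"|*?~<>^()[]{}$\\";
static const char *META_FIXED = "&;`'\"|*?~<>^()[]{}$\\\n";

/* ind(): index of c in s, or -1 if absent. Assumed contract of the helper
   the quoted check line calls; not the project's own implementation. */
static int ind(const char *s, char c) {
    for (int i = 0; s[i]; i++)
        if (s[i] == c) return i;
    return -1;
}

/* Returns a newly allocated copy of cmd in which every character found in
   meta is prefixed by a backslash. A fresh buffer of 2*len+1 bytes is used
   instead of the original in-place shift, so no caller headroom is assumed.
   The caller frees the result. */
char *escape_shell_cmd_with(const char *cmd, const char *meta) {
    size_t len = strlen(cmd);
    char *out = malloc(2 * len + 1);
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < len; i++) {
        if (ind(meta, cmd[i]) != -1)   /* the bulletin's check line */
            out[j++] = '\\';
        out[j++] = cmd[i];
    }
    out[j] = '\0';
    return out;
}

/* Behaviour before the patch (Apache 1.0.3 list) and after it. */
char *escape_shell_cmd_old(const char *cmd)   { return escape_shell_cmd_with(cmd, META_OLD); }
char *escape_shell_cmd_fixed(const char *cmd) { return escape_shell_cmd_with(cmd, META_FIXED); }

/* Audit helper: returns 1 if s still contains a newline that is not
   protected by a preceding backslash. Handy as a regression test for any
   escaping routine a server hands data through. */
int has_unescaped_newline(const char *s) {
    for (size_t i = 0; s[i]; i++) {
        if (s[i] == '\\') {          /* escaped character: skip it */
            if (s[i + 1]) i++;
            continue;
        }
        if (s[i] == '\n') return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a query value carrying an embedded 0x0A. */
    const char *sample = "smith\nsecond line";
    char *old = escape_shell_cmd_old(sample);
    char *fixed = escape_shell_cmd_fixed(sample);
    printf("old list  : unescaped newline survives = %d\n", has_unescaped_newline(old));
    printf("fixed list: unescaped newline survives = %d\n", has_unescaped_newline(fixed));
    free(old);
    free(fixed);
    return 0;
}
```

The audit helper is the part worth keeping: a denylist of metacharacters is only as good as its last entry, which is exactly how the newline was missed, so a test that feeds the escaping routine every control character and asserts none survives unescaped catches this class of omission. Passing arguments to a program without going through a shell at all removes the need for the list entirely.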
