httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <har...@deppeler.org>
Subject Re: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Date Fri, 21 Jun 2002 09:51:42 GMT

Concerning this vulnerability: is safe to assume that a patched
reverse proxy will protect a vulnerable back end server from such
malicious requests?

cu - Harry
 
>>>>> "jwoolley" == jwoolley  <jwoolley@apache.org> writes:

    jwoolley>  [[ Note: this issue affects both 32-bit and 64-bit
    jwoolley> platforms; the subject of this message emphasizes 32-bit
    jwoolley> platforms since that is the most important information
    jwoolley> not announced in our previous advisory. ]]


    jwoolley> SUPERSEDES:
    jwoolley> http://httpd.apache.org/info/security_bulletin_20020617.txt

    jwoolley> Date: June 20, 2002 Product: Apache Web Server Versions:
    jwoolley> Apache 1.3 all versions including 1.3.24; Apache 2.0 all
    jwoolley> versions up to 2.0.36; Apache 1.2 all versions.

    jwoolley> CAN-2002-0392 (mitre.org) [CERT VU#944335]

    jwoolley> ----------------------------------------------------------
    jwoolley> ------------UPDATED ADVISORY------------
    jwoolley> ----------------------------------------------------------
    jwoolley> Introduction:

    jwoolley> While testing for Oracle vulnerabilities, Mark
    jwoolley> Litchfield discovered a denial of service attack for
    jwoolley> Apache on Windows.  Investigation by the Apache Software
    jwoolley> Foundation showed that this issue has a wider scope,
    jwoolley> which on some platforms results in a denial of service
    jwoolley> vulnerability, while on some other platforms presents a
    jwoolley> potential remote exploit vulnerability.

    jwoolley> This follow-up to our earlier advisory is to warn of
    jwoolley> known-exploitable conditions related to this
    jwoolley> vulnerability on both 64-bit platforms and 32-bit
    jwoolley> platforms alike.  Though we previously reported that
    jwoolley> 32-bit platforms were not remotely exploitable, it has
    jwoolley> since been proven by Gobbles that certain conditions
    jwoolley> allowing exploitation do exist.

    jwoolley> Successful exploitation of this vulnerability can lead
    jwoolley> to the execution of arbitrary code on the server with
    jwoolley> the permissions of the web server child process.  This
    jwoolley> can facilitate the further exploitation of
    jwoolley> vulnerabilities unrelated to Apache on the local system,
    jwoolley> potentially allowing the intruder root access.

    jwoolley> Note that early patches for this issue released by ISS
    jwoolley> and others do not address its full scope.

    jwoolley> Due to the existence of exploits circulating in the wild
    jwoolley> for some platforms, the risk is considered high.

    jwoolley> The Apache Software Foundation has released versions
    jwoolley> 1.3.26 and 2.0.39 that address and fix this issue, and
    jwoolley> all users are urged to upgrade immediately; updates can
    jwoolley> be downloaded from http://httpd.apache.org/ .

    jwoolley> As a reminder, we respectfully request that anyone who
    jwoolley> finds a potential vulnerability in our software reports
    jwoolley> it to security@apache.org.

    jwoolley> ----------------------------------------------------------

    jwoolley> The full text of this advisory including additional
    jwoolley> details is available at
    jwoolley> http://httpd.apache.org/info/security_bulletin_20020620.txt
    jwoolley> .


Mime
View raw message