httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [Fwd: Apache httpd vulenrabilities]
Date Tue, 29 May 2007 21:28:07 GMT
Ian Holsman wrote:
> Hey Bill
> 
> just to clarify these are LOCAL DoS attacks? ie you need access to the
> machine (or the ability to execute php) in order for this to be an issue?

AIUI all of these are loading modules of untrusted code (or a scripting
language which gives you the same effect.)  Now mod_perl has minimal
presumption that it can be used to run untrusted code, while the PHP
community anticipates running untrusted code.  The httpd community is
(mostly) suspect on invoking untrusted code in-process.

That said, #2/3 looks like the only significant issue IMHO.  That the
parent could be cooerced to do something 'as root' is badness, and
we can agree with the reporter on that.  As the reporter apparently
believes 2 weeks is enough to solve any security issue, these are now
public.

#1 and #4 are minor, IMHO, as resource consumption is pretty trivial
if you are running anyone's code on your machine, through the facilities
of serving httpd or giving them a local user account.  I'd classify #1
as a bug, and #4 as silly but possibly worth patching.

Essentially, PID tables need to move from the score to a local process
list only in the parent, and unshared.  That would solve the 80/20 of
this entire class of issues.



> William A. Rowe, Jr. wrote:
>> Published - ergo moving discussion from security@ to dev@.
>>
>> Of course if in the course of this discussion, you uncover a new
>> edge case, feel free to move that thread back to security@httpd
>> to discuss your new discovery.
>>  
>> ------------------------------------------------------------------------
>>
>> Subject:
>> Apache httpd vulenrabilities
>> From:
>> Blazej Miga <bla@man.poznan.pl>
>> Date:
>> Tue, 29 May 2007 20:00:42 +0200 (CEST)
>> To:
>> bugtraq@securityfocus.com
>>
>> To:
>> bugtraq@securityfocus.com
>>
>>
>> PSNC Security Team has got the pleasure to announce that, as a result
>> of Apache httpd server (ver. 1.3.x, 2.0.x and 2.2.x) source code
>> analysis, several vulnerabilities have been found that make it
>> possible to perfom a DoS attack against the services and the system
>> that the application is running on. Below the basic information on
>> found vulnerabilities may be found:
>>
>> Vuln#1
>> Httpd Server DoS
>> Test environment: ver. 2.0.59, 2.2.4, prefork mpm module
>>
>> An appropriate code run in the worker process context makes it
>> possible to kill all worker processes with simultaneous blocking of
>> creating new worker processes by the master process. As a result, the
>> server stops to accept and handle new connections.
>>
>> Vuln #2
>> SIGUSR1 killer
>> Test environment: ver. 2.0.59, 2.2.4 prefork mpm module
>>
>> An appropriate code run in the worker process context makes it
>> possible to send SIGUSR1 signals by the master process (that runs with
>> root credentials) to an arbitrary process within the system.
>>
>> Vuln #3
>> SIGUSR1 killer
>> Test environment: ver 1.3.37
>>
>> An appropriate code run in the worker process context makes it
>> possible to send SIGUSR1 signals by the master process (that runs with
>> root credentials) to an arbitrary process within the system.
>>
>> Vuln #4
>> System DoS
>> Test environment: ver 2.0.59, 2.2.4 prefork mpm module
>>
>> An appropriate code run in the worker process context makes it
>> possible to force the master process to create an unlimited amount of
>> new worker processes. As a result, the activity of the whole system
>> may be blocked.
>>
>>
>> Countermeasures:
>>
>> Disabling the possibility of running the user.s code in the worker
>> process context. An especial emphasis should be put on programming
>> languages that may be configures as an Apache module (like mod_php,
>> mod_perl etc.) in order to block dangerous functions, e.g. dl(),
>> dlopen().
>>
>>
>>
>>
>> The information on the vulnerabilities above was sent to Apache
>> Software Foundation on 16 May, 2006. For over 1 year no official patch
>> has been issued. PSNC Security Team is currently working on its own,
>> unofficial patches. Our patches will be published on 18 June, 2007 on
>> the team webpage (http://security.psnc.pl). On 20 June, 2007 the
>> detailed information on the found vulnerabilities will be issued.
>>
>>
>> PSNC Security Team
>>
>>
>>
> 
> 
> 


Mime
View raw message