Apache 1.1.1 overflow (fwd)
Off topic, but it may be interesting to webmasters out there.
I never chrooted it, but it runs with the actual UID of nobody. Did anyone set
Apache as root.root on his machine?
---------- Forwarded message ----------
Date: Sun, 12 Jan 1997 19:48:15 -0700
From: David Sacerdote <davids@secnet.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: Apache 1.1.1 overflow
Secure Networks Inc.
Security Advisory
January 12, 1997
Vulnerabilities in the Apache httpd
There is a serious vulnerability in the cookies module of the Apache httpd,
version 1.1.1 and earlier, which makes it possible for remote individuals
to obtain access to systems running the Apache httpd. Only sites which
enabled mod_cookies, a nondefault option, are vulnerable.
Technical Details
~~~~~~~~~~~~~~~~~
The function make_cookie, in mod_cookies.c, uses a 100-byte buffer,
new_cookie, to store information used to track web site users. The
hostname, which even with the most cautious of resolver libraries can be
up to 255 characters long, is stuffed into this buffer along with the
string "apache=" and a number. The offending code reads:
void make_cookie(request_rec *r)
{
    struct timeval tv;
    char new_cookie[100]; /* blurgh */
    char *dot;
    const char *rname = pstrdup(r->pool,
                                get_remote_host(r->connection, r->per_dir_config,
                                                REMOTE_NAME));
    struct timezone tz = { 0 , 0 };

    if ((dot = strchr(rname,'.'))) *dot='\0'; /* First bit of hostname */
    gettimeofday(&tv, &tz);
    sprintf(new_cookie,"%s%s%d%ld%d; path=/",
            COOKIE_NAME, rname,
            (int)getpid(),
            (long)tv.tv_sec, (int)tv.tv_usec/1000 );
    table_set(r->headers_out,"Set-Cookie",new_cookie);
    return;
}
Note that although the get_remote_host() function converts all uppercase
letters to lowercase letters, there is at least one way in which a
determined attacker can still exploit the overflow.
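For contrast, here is an added hardened version of the same string building, written for this note rather than taken from Apache: the first hostname label is cut to a fixed length and the cookie is assembled with snprintf, which reports an overlong result instead of writing past the buffer. The 63-byte label limit, the function names and the self-check values are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LABEL 63  /* longest DNS label (RFC 1035): bound assumed for this example */
/* Bounded rewrite of the string building in make_cookie (not Apache's code).
 * Builds "Apache=<first label><pid><sec><msec>; path=/" in out.
 * Returns true only if the whole cookie fit in out_len bytes. */
bool make_cookie_safe(char *out, size_t out_len, const char *rname,
                      int pid, long sec, int msec)
{
    char label[MAX_HOST_LABEL + 1];
    const char *dot = strchr(rname, '.');
    size_t n = dot ? (size_t)(dot - rname) : strlen(rname);
    if (n > MAX_HOST_LABEL)             /* truncate; never trust resolver length */
        n = MAX_HOST_LABEL;
    memcpy(label, rname, n);
    label[n] = '\0';
    /* snprintf writes at most out_len - 1 bytes; its return value reveals truncation */
    int written = snprintf(out, out_len, "Apache=%s%d%ld%d; path=/",
                           label, pid, sec, msec);
    return written >= 0 && (size_t)written < out_len;
}

/* Returns 0 when every case behaves as intended; used by main() below. */
int self_check(void)
{
    char cookie[100];                   /* same size as the original new_cookie */
    char longhost[300];                 /* constructed 299-character hostname */
    memset(longhost, 'a', sizeof longhost - 1);
    longhost[sizeof longhost - 1] = '\0';
    /* Reproduces the advisory's sample header (pid 91, tv_sec 852663571, 64 ms) */
    if (!make_cookie_safe(cookie, sizeof cookie, "localhost", 91, 852663571L, 64) ||
        strcmp(cookie, "Apache=localhost9185266357164; path=/") != 0)
        return 1;
    /* The 299-character name is cut to one 63-byte label: 91 bytes, fits */
    if (!make_cookie_safe(cookie, sizeof cookie, longhost, 91, 852663571L, 64) ||
        strlen(cookie) != 91)
        return 2;
    /* A destination one byte too small is reported, not overrun */
    if (make_cookie_safe(cookie, 37, "localhost", 91, 852663571L, 64))
        return 3;
    return 0;
}

int main(void)
{
    return self_check();                /* exit status 0 means all checks passed */
}
```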
Impact
~~~~~~
Remote individuals can obtain access to the web server. If the httpd
services requests as user root, attackers can obtain root access. If the
httpd is run in a chroot() environment, the attacker will be restricted to
the chrooted environment. We strongly advise administrators to run their
web servers as an unprivileged user in a chrooted environment whenever
possible.
Vulnerable Systems
~~~~~~~~~~~~~~~~~~
Any system running the Apache httpd 1.1.1 or earlier, with the compile-time
option mod_cookies enabled is vulnerable. To tell which web server
software you are using, telnet to port 80 of the web server, and issue the
command:
GET / HTTP/1.0
to the web server, followed by two carriage returns. You should see
something which looks like:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 200 OK
Date: Tue, 07 Jan 1997 18:59:31 GMT
Server: Apache/1.1.1
Content-type: text/html
Set-Cookie: Apache=localhost9185266357164; path=/