[SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Date: Fri, 21 Jun 2002 00:54:53 -0400 (EDT)
From: jwoolley@apache.org
To: announce@apache.org, announce@httpd.apache.org
Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Cc: bugtraq@securityfocus.com
[[ Note: this issue affects both 32-bit and 64-bit platforms; the
subject of this message emphasizes 32-bit platforms since that
is the most important information not announced in our previous
advisory. ]]
SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt
Date: June 20, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
up to 2.0.36; Apache 1.2 all versions.
CAN-2002-0392 (mitre.org) [CERT VU#944335]
----------------------------------------------------------
------------UPDATED ADVISORY------------
----------------------------------------------------------
Introduction:
While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows. Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability.
This follow-up to our earlier advisory is to warn of known-exploitable
conditions related to this vulnerability on both 64-bit platforms and
32-bit platforms alike. Though we previously reported that 32-bit
platforms were not remotely exploitable, it has since been proven by
Gobbles that certain conditions allowing exploitation do exist.
Successful exploitation of this vulnerability can lead to the execution of
arbitrary code on the server with the permissions of the web server child
process. This can facilitate the further exploitation of vulnerabilities
unrelated to Apache on the local system, potentially allowing the intruder
root access.
Note that early patches for this issue released by ISS and others do not
address its full scope.
Due to the existence of exploits circulating in the wild for some platforms,
the risk is considered high.
The Apache Software Foundation has released versions 1.3.26 and 2.0.39
that address and fix this issue, and all users are urged to upgrade
immediately; updates can be downloaded from http://httpd.apache.org/ .
As a reminder, we respectfully request that anyone who finds a potential
vulnerability in our software reports it to security@apache.org.
----------------------------------------------------------
The full text of this advisory including additional details is available
at http://httpd.apache.org/info/security_bulletin_20020620.txt .
