Flutterby™! : Upgrade your Apache

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics

Upgrade your Apache

2002-06-19 14:07:27+00 by Dan Lyke 12 comments

Equal time for non Microsoft exploits too: Upgrade your Apache, there's a hole which allows DOS attacks on 32 bit architectures and stack exploits on 64 bit machines.

[ related topics: Free Software Microsoft security ]

comments in ascending chronological order (reverse):

#Comment made: 2002-06-20 01:39:10+00 by: ghasty

Looks like ISS is catching hell on the way they handled this one. Was at the Townhall Meeting last night with the CEO of ISS as a panelist...he got a little nervous when when of the questions basically paraphrased "why not go after a certain operating system maker since they're on 95% of the home machines that get hit and make them stop putting out crappy software"... hehe...ISS is VERY in with M$ (and unfortunatly certain telco's)...

#Comment made: 2002-06-20 04:34:08+00 by: Dan Lyke

Especially since as we examine the details, it's on Windows that this problem becomes most exploitable as a DOS attack.

#Comment made: 2002-06-20 14:42:37+00 by: pharm

Turns out the 32bit version is exploitable as well. Time to upgrade folks!

#Comment made: 2002-06-20 15:05:17+00 by: TheSHAD0W

Apache issued a fix within 24 hours of being informed of the problem. Would MS do that? COULD they?

#Comment made: 2002-06-20 15:21:48+00 by: Dan Lyke

Pharm, I haven't seen news of a 32 bit exploit yet. Got a source? I'm wondering if I should go through the hell of compiling from source, or if the day or two waiting for the Debian package will be fine.

#Comment made: 2002-06-20 15:49:39+00 by: pharm

Erm, hold on...

OK, see: http://www.cert.org/advisories/CA-2002-17.html

which is pretty clear on the "all systems" bit. Note especially the changelog at the bottom which shows that they've added the "all systems" part subsequent to the original CERT advisory.

break out that compiler!

#Comment made: 2002-06-20 16:06:39+00 by: pharm [edit history]

whoops

#Comment made: 2002-06-20 16:14:07+00 by: Dan Lyke

The Apache security bulletin says:

In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in a similar way as well.

So I'm a little less freaked, we're still in DOS stage on 32 bit Unices. Maybe I'll see if I can find the ...24 to ...26 diffs and build from package source.

#Comment made: 2002-06-20 16:22:35+00 by: pharm

Nope, the exploit affects 32-bit systems as well. Exploit code is out there...

http://online.securityfocus.co...1/277830/2002-06-17/2002-06-23/0

Everbody needs to upgrade to 1.3.26 or 2.0.30 ASAP. Debian already has debs available for stable. Debs for unstable are in incoming...

Debian stable: apt-get update; apt-get install apache Debian unstable: http://incoming.debian.org/ or apt-get install apache/stable

cheers,

Phil

#Comment made: 2002-06-20 16:48:22+00 by: Dan Lyke

Thanks. Someday I'll learn how to really use the package manager.

#Comment made: 2002-06-20 16:53:12+00 by: Dan Lyke

Okay, we're updated. Package-manager wise, I just run testing (unstable's broken my machine, testing has recent enough versions that I'm not tempted to just go compile everything from source and end up in package-or-original-source hell. At some point I thought I'd tried having both stable and testing in my sources.list, and I got doubles of everything in dselect.

Anyway, got and installed the upgrade. Thanks.

#Comment made: 2002-06-20 17:10:11+00 by: pharm

I have to admit that I avoid using dselect at all costs :) dpkg --set-selections / dpkg --get-selections and apt-cache / apt-get fill all my deb installation needs...