Home page logo

bugtraq logo Bugtraq mailing list archives

Re[2]: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
From: "bogachev igor" <drugoy_bog () mail ru>
Date: Mon, 17 Jun 2002 23:51:26 +0400

This question may be interesting for russian users of apache

        if(r && r->ra_codep && r->ra_codep->cp_itabl_p)
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                        "chunked Transfer-Encoding not supported by Russian
Apache: %s", r->uri);
            return (lenp) ? HTTP_BAD_REQUEST : HTTP_LENGTH_REQUIRED;

does it mean that russian apache isn't vulnerable?

copy of this message was sent to coordinator of russian_apache devolopers group
lexa () lexa ru

The patch that mentioned casting bufsiz from an int to an unsigned int
failed to do a few things:

1) There are 2 instances of the same code in http_protocol.c that need
to be fixed, as both suffer from the same problem
2) The cast to unsigned int was only done in comparison, and was not
done in assignment, which could possibly lead to problems down the road
with the int value?

I haven't checked any of this, just noticed it and was really just
wondering "why wasn't this done?".

The code that is apparently "buggy" is this:

len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;

The code was mentioned to be changed to this:

len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz :

However, this doesn't assign that casted value to len_to_read, it just
uses the cast for comparison and then passes on the possibly bogus data
on to len_to_read.

So, should the fix not be to change it to:

len_to_read = (r->remaining > (unsigned int)bufsiz) ? (unsigned
int)bufsiz : r->remaining;

Also, like I mentioned, there are two places where this happens in
http_protocol.c, one at line 2062, and the other (the one mentioned in
the patch) at 2174.

----- Original Message -----
From: X-Force <xforce () iss net>
To: <bugtraq () securityfocus com>
Sent: Monday, June 17, 2002 6:57 PM
Subject: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server


Internet Security Systems Security Advisory
June 17, 2002

Remote Compromise Vulnerability in Apache HTTP Server


ISS X-Force has discovered a serious vulnerability in the default
version of Apache HTTP Server. Apache is the most popular Web server and
is used on over half of all Web servers on the Internet. It may be
possible for remote attackers to exploit this vulnerability to
compromise Apache Web servers. Successful exploitation may lead to
modified Web content, denial of service, or further compromise.

Affected Versions:

Apache 1.x

Note: Many commercial Web Application Servers such as Oracle 9ias and
IBM Websphere use Apache HTTP Server to process HTTP requests.
Additional products that bundle Apache HTTP Server for Windows may be


The Apache HTTP Server is maintained by the Apache Software Foundation.
Apache is an extremely popular open-source Web server. Netcraft
(http://www.netcraft.com) reports that as of May 2002, Apache accounts
for over 63% of all active Web sites. Apache's installed base is larger
than all other Web servers combined.

The Apache Project is an open-source and volunteer collaboration aimed
to create and maintain a free, feature-rich, powerful, and secure Web
server implementation. Apache is well regarded as the best, freely
available Web server.

Apache contains a flawed mechanism meant to calculate the size of
"chunked" encoding. Chunked encoding is part of the HTTP Protocol
Specification used for accepting data from Web users. When data is sent
from the user, the Web server needs to allocate a memory buffer of a
certain size to hold the submitted data. When the size of the data being
submitted is unknown, the client or Web browser will communicate with
the server by creating "chunks" of data of a negotiated size.

The Apache HTTP Server has a software flaw that misinterprets the size
of incoming data chunks. This error may lead to a signal race, heap
overflow, and to exploitation of malicious code.

X-Force has verified that this issue is exploitable on Apache for
Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
source code, but X-Force believes that successful exploitation on most
Unix platforms is unlikely.


Internet Scanner X-Press Update 6.12 includes a check,
ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server
for Win32. XPU 6.12 is available from the ISS Download Center at:
http://www.iss.net/download. For questions about downloading and
installing this XPU, email support () iss net 

Detection support for this attack will be included in future X-Press
Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
available from the ISS Download Center, and this alert will be updated
when these updates become available.

ISS X-Force has developed a patch for this issue. Follow the
instructions below, or contact your vendor for assistance:

To apply a source code patch to your Apache package:

1. Locate your source directory and navigate into the "main" sub-
2. Verify that "http_protocol.c" is present in the current directory.
3. To update your http_protocol.c file, create a file named
"apache_patch.diff", containing the following text:

- --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
+++ http_protocol.c Fri Jun 14 16:13:47 2002
@@ -2171,7 +2171,7 @@

     /* Otherwise, we are in the midst of reading a chunk of data */

- -    len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining;
+    len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r->

     len_read = ap_bread(r->connection->client, buffer, len_to_read);
     if (len_read <= 0) {

4. Apply the source code update using the "patch" command, or a similar
5. Build new binaries and reinstall.

The Apache Server Project has been notified and will make a formal patch
available soon. Please refer to the Apache Server Project's homepage for
more information: http://httpd.apache.org/

Additional Information:



This vulnerability was discovered and researched by Neel Mehta of the
ISS X-Force.


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce () iss net for

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce () iss net of Internet Security Systems, Inc.

Version: 2.6.2


Молоток: от Фаберже до неглиже

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]