Apache HTTP Server chunked encoding heap buffer overflow

apache-chunked-encoding-bo (9249) The risk level is classified as High Risk

Description:

Apache HTTP Server is vulnerable to a heap buffer overflow in the mechanism that calculates the size of "chunked" encoding. Chunked encoding is a process by which a client generates a variable-sized "chunk" of data and notifies the Web server of the chunk's size before transferring it, so that the Web server can allocate a buffer of the correct size. The Apache HTTP Server has a software flaw that misinterprets the size of incoming data chunks. A remote attacker can use this vulnerability to overflow a buffer and execute arbitrary code or cause a denial of service against the affected Web server.
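The size-handling mistake described above is a parsing problem: the hexadecimal chunk-size line must be turned into a length that can never wrap, go negative, or exceed what the server is prepared to buffer before it reaches any copy. The following parser is an added example written for this entry, not Apache's own code; MAX_CHUNK_BYTES, the status enum and the function names are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Outcome of parsing one chunk-size line: "<hex-size>[;extension]\r\n". */
typedef enum { CHUNK_OK = 0, CHUNK_BAD_SYNTAX, CHUNK_TOO_LARGE } chunk_status;

/* Largest single chunk this hypothetical server will buffer (assumed cap). */
#define MAX_CHUNK_BYTES (1024u * 1024u)

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse the hexadecimal chunk size at the start of `line`.
 * The value is accumulated in an unsigned 64-bit integer and checked
 * before every shift, so a size that would wrap around, or that would
 * read as negative if it were stored in a signed long, is rejected
 * instead of being handed to a buffer copy. `*out` is set only on CHUNK_OK. */
chunk_status parse_chunk_size(const char *line, size_t *out) {
    uint64_t v = 0;
    size_t ndigits = 0;
    for (; *line; line++, ndigits++) {
        int d = hexval((unsigned char)*line);
        if (d < 0) break;
        if (v > (UINT64_MAX >> 4)) return CHUNK_TOO_LARGE; /* next shift would wrap */
        v = (v << 4) | (uint64_t)d;
    }
    if (ndigits == 0) return CHUNK_BAD_SYNTAX;
    /* Only a chunk extension, CRLF, or end of line may follow the digits. */
    if (*line != ';' && *line != '\r' && *line != '\0') return CHUNK_BAD_SYNTAX;
    if (v > MAX_CHUNK_BYTES) return CHUNK_TOO_LARGE; /* reject before any allocation */
    *out = (size_t)v;
    return CHUNK_OK;
}

int main(void) {
    /* Constructed sample chunk-size lines, including two oversized ones. */
    const char *samples[] = { "1a\r\n", "10;name=val\r\n", "80000000\r\n",
                              "ffffffffffffffff\r\n", "zz\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        chunk_status st = parse_chunk_size(samples[i], &n);
        printf("%-22s -> status %d size %zu\n", samples[i], (int)st, n);
    }
    return 0;
}
```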

Platforms Affected:

  • Apache, HTTP Server 1.0
  • Apache, HTTP Server 1.0.2
  • Apache, HTTP Server 1.0.3
  • Apache, HTTP Server 1.0.5
  • Apache, HTTP Server 1.1
  • Apache, HTTP Server 1.1.1
  • Apache, HTTP Server 1.2
  • Apache, HTTP Server 1.2.5
  • Apache, HTTP Server 1.3
  • Apache, HTTP Server 1.3.1
  • Apache, HTTP Server 1.3.11
  • Apache, HTTP Server 1.3.12
  • Apache, HTTP Server 1.3.13
  • Apache, HTTP Server 1.3.14
  • Apache, HTTP Server 1.3.15
  • Apache, HTTP Server 1.3.16
  • Apache, HTTP Server 1.3.17
  • Apache, HTTP Server 1.3.18
  • Apache, HTTP Server 1.3.19
  • Apache, HTTP Server 1.3.20
  • Apache, HTTP Server 1.3.22
  • Apache, HTTP Server 1.3.23
  • Apache, HTTP Server 1.3.24
  • Apache, HTTP Server 1.3.3
  • Apache, HTTP Server 1.3.4
  • Apache, HTTP Server 1.3.9
  • Apache, HTTP Server 2.0
  • Apache, HTTP Server 2.0.28
  • Apache, HTTP Server 2.0.32
  • Apache, HTTP Server 2.0.35
  • Apache, HTTP Server 2.0.36
  • Conectiva, Linux 6.0
  • Conectiva, Linux 7.0
  • Conectiva, Linux 8.0
  • Debian, Debian Linux 2.2
  • EngardeLinux, Secure Linux
  • HP, HP-UX B.11.00
  • HP, HP-UX B.11.11
  • HP, OpenView Operations 7.1
  • HP, OpenView Operations 8.0
  • HP, OpenView Operations 8.1
  • HP, OpenView Operations A.07.00
  • HP, OpenView Operations A.07.10
  • HP, OpenView Operations A.07.20
  • HP, OpenView Operations A.07.21
  • MandrakeSoft, Mandrake Linux 7.1
  • MandrakeSoft, Mandrake Linux 7.2
  • MandrakeSoft, Mandrake Linux 8.0
  • MandrakeSoft, Mandrake Linux 8.0 PPC
  • MandrakeSoft, Mandrake Linux 8.1 IA64
  • MandrakeSoft, Mandrake Linux 8.1
  • MandrakeSoft, Mandrake Linux 8.2 PPC
  • MandrakeSoft, Mandrake Linux 8.2
  • MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
  • MandrakeSoft, Mandrake Single Network Firewall 7.2
  • OpenBSD, OpenBSD
  • Oracle, Application Server
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Linux 6.2
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.1 for iSeries
  • RedHat, Linux 7.1 for pSeries
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • RedHat, Secure Web Server 3.2
  • RedHat, Stronghold
  • SCO, Caldera OpenLinux Server 3.1
  • SCO, Caldera OpenLinux Server 3.1.1
  • SCO, Caldera OpenLinux Workstation 3.1
  • SCO, Caldera OpenLinux Workstation 3.1.1
  • SCO, Caldera OpenServer 5.0.5
  • SCO, Caldera OpenServer 5.0.6
  • SCO, Caldera OpenUnix 8.0.0
  • SCO, Caldera UnixWare 7.1.1
  • Slackware, Slackware Linux 7.1
  • Slackware, Slackware Linux 8.0
  • Slackware, Slackware Linux 8.1
  • SuSE, SuSE Linux 6.4
  • SuSE, SuSE Linux 7.0
  • SuSE, SuSE Linux 7.1
  • SuSE, SuSE Linux 7.2
  • SuSE, SuSE Linux 7.3
  • SuSE, SuSE Linux 8.0
  • Trustix, Secure Linux 1.01
  • Trustix, Secure Linux 1.1
  • Trustix, Secure Linux 1.2
  • Trustix, Secure Linux 1.5

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
ApacheChunkedEncodingBo
apache-chunked-encoding-bo

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
HTTP_Apache_Chunked_BO
HTTP_Apache_Chunked_DoS

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80

For Manual Protection:

For Apache HTTP Server 1.x:
Upgrade to the latest version of Apache HTTP Server (1.3.25 or later), available from the Apache Software Foundation download site. See References.

For Apache HTTP Server 2.x:
Upgrade to the latest version of Apache HTTP Server (2.0.39 or later), available from the Apache Software Foundation download site. See References.

For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest version of the apache package (1.3.9-14.1 or later), as listed in DSA-131-1. See References.

For Engarde Secure Linux: Community Edition:
Upgrade to the latest apache package (1.3.26-1.0.30 or later), as listed in Engarde Secure Linux Security Advisory ESA-20020619-014. See References.

For Conectiva Linux 6.0, 7.0 and 8.0:
Upgrade to the latest apache package (1.3.26-1U60_1cl or later), as listed in Conectiva Linux Security Announcement CLSA-2002:498. See References.

For Caldera OpenLinux Server and Workstation 3.1 and 3.1.1:
Upgrade to the latest apache package (1.3.22-6 or later), as listed in Caldera Systems, Inc. Security Advisory CSSA-2002-029.0. See References.

For Mandrake Linux 7.1, 7.2, 8.0, 8.1, and Corporate Server 1.0.1:
Upgrade to the latest apache package (1.3.22-10.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:039-2 : apache. See References.

For Mandrake Linux 8.2:
Upgrade to the latest apache package (1.3.23-4.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:039-2 : apache. See References.

For Mandrake Single Network Firewall 7.2:
Upgrade to the latest apache package (1.3.20-5.1mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2002:039-2 : apache. See References.

For Red Hat Linux 6.2:
Upgrade to the latest apache package (1.3.22-5.6 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Linux 7.0 and 7.1:
Upgrade to the latest apache package (1.3.22-5.7.1 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Linux 7.2:
Upgrade to the latest apache package (1.3.22-6 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Linux 7.3:
Upgrade to the latest apache package (1.3.23-14 or later), as listed in RHSA-2002:103-13. See References.

For Red Hat Stronghold Errata:
Apply the appropriate patch for your system, as listed in RHSA-2002:118-06. See References.

For Red Hat Secure Web Server 3.2:
Apply the appropriate update for your system, as listed in RHSA-2002:117-11. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Intel):
Upgrade to the latest apache package (1.3.19-115 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 7.2 (Intel):
Upgrade to the latest apache package (1.3.19-116 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 7.3 (Intel):
Upgrade to the latest apache package (1.3.20-66 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 8.0 (Intel):
Upgrade to the latest apache package (1.3.23-120 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 6.4, 7.0, and 7.1 (Power PC):
Upgrade to the latest apache package (1.3.19-56 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For SuSE Linux 7.3 (Power PC):
Upgrade to the latest apache package (1.3.20-52 or later), as listed in SuSE Security Announcement SuSE-SA:2002:022. See References.

For Trustix Secure Linux 1.01, 1.1, 1.2 and 1.5:
Upgrade to the latest apache package (1.3.26-1tr or later), as listed in Trustix Secure Linux Security Advisory #2002-0056. See References.

For Caldera OpenServer 5.0.5 and 5.0.6:
Upgrade to the latest Apache packages, as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.32. See References.

For Caldera UnixWare 7.1.1 and OpenUnix 8.0.0:
Upgrade to the latest Apache packages, as listed in Caldera International, Inc. Security Advisory CSSA-2002-SCO.31. See References.

For Slackware Linux:
Upgrade to the latest Apache, mod_ssl or openssh packages, as listed below. Refer to the slackware-security mailing list posting of Wed, Jun 26 12:03:06 PDT 2002. See References.

Slackware Linux 8.0 and 8.1: apache-1.3.26 or later, mod_ssl-2.8.9_1.3 or later, or openssh-3.4p1 or later

Slackware Linux 7.1: openssh-3.4p1 or later

For HP OpenView Operations:
Refer to HP Security Bulletin HPSBMA02149 SSRT050968 rev.1 for patch, upgrade, or suggested workaround information.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

Reported:

Jun 17, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
