[iwar] [fc:An.interesting.analysis.on.ISS'.recent.vulnerability.advisory]

From: Fred Cohen (fc@all.net)
Date: 2002-06-18 19:52:31
Next message: Fred Cohen: "[iwar] [fc:Report:.LEA.Tools.for.Investigating.Cyber.Attacks:.A.National.Needs.Assessment]"
Previous message: Fred Cohen: "[iwar] [fc:Hamas.Militant.Group.Provides.'How-to'.Video.for.Constructing.Explosives]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <200206190252.g5J2qVg22747@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Precedence: bulk
Date: Tue, 18 Jun 2002 19:52:31 -0700 (PDT)
Subject: [iwar] [fc:An.interesting.analysis.on.ISS'.recent.vulnerability.advisory]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Forwarded from: Robert G. Ferrell

While I generally stay out of the full-disclosure and associated
topics debate these days because I've already stated my position
(probably too many times), there are some questions surrounding this
advisory that I can't help but think ought to be brought out into the
open. Let me state for the record that I harbor no ill-will toward
ISS; I just think they might have been a bit out of line here. The
following discussion is a bit convoluted, so bear with me.

For any who missed it, here is the advisory itself, as posted on
Bugtraq.  For the sake of clarity, I'll present my comments at the
end, rather than mucking up the body of the advisory.

======================
Internet Security Systems Security Advisory
June 17, 2002

Remote Compromise Vulnerability in Apache HTTP Server

Synopsis:

ISS X-Force has discovered a serious vulnerability in the default
version of Apache HTTP Server. Apache is the most popular Web server
and is used on over half of all Web servers on the Internet. It may be
possible for remote attackers to exploit this vulnerability to
compromise Apache Web servers. Successful exploitation may lead to
modified Web content, denial of service, or further compromise.

Affected Versions:

Apache 1.x

Note: Many commercial Web Application Servers such as Oracle 9ias and
IBM Websphere use Apache HTTP Server to process HTTP requests.
Additional products that bundle Apache HTTP Server for Windows may be
affected.

Description:

The Apache HTTP Server is maintained by the Apache Software
Foundation. Apache is an extremely popular open-source Web server.
Netcraft (http://www.netcraft.com) reports 
that as of May 2002, Apache
accounts for over 63% of all active Web sites. Apache's installed base
is larger than all other Web servers combined.

The Apache Project is an open-source and volunteer collaboration aimed
to create and maintain a free, feature-rich, powerful, and secure Web
server implementation. Apache is well regarded as the best, freely
available Web server.

Apache contains a flawed mechanism meant to calculate the size of
"chunked" encoding. Chunked encoding is part of the HTTP Protocol
Specification used for accepting data from Web users. When data is
sent from the user, the Web server needs to allocate a memory buffer
of a certain size to hold the submitted data. When the size of the
data being submitted is unknown, the client or Web browser will
communicate with the server by creating "chunks" of data of a
negotiated size.

The Apache HTTP Server has a software flaw that misinterprets the size
of incoming data chunks. This error may lead to a signal race, heap
overflow, and to exploitation of malicious code.

X-Force has verified that this issue is exploitable on Apache for
Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
source code, but X-Force believes that successful exploitation on most
Unix platforms is unlikely.

Recommendations:

Internet Scanner X-Press Update 6.12 includes a check,
ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server
for Win32. XPU 6.12 is available from the ISS Download Center at:
<a href="http://www.iss.net/download">http://www.iss.net/download>. For questions 
about downloading and
installing this XPU, email support@iss.net.

Detection support for this attack will be included in future X-Press
Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be
available from the ISS Download Center, and this alert will be updated
when these updates become available.

ISS X-Force has developed a patch for this issue. Follow the
instructions below, or contact your vendor for assistance:

To apply a source code patch to your Apache package:

1. Locate your source directory and navigate into the "main" sub-
   directory.

2. Verify that "http_protocol.c" is present in the current directory.
3. To update your http_protocol.c file, create a file named
   "apache_patch.diff", containing the following text:

- --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002
+++ http_protocol.c Fri Jun 14 16:13:47 2002
@@ -2171,7 +2171,7 @@

      /* Otherwise, we are in the midst of reading a chunk of data */

- -    len_to_read = (r-remaining  bufsiz) ? bufsiz : r-remaining;
+    len_to_read = (r-remaining  (unsigned int)bufsiz) ? bufsiz : r-
remaining;

      len_read = ap_bread(r-connection-client, buffer, len_to_read);
      if (len_read &lt;= 0) {

4. Apply the source code update using the "patch" command, or a similar
   utility.

5. Build new binaries and reinstall.

The Apache Server Project has been notified and will make a formal
patch available soon. Please refer to the Apache Server Project's
homepage for more information: http://httpd.apache.org/

Additional Information:

<a href="http://www.iss.net/security_center">http://www.iss.net/security_center>
<a href="http://www.apache.org">http://www.apache.org>
<a href="http://httpd.apache.org/">http://httpd.apache.org/>

Credits:

This vulnerability was discovered and researched by Neel Mehta of the
ISS X-Force.

======================

In order to put my comments into perspective, let's examine the
(approximate) chronology of events relevant to this announcement:

1. Mark Litchfield discovers a potential DOS attack while searching for
   Oracle vulnerabilities.

From the VulnWatch mailing list:

======================

From: "Mark J Cox" &lt;<a href="mailto:mjc@apache.org?Subject=Re:%20(ai)%20An%20interesting%20analysis%20on%20ISS'%20recent%20vulnerability%20disclosure%2526In-Reply-To=%2526lt;B9349D01.34114%25rforno@infowarrior.org">mjc@apache.org</a>
To: &lt;<a href="mailto:vulnwatch@vulnwatch.org?Subject=Re:%20(ai)%20An%20interesting%20analysis%20on%20ISS'%20recent%20vulnerability%20disclosure%2526In-Reply-To=%2526lt;B9349D01.34114%25rforno@infowarrior.org">vulnwatch@vulnwatch.org</a>
Sent: Monday, June 17, 2002 11:23 AM
Subject: [VulnWatch] Apache httpd: vulnerability with chunked encoding

Date: June 17, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
up to 2.0.39 

Introduction:

While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows.  Investigation by the
Apache Software Foundation showed that this issue has a wider scope,
which on some platforms results in a denial of service vulnerability,
while on some other platforms presents a potential a remote exploit
vulnerability.

We were also notified today by ISS that they had published the same
issue which has forced the early release of this advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue.

[snip]

======================

2. As suggested by the above statements, the Litchfields and Apache
are working together to sort out the problem and take corrective
action.

3.  ISS releases an unexpected advisory, the one I've included above
in its entirety. There are two glaring problems with this advisory.
The first is that they apparently gave Apache no time at all to
respond before posting on a public forum.  This, most people believe,
is a no-no.  From what I can see ISS does not contact Apache until
*after* the advisory is posted, in fact.

The vulnerability posted by ISS is a little too vague for my tastes,
but basically it involves a "misinterpretation" of an unsigned int as
signed.  In order for this to take place, the variable in question has
to be greater than 32k in value (otherwise it can't be an unsigned
int).  The "bufsiz" in the advisory is actually (according to the
Apache source code) assigned to a static variable named
HUGE_STRING_LEN, which is limited in size in a #DEFINE in httpd.h to
8192 (8k).  Therefore, it can't be interpreted as unsigned, unless the
compiler has gone insane.  By my own quick-n-dirty audit, every bit of
code in the source trees I happen to have that refers to
HUGE_STRING_LEN contains an include statement for httpd.h. Badda bing,
badda boom.

The upshot of this is that the patch supplied by ISS doesn't fix
anything, at least as far as I can tell.  I'm not an expert coder (or
expert anything else, with the possible exception of smartass, as I've
taken pains to point out before), but I've had a true expert whose
opinion I respect without reservation indicate the same thing to me,
so I feel fairly secure in this assertion.

Ok, so we have an advisory, and a patch that doesn't do anything.
Not only is the patch of questionable utility, it requires, in their
(ISS') own words, that the users "build new binaries and reinstall."
Now, given the fact that they've stated that Apache for Win32 is
vulnerable, and remembering that the vast majority of installations of
Apache on Windows platforms are derived from binary distributions, not
source code, one has to wonder how these recompilations are going to
take place.  In point of fact, they're not. At least not at the user
level.

So, to summarize:

Mark Litchfield discovered a vulnerability in Apache, and followed
proper channels by contacting the software maintainer and working with
them to develop a fix before going public with potentially exploitable
details.

ISS bypasses accepted channels completely and posts information about
the vulnerability to a public list, providing at the same time a patch
that doesn't seem to fix the vulnerability as stated, along with
installation instructions that, while accurate, are not going to be of
much use to most Win32 admins.

Apache is now in the position of having to scramble to release a patch
before people start exploiting a vulnerability that would not have
been widely known if ISS had shown a bit more restraint.

On possible interpretation of the sequence of events (not the only
one, but the one that strikes me as most likely) is that ISS wanted to
go on record as having reported the vulnerability in Apache (and these
are relatively rare) first, come hell or high water.  I understand
that being first out of the chute can give you a public relations edge
in the tough, competitive world of information security products and
services, but it looks to me as though going this route is paramount
to shooting yourself in both feet with the same bullet.  Being first
to post a non-existent vulnerability and then providing a patch that
wouldn't fix it anyway ain't no way to go through life.

But then, that's just the way I see it.

RGF

Robert G. Ferrell

------------------------ Yahoo! Groups Sponsor ---------------------~-->
Free $5 Love Reading
Risk Free!
http://us.click.yahoo.com/3PCXaC/PfREAA/Ey.GAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Next message: Fred Cohen: "[iwar] [fc:Report:.LEA.Tools.for.Investigating.Cyber.Attacks:.A.National.Needs.Assessment]"
Previous message: Fred Cohen: "[iwar] [fc:Hamas.Militant.Group.Provides.'How-to'.Video.for.Constructing.Explosives]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT