-----BEGIN PGP SIGNED MESSAGE----- 

Internet Security Systems Security Advisory 
June 17, 2002 

Remote Compromise Vulnerability in Apache HTTP Server 

Synopsis: 

ISS X-Force has discovered a serious vulnerability in the default 
version of Apache HTTP Server. Apache is the most popular Web server and 
is used on over half of all Web servers on the Internet. It may be 
possible for remote attackers to exploit this vulnerability to 
compromise Apache Web servers. Successful exploitation may lead to 
modified Web content, denial of service, or further compromise. 

Affected Versions: 

Apache 1.x 

Note: Many commercial Web Application Servers such as Oracle 9ias and 
IBM Websphere use Apache HTTP Server to process HTTP requests. 
Additional products that bundle Apache HTTP Server for Windows may be 
affected. 

Description: 

The Apache HTTP Server is maintained by the Apache Software Foundation. 
Apache is an extremely popular open-source Web server. Netcraft 
(http://www.netcraft.com) reports that as of May 2002, Apache accounts 
for over 63% of all active Web sites. Apache?s installed base is larger 
than all other Web servers combined. 

The Apache Project is an open-source and volunteer collaboration aimed 
to create and maintain a free, feature-rich, powerful, and secure Web 
server implementation. Apache is well regarded as the best, freely 
available Web server. 

Apache contains a flawed mechanism meant to calculate the size of 
"chunked" encoding. Chunked encoding is part of the HTTP Protocol 
Specification used for accepting data from Web users. When data is sent 
from the user, the Web server needs to allocate a memory buffer of a 
certain size to hold the submitted data. When the size of the data being 
submitted is unknown, the client or Web browser will communicate with 
the server by creating "chunks" of data of a negotiated size. 

The Apache HTTP Server has a software flaw that misinterprets the size 
of incoming data chunks. This error may lead to a signal race, heap 
overflow, and to exploitation of malicious code. 

X-Force has verified that this issue is exploitable on Apache for 
Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same 
source code, but X-Force believes that successful exploitation on most 
Unix platforms is unlikely. 

Recommendations: 

Internet Scanner X-Press Update 6.12 includes a check, 
ApacheChunkedEncodingBo, to detect installations of Apache HTTP Server 
for Win32. XPU 6.12 is available from the ISS Download Center at: 
http://www.iss.net/download. For questions about downloading and 
installing this XPU, email support@iss.net. 

Detection support for this attack will be included in future X-Press 
Updates for RealSecure Network Sensor 6.x and 7.0. These XPUs will be 
available from the ISS Download Center, and this alert will be updated 
when these updates become available. 

ISS X-Force has developed a patch for this issue. Follow the 
instructions below, or contact your vendor for assistance: 

To apply a source code patch to your Apache package: 

1. Locate your source directory and navigate into the "main" sub- 
directory. 
2. Verify that "http_protocol.c" is present in the current directory. 
3. To update your http_protocol.c file, create a file named 
"apache_patch.diff", containing the following text: 

- --- http_protocol.c.vuln Fri Jun 14 16:12:50 2002 
+++ http_protocol.c Fri Jun 14 16:13:47 2002 
@@ -2171,7 +2171,7 @@ 

     /* Otherwise, we are in the midst of reading a chunk of data */ 

- - len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining; 
+ len_to_read = (r->remaining > (unsigned int)bufsiz) ? bufsiz : r-> 
remaining; 

     len_read = ap_bread(r->connection->client, buffer, len_to_read); 
     if (len_read <= 0) { 

4. Apply the source code update using the "patch" command, or a similar 
   utility. 
5. Build new binaries and reinstall. 

The Apache Server Project has been notified and will make a formal patch 
available soon. Please refer to the Apache Server Project?s homepage for 
more information: http://httpd.apache.org/ 

Additional Information: 

http://www.iss.net/security_center 
http://www.apache.org 
http://httpd.apache.org/ 

Credits: 

This vulnerability was discovered and researched by Neel Mehta of the 
ISS X-Force. 

______ 

About Internet Security Systems (ISS) 
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a 
pioneer and world leader in software and services that protect critical 
online resources from an ever-changing spectrum of threats and misuse. 
Internet Security Systems is headquartered in Atlanta, GA, with 
additional operations throughout the Americas, Asia, Australia, Europe 
and the Middle East. 

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved 
worldwide. 

Permission is hereby granted for the electronic redistribution of this 
document. It is not to be edited or altered in any way without the 
express written consent of the Internet Security Systems X-Force. If you 
wish to reprint the whole or any part of this document in any other 
medium excluding electronic media, please email xforce@iss.net for 
permission. 

Disclaimer: The information within this paper may change without notice. 
Use of this information constitutes acceptance for use in an AS IS 
condition. There are NO warranties, implied or otherwise, with regard to 
this information or its use. Any use of this information is at the 
user's risk. In no event shall the author/distributor (Internet Security 
Systems X-Force) be held liable for any damages whatsoever arising out 
of or in connection with the use or spread of this information. 

X-Force PGP Key available on MIT's PGP key server and PGP.com's key 
server, as well as at http://www.iss.net/security_center/sensitive.php 

Please send suggestions, updates, and comments to: X-Force 
xforce@iss.net of Internet Security Systems, Inc. 

-----BEGIN PGP SIGNATURE----- 
Version: 2.6.2 

iQCVAwUBPQ4GqzRfJiV99eG9AQHAAQQArA9Xso3VW2fdkUYjyu/mjzji6d13ekEw 
o13+G231veDDNdA6dy3QB5JxrspUehzIIvp2Ceo5ZjegBZVEJW0VnnOJ8FsnY6Uj 
wArq9Je2r2X55AYOWIVCFtlfcKtON68couPaMumldWcLBQ+ktJCY7oygydXFfs19 
6iBtJDMKucs= 
=eZeq 
-----END PGP SIGNATURE-----