g-20.NCSA.and.Apache.httpd.vulnerability.asc
Posted Sep 23, 1999

SHA-256 | 3e08f465991e1f920b484eb754007be0162d0b78169dbec52edac60bb2f393d1
__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
[ CIAC logo ]
__________________________________________________________

INFORMATION BULLETIN

Vulnerability in NCSA and Apache httpd Servers

April 16, 1996 18:00 GMT Number G-20
______________________________________________________________________________
PROBLEM: A vulnerability exists in the httpd servers provided by NCSA
and the Apache organization.
PLATFORM: All systems capable of running either httpd.
DAMAGE: A user can potentially gain the same access privileges as the
httpd server.
SOLUTION: For NCSA httpd, upgrade to the latest version (1.5.1); for Apache
httpd, install the patch described below.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: This vulnerability can lead to compromise of a web
server.
______________________________________________________________________________

[ Start IBM Bulletin ]

[ IBM logo ]

EMERGENCY RESPONSE SERVICE
SECURITY VULNERABILITY ALERT

16 April 1996 16:00 GMT Number: ERS-SVA-E01-1996:002.2
===============================================================================
UPDATE TO ERS-SVA-E01-1996:002.1

I. Description

This Security Vulnerability Alert provides updated information about
the NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability
described in ERS-SVA-E01-1996:002.1, which was released on 26 February
1996.

ERS-SVA-E01-1996:002.1 described a vulnerability in the
escape_shell_cmd() function contained in the Common Gateway Interface
sample code file "cgi-src/util.c", provided with NCSA HTTPD Version
1.5 and earlier, or Apache HTTPD Version 1.0.3 and earlier. The function
backslash-escapes a fixed list of shell metacharacters before user-supplied
data is handed to a shell, but the newline character (hexadecimal 0A) was
not in that list. This allowed a malicious user to embed a newline in a
query; because the shell treats an unescaped newline as a command
separator, an arbitrary shell command could then be executed by the HTTPD
server.

IBM-ERS has learned that the escape_shell_cmd() function is also
contained in the server source code file, "src/util.c". Note that the files
"src/util.c" and "cgi-src/util.c" are not identical; however, they contain
identical copies of the escape_shell_cmd() function. The file
"src/util.c" is used to build the HTTPD server; therefore the "newline"
vulnerability exists in the server itself, not only in the sample CGI
programs.

II. Impact

A malicious user who knows how to exercise this vulnerability may have
the ability to:

1. Execute arbitrary commands on the server host using the same
user-id as the user running the "httpd" server. If "httpd" is
being run as "root," the unauthorized commands are also run as
"root."

2. Access any file on the system that is accessible to the user-id
that is running the "httpd" server. If the "httpd" server
user-id has read access to the file, the attacker can also read
the file. If the "httpd" server user-id has write access to the
file, the attacker can change or destroy the contents of the
file. If the "httpd" server is being run as "root," the attacker
can read, modify, or destroy any file on the server host.

3. Given an X11-based terminal emulator ("xterm" or equivalent)
installed on the "httpd" server host, gain full interactive
access to the server host just as if he were logging in locally.


III. Solutions

IBM-ERS recommends that you consider taking the following actions
(subject to any licensing restrictions that may apply to your copies
of the programs):

1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
contain this vulnerability.

NCSA HTTPD Version 1.5.1 is available from:

ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z

2. If you are using Apache HTTPD, locate the escape_shell_cmd()
function in the file "src/util.c" (approximately line 430). In
that function, the line that reads

if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

should be changed to read

if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

so that the newline character joins the set of characters that are
backslash-escaped. The server should then be recompiled, reinstalled, and
restarted.
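The following C program is an added illustration for the vulnerability described in section I and the one-line fix above; it is not code from the bulletin, from CIAC/IBM, or from the NCSA/Apache sources. It reconstructs the escaping loop implied by the quoted line (any character found in a blacklist string is prefixed with a backslash) and runs the pre-fix and post-fix blacklists side by side over a constructed query that carries an embedded newline, as a CGI program would see it after URL-decoding "%0A". Only the two blacklist strings come from the bulletin; the function names escape_shell_cmd_vuln() and escape_shell_cmd_fixed(), the helpers has_unescaped_newline() and newline_survives(), the buffer handling, and the sample query are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Index of character c in string s, or -1 if absent.
 * Plays the role of the ind() helper named in the bulletin's patch line. */
static int ind(const char *s, char c)
{
    const char *p = strchr(s, c);
    return p ? (int)(p - s) : -1;
}

/* Generic in-place escaper: every character of cmd that appears in `danger`
 * is prefixed with a backslash. cmd must have room for the result (worst
 * case twice its length, plus the terminating NUL). */
static void escape_with(char *cmd, const char *danger)
{
    int l = (int)strlen(cmd);
    for (int x = 0; cmd[x]; x++) {
        if (ind(danger, cmd[x]) != -1) {
            /* shift the tail (including the NUL) right by one */
            for (int y = l + 1; y > x; y--)
                cmd[y] = cmd[y - 1];
            l++;
            cmd[x] = '\\';
            x++;            /* skip the character we just escaped */
        }
    }
}

/* Blacklist as quoted from Apache 1.0.3 / NCSA 1.5: no newline. */
#define DANGER_VULN  "&;`'\"|*?~<>^()[]{}$\\"
/* Blacklist after the fix: the same set plus newline (0x0A). */
#define DANGER_FIXED "&;`'\"|*?~<>^()[]{}$\\\n"

/* Names with _vuln/_fixed are this example's, not the real function name. */
void escape_shell_cmd_vuln(char *cmd)  { escape_with(cmd, DANGER_VULN); }
void escape_shell_cmd_fixed(char *cmd) { escape_with(cmd, DANGER_FIXED); }

/* Returns 1 if s still contains a newline not preceded by a backslash.
 * /bin/sh treats a raw newline as a command separator, while
 * backslash-newline is a line continuation and separates nothing. */
int has_unescaped_newline(const char *s)
{
    for (int i = 0; s[i]; i++)
        if (s[i] == '\n' && (i == 0 || s[i - 1] != '\\'))
            return 1;
    return 0;
}

/* Escapes a private copy of query with the selected blacklist and reports
 * whether a raw newline survived (1), was neutralised (0), or the copy
 * could not be allocated (-1). use_fix selects the patched blacklist. */
int newline_survives(const char *query, int use_fix)
{
    char *buf = malloc(2 * strlen(query) + 1);   /* worst-case growth */
    if (!buf)
        return -1;
    strcpy(buf, query);
    if (use_fix)
        escape_shell_cmd_fixed(buf);
    else
        escape_shell_cmd_vuln(buf);
    int r = has_unescaped_newline(buf);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed sample: a username-style query with an embedded 0x0A
     * followed by a second command, as it arrives after URL-decoding. */
    const char *query = "user\n/usr/bin/id";
    printf("pre-fix blacklist:  raw newline survives = %d\n",
           newline_survives(query, 0));
    printf("post-fix blacklist: raw newline survives = %d\n",
           newline_survives(query, 1));
    return 0;
}
```

With the pre-fix blacklist the sample query passes through untouched, because none of its bytes is listed, and the newline reaches the shell as a command separator; with the post-fix blacklist the newline becomes backslash-newline, which the shell reads as a line continuation. The same check is a quick way to audit any other escaping routine: feed it every byte value once and confirm that none of the shell's separators (newline included) comes out unescaped.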

IV. Acknowledgements

IBM-ERS would like to thank the NASA Automated Systems Incident
Response Capability (NASIRC) for providing the information contained
in this update. NASIRC in turn acknowledges Ken Bell of NASA Goddard
Institute for Space Studies for bringing this vulnerability to their
attention, and the NCSA HTTPD Development Team for confirming the
problem and the fix.

IBM-ERS would also like to thank Jennifer Myers, a post-doctoral
fellow at Northwestern University, who originally discovered the
vulnerability described in ERS-SVA-E01-1996:002.1, and made public the
description of the problem and its solution. This acknowledgement was
omitted from the original alert.

===============================================================================

Copyright 1996 International Business Machines Corporation.

[ End IBM Bulletin ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of IBM Emergency Response
Service (IBM-ERS), and those they attribute, for the information
contained in this bulletin.
_______________________________________________________________________________



CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of
Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(G-10a) Winword Macro Viruses
(G-11) HP Syslog Vulnerability
(G-12) SGI ATT Packaging Utility Security Vulnerability
(G-13) Kerberos Version 4 Key Server Vulnerability
(G-14) Domain Name Service Vulnerabilities
(G-15) Sunsoft Demo CD Vulnerability
(G-16) SGI rpc.statd Program Security Vulnerabilities
(G-17) Vulnerabilities in Sample HTTPD CGIs
(G-18) Digital OSF/1 dxconsole Security Vulnerability
(G-19) IBM AIX rmail Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95 A comprehensive review of SATAN

Notes 08 - 4/4/95 A Courtney update

Notes 09 - 4/24/95 More on the "Good Times" virus urban legend

Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
America On-Line Virus Scare, SPI 3.2.2 Released,
The Die_Hard Virus

Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
Windows, beta release of Merlin, Microsoft Word
Macro Viruses, Allegations of Inappropriate Data
Collection in Win95

Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
Conference Announcement, Security and Web Search
Engines, Microsoft Word Macro Virus Update