apache-chunked.txt

Posted Jun 19, 2002
Authored by Mark Litchfield, Apache developers | Site httpd.apache.org

Apache Advisory - A vulnerability found in the chunked encoding implementation of the Apache 1.3.24 and 2.0.36 and below servers can, under some conditions, be used to remotely execute code on systems running this software.

advisories | CVE-2002-0392
SHA-256 | 3576dbeaf81b78b50b61214cbe4d286dbbfd04b6af6a433d492bc3bd471c2dfc

-----BEGIN PGP SIGNED MESSAGE-----

Date: June 17, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
up to 2.0.39

Introduction:

While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows. Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability.

We were also notified today by ISS that they had published the same issue
which has forced the early release of this advisory.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0392 to this issue.

Description:

Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
and including 2.0.36 and 2.0.36-dev versions contain a bug in the routines
which deal with invalid requests which are encoded using chunked encoding.
This bug can be triggered remotely by sending a carefully crafted invalid
request. This functionality is enabled by default.

In most cases the outcome of the invalid request is that the child process
dealing with the request will terminate. At the least, this could help a
remote attacker launch a denial of service attack as the parent process
will eventually have to replace the terminated child process and starting
new children uses non-trivial amounts of resources.

On the Windows and Netware platforms, Apache runs one multithreaded child
process to service requests. The teardown and subsequent setup time to
replace the lost child process presents a significant interruption of
service. As the Windows and Netware ports create a new process and reread
the configuration, rather than fork a child process, this delay is much
more pronounced than on other platforms.

In Apache 2.0 the error condition is correctly detected, so it will not
allow an attacker to execute arbitrary code on the server. However,
platforms could be using a multithreaded model of multiple concurrent
requests per child process (although the default preference remains
multiple processes with a single thread and request per process, and most
multithreaded models continue to create multiple child processes). Using
any multithreaded model, all concurrent requests currently served by the
affected child process will be lost.

In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
overflow on 32-bit Unix platforms this will cause a segmentation violation
and the child will terminate. However, on 64-bit platforms the overflow
can be controlled and so for platforms that store return addresses on the
stack it is likely that it is further exploitable. This could allow
arbitrary code to be run on the server as the user the Apache children are
set to run as.

We have been made aware that Apache 1.3 on Windows is exploitable in this
way.

Please note that the patch provided by ISS does not correct this
vulnerability.

The Apache Software Foundation are currently working on new releases that
fix this issue; please see http://httpd.apache.org/ for updated
versions.
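
Added example, not part of the Apache advisory and not Apache's code or fix: a strict validator for chunked request framing, of the kind a front-end filter could apply to reject invalid chunked requests before they reach an unpatched server. The advisory does not say which malformation triggers the bug, so this checks general HTTP/1.1 chunk framing only; MAX_CHUNK, parse_chunk_size and chunked_body_ok are names and limits chosen for this example, and trailers are not supported.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CHUNK ((size_t)1 << 20) /* assumed per-chunk limit (1 MiB) */

/* Parse one "<hex>[;extension]\r\n" line at buf[*pos]; 0 on success. */
static int parse_chunk_size(const char *buf, size_t len, size_t *pos, size_t *out)
{
    size_t i = *pos, size = 0, digits = 0;
    for (; i < len; i++, digits++) {
        char c = buf[i];
        unsigned v;
        if (c >= '0' && c <= '9')      v = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') v = (unsigned)(c - 'a') + 10;
        else if (c >= 'A' && c <= 'F') v = (unsigned)(c - 'A') + 10;
        else break;
        size = size * 16 + v;
        if (size > MAX_CHUNK) return -1;  /* bounded long before it could wrap */
    }
    if (digits == 0) return -1;           /* a size is hex digits and nothing else */
    if (i < len && buf[i] == ';')         /* skip an optional chunk extension */
        while (i < len && buf[i] != '\r' && buf[i] != '\n') i++;
    if (len - i < 2 || buf[i] != '\r' || buf[i + 1] != '\n') return -1;
    *pos = i + 2;
    *out = size;
    return 0;
}

/* 1 if buf holds one complete, well-formed chunked body (no trailers), else 0. */
int chunked_body_ok(const char *buf, size_t len)
{
    size_t pos = 0, size = 0;
    for (;;) {
        if (parse_chunk_size(buf, len, &pos, &size) != 0) return 0;
        if (size == 0) break;                       /* last-chunk */
        if (len - pos < size + 2) return 0;         /* data + CRLF must be present */
        if (buf[pos + size] != '\r' || buf[pos + size + 1] != '\n') return 0;
        pos += size + 2;
    }
    return len - pos == 2 && buf[pos] == '\r' && buf[pos + 1] == '\n';
}

int main(void)
{
    /* Constructed sample bodies, not taken from the advisory. */
    const char *good = "4\r\nWiki\r\n0\r\n\r\n";
    const char *bad  = "5\r\nWiki\r\n0\r\n\r\n";   /* declared size disagrees with data */
    printf("good=%d bad=%d\n", chunked_body_ok(good, strlen(good)),
           chunked_body_ok(bad, strlen(bad)));
    return 0;
}
```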
