__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                         INFORMATION BULLETIN

               Vulnerability in NCSA and Apache httpd Servers

April 16, 1996 18:00 GMT                                           Number G-20
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the httpd servers provided by NCSA
               and the Apache organization.
PLATFORM:      All systems capable of running either httpd.
DAMAGE:        A user can potentially gain the same access privileges as the
               httpd server.
SOLUTION:      For NCSA httpd, upgrade to the latest version; for Apache
               httpd, install the patch described below.
______________________________________________________________________________
VULNERABILITY  This vulnerability can lead to compromise of a web server.
ASSESSMENT:
______________________________________________________________________________

[ Start IBM Bulletin ]

                       EMERGENCY RESPONSE SERVICE
                    SECURITY VULNERABILITY ALERT

16 April 1996 16:00 GMT                          Number: ERS-SVA-E01-1996:002.2
===============================================================================
                     UPDATE TO ERS-SVA-E01-1996:002.1

I. Description

This Security Vulnerability Alert provides updated information about the NCSA
HTTPD and Apache HTTPD Common Gateway Interface vulnerability described in
ERS-SVA-E01-1996:002.1, which was released on 26 February 1996.

ERS-SVA-E01-1996:002.1 described a vulnerability in the escape_shell_cmd()
function contained in the Common Gateway Interface sample code file
"cgi-src/util.c", provided with NCSA HTTPD Version 1.5 and earlier, or Apache
HTTPD Version 1.0.3 and earlier.
This vulnerability allowed a malicious user to embed the newline character
(hexadecimal 0A) in a query, allowing an arbitrary shell command to be executed
by the HTTPD server.

IBM-ERS has learned that the escape_shell_command() function is also contained
in the server source code file, "src/util.c". Note that the files "src/util.c"
and "cgi-src/util.c" are not identical; however, they contain identical copies
of the escape_shell_command() function. The file "src/util.c" is used to build
the HTTPD server; therefore the "newline" vulnerability exists in the server
itself.

II. Impact

A malicious user who knows how to exercise this vulnerability may have the
ability to:

1. Execute arbitrary commands on the server host using the same user-id as the
   user running the "httpd" server. If "httpd" is being run as "root," the
   unauthorized commands are also run as "root."

2. Access any file on the system that is accessible to the user-id that is
   running the "httpd" server. If the "httpd" server user-id has read access
   to the file, the attacker can also read the file. If the "httpd" server
   user-id has write access to the file, the attacker can change or destroy
   the contents of the file. If the "httpd" server is being run as "root," the
   attacker can read, modify, or destroy any file on the server host.

3. Given an X11-based terminal emulator ("xterm" or equivalent) installed on
   the "httpd" server host, gain full interactive access to the server host
   just as if he were logging in locally.

III. Solutions

IBM-ERS recommends that you consider taking the following actions (subject to
any licensing restrictions that may apply to your copies of the programs):

1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
   contain this vulnerability. NCSA HTTPD Version 1.5 is available from:

   ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z

2. If you are using Apache HTTPD, locate the escape_shell_command() function
   in the file "src/util.c" (approximately line 430). In that function, the
   line that reads

       if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){

   should be changed to read

       if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){

   The server should then be recompiled, reinstalled, and restarted.

IV. Acknowledgements

IBM-ERS would like to thank the NASA Automated Systems Incident Response
Capability (NASIRC) for providing the information contained in this update.
NASIRC in turn acknowledges Ken Bell of NASA Goddard Institute for Space
Studies for bringing this vulnerability to their attention, and the NCSA HTTPD
Development Team for confirming the problem and the fix.

IBM-ERS would also like to thank Jennifer Myers, a post-doctoral fellow at
Northwestern University, who originally discovered the vulnerability described
in ERS-SVA-E01-1996:002.1, and made public the description of the problem and
its solution. This acknowledgement was omitted from the original alert.

===============================================================================
Copyright 1996 International Business Machines Corporation.

[ End IBM Bulletin ]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of IBM Emergency Response Service
(IBM-ERS), and those they attribute, for the information contained in this
bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer security
teams worldwide.
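The defect behind the one-line fix in section III of the IBM bulletin, shown as an added illustration: this is not the NCSA or Apache util.c code, but a simplified backslash-escaping routine of the same shape, run once with a metacharacter list modelled on the unpatched line (no newline) and once with the patched list (newline appended). The function names escape_shell_arg, has_unescaped_newline and newline_survives, and the sample query string, are this example's own inventions; a defender reviewing a similar escape list can reuse the check to confirm that a bare 0x0A byte no longer passes through.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not the NCSA/Apache util.c code. The two lists are
   modelled on the before/after lines quoted in section III of the update:
   the unpatched list has no newline, the patched list appends "\n". */
static const char UNPATCHED_METACHARS[] = "&;`'\"|*?~<>^()[]{}$\\";
static const char PATCHED_METACHARS[]   = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Backslash-escape every byte of `in` that appears in `metachars`.
   Returns a newly allocated string (caller frees), or NULL on allocation
   failure. */
char *escape_shell_arg(const char *in, const char *metachars)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);          /* worst case: every byte escaped */
    size_t j = 0;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (strchr(metachars, in[i]) != NULL)
            out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';
    return out;
}

/* Return 1 if `escaped` still holds a newline that is not preceded by an
   escaping backslash, i.e. one a shell would read as a command separator.
   A backslash consumes the byte after it, so an escaped backslash followed
   by a bare newline is correctly reported as unescaped. */
int has_unescaped_newline(const char *escaped)
{
    for (size_t i = 0; escaped[i] != '\0'; i++) {
        if (escaped[i] == '\\') {
            if (escaped[i + 1] != '\0')
                i++;                        /* skip the escaped byte */
            continue;
        }
        if (escaped[i] == '\n')
            return 1;
    }
    return 0;
}

/* Convenience check: does escaping `input` with `metachars` leave a bare
   newline behind? 1 = yes (unsafe), 0 = no, -1 = allocation failure. */
int newline_survives(const char *input, const char *metachars)
{
    char *e = escape_shell_arg(input, metachars);
    int r;

    if (e == NULL)
        return -1;
    r = has_unescaped_newline(e);
    free(e);
    return r;
}

int main(void)
{
    /* Constructed sample query: a value followed by a newline (0x0A). */
    const char *query = "value\nsecond line";

    printf("unpatched list: bare newline survives = %d\n",
           newline_survives(query, UNPATCHED_METACHARS));
    printf("patched list:   bare newline survives = %d\n",
           newline_survives(query, PATCHED_METACHARS));
    return 0;
}
```

With the unpatched list the newline is copied through untouched, so a shell handed the result would treat the text after it as a second command; with the patched list the newline is preceded by a backslash, which a Bourne shell reads as line continuation rather than a separator.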
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH
may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC
voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN
number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are available
from the CIAC Computer Security Archive.

    World Wide Web:  http://ciac.llnl.gov/
    Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
    Modem access:    +1 (510) 423-4753 (28.8K baud)
                     +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI
   products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the E-mail
message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES
for list-name and valid information for LastName FirstName and PhoneNumber when
sending E-mail to ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(G-10a) Winword Macro Viruses
(G-11)  HP Syslog Vulnerability
(G-12)  SGI ATT Packaging Utility Security Vulnerability
(G-13)  Kerberos Version 4 Key Server Vulnerability
(G-14)  Domain Name Service Vulnerabilities
(G-15)  Sunsoft Demo CD Vulnerability
(G-16)  SGI rpc.statd Program Security Vulnerabilities
(G-17)  Vulnerabilities in Sample HTTPD CGIs
(G-18)  Digital OSF/1 dxconsole Security Vulnerability
(G-19)  IBM AIX rmail Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07    - 3/29/95  A comprehensive review of SATAN
Notes 08    - 4/4/95   A Courtney update
Notes 09    - 4/24/95  More on the "Good Times" virus urban legend
Notes 10    - 6/16/95  PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability in
                       S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11    - 7/31/95  Virus Update, Hats Off to Administrators, America
                       On-Line Virus Scare, SPI 3.2.2 Released, The Die_Hard
                       Virus
Notes 12    - 9/12/95  Securely configuring Public Telnet Services, X Windows,
                       beta release of Merlin, Microsoft Word Macro Viruses,
                       Allegations of Inappropriate Data Collection in Win95
Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST Conference
                       Announcement, Security and Web Search Engines, Microsoft
                       Word Macro Virus Update