-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 10.03.2002 Apache 1.3.x shared memory scoreboard vulnerabilities 16:00 GMT, October 3, 2002 I. BACKGROUND The Apache Software Foundation's HTTP Server is an effort to develop and maintain an open-source HTTP server for modern operating systems including Unix and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. More details about it are available at http://httpd.apache.org . II. DESCRIPTION Apache HTTP Server contains a vulnerability in its shared memory scoreboard. Attackers who can execute commands under the Apache UID can either send a (SIGUSR1) signal to any process as root, in most cases killing the process, or launch a local denial of service (DoS) attack. III. ANALYSIS Exploitation requires execute permission under the Apache UID. This can be obtained by any local user with a legitimate Apache scripting resource (ie: PHP, Perl), exploiting a vulnerability in web-based applications written in the above example languages, or through the use of some other local/remote Apache exploit. Once such a status is attained, the attacker can then attach to the httpd daemon's 'scoreboard', which is stored in a shared memory segment owned by Apache. The attacker can then cause a DoS condition on the system by continuously filling the table with null values and causing the server to spawn new children. The attacker also has the ability to send any process a SIGUSR1 signal as root. This is accomplished by continuously overwriting the parent[].pid and parent[].last_rtime segments within the scoreboard to the pid of the target process and a time in the past. When the target pid receives the signal SIGUSR1, it will react according to how it is designed to manage the signal. According to the man page (man 7 signal), if the signal is un-handled then the default action is to terminate: ... SIGUSR1 30,10,16 A User-defined signal 1 ... The letters in the "Action" column have the following meanings: A Default action is to terminate the process. ... iDEFENSE successfully terminated arbitrary processes, including those that "kicked" people off the system. IV. DETECTION Apache HTTP Server 1.3.x, running on all applicable Unix platforms, is affected. V. VENDOR FIX/RESPONSE Apache HTTP Server 1.3.27 fixes this problem. It should be available on October 3 at http://www.apache.org/dist/httpd/ . VI. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-0839 to this issue. VII. DISCLOSURE TIMELINE 8/27/2002 Issue disclosed to iDEFENSE 9/18/2002 Vendor notified at security@apache.org 9/18/2002 iDEFENSE clients notified 9/19/2002 Response received from Mark J Cox (mark@awe.com) 10/3/2002 Coordinated public disclosure VIII. CREDIT zen-parse (zen-parse@gmx.net) disclosed this issue to iDEFENSE. Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe" About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. iALERT, our security intelligence service, provides decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com. - -dave David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler@idefense.com www.idefense.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPZx0I0rdNYRLCswqEQIowQCfQT+FYR1FLTEzlf49SpJXwDnie8wAn3Kr CncduGV6EYHqVayQE90b7Yij =4T8j -----END PGP SIGNATURE-----