There is an issue with apache, corroborated by the apache guys, with a story at /. Short version: Are we waiting for the apache team to come up with a patch, or do you guys have an idea of a fix? Is this remotely exploitable, or just a dos with apache 1.3.x?
ts wrote:
> There is an issue with apache, corroborated by the apache guys, with a story at /.
I have some problems evaluating this bug.
--http://httpd.apache.org/info/security_bulletin_20020617.txt--
In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in a similar way as well.
--------------------------------------------------------------------
So I guess when running apache on some x86-type of processor and linux or bsd as OS, all that can happen is a DOS. Right? If so, how severe is this DOS? How long does it take for httpd to fork a new child under normal conditions (moderate load, plenty of ram, dual pIII 800)?
Martin Borchert
You can forget about the overhead caused by the fork()s. fork() is very
inexpensive on Linux; the really painful stuff is a set of page faults
caused by execve() (usually after some fork()). The load on your machine
is an order of magnitude higher with the effort of getting a child
to crash, when attacked.
Our (Olafs) current analysis shows that the bug is not exploitable on 32
bit linux platforms in the sense that you can execute code. There is only
a DoS. However, since we don't want to risk being wrong, we take this very
seriously. All packages have been built already and are waiting for
publishing, but testing them takes some minutes, still. We have some heat
problems here in Nürnberg, causing us to use more time.
Thanks,
Roman.
--
Roman Drahtmüller
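The bulletin quoted above says that on 32-bit Unix the overflow makes the Apache child segfault and terminate, and the question in this thread is how bad that is as a DoS. One thing an operator can do while waiting for packages is watch for bursts of crashing children. The script below is an added example, not something posted in this thread or shipped by Apache or SUSE: it parses Apache 1.3 error_log lines of the form `[date] [notice] child pid N exit signal Segmentation fault (11)` (the line format is assumed from Apache 1.3 behaviour) and counts SIGSEGV child exits per minute, flagging minutes that reach a threshold. The log lines in `SAMPLE_LOG` are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 logs a notice when a child dies from a signal. Format assumed:
#   [Wed Jun 19 11:22:11 2002] [notice] child pid 4711 exit signal Segmentation fault (11)
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] child pid (?P<pid>\d+) exit signal "
    r"(?P<signal>[A-Za-z ]+) \((?P<signum>\d+)\)$"
)

# Constructed sample error_log excerpt (not from a real server).
SAMPLE_LOG = """\
[Wed Jun 19 11:20:05 2002] [error] [client 10.0.0.5] File does not exist: /var/www/htdocs/favicon.ico
[Wed Jun 19 11:22:11 2002] [notice] child pid 4711 exit signal Segmentation fault (11)
[Wed Jun 19 11:22:12 2002] [notice] child pid 4712 exit signal Segmentation fault (11)
[Wed Jun 19 11:22:13 2002] [notice] child pid 4713 exit signal Segmentation fault (11)
[Wed Jun 19 11:22:40 2002] [notice] child pid 4714 exit signal Segmentation fault (11)
[Wed Jun 19 11:23:01 2002] [notice] child pid 4715 exit signal Segmentation fault (11)
[Wed Jun 19 11:40:00 2002] [notice] child pid 4800 exit signal Terminated (15)
"""


def parse_child_exits(lines):
    """Return (minute, signal number) for every child-exit notice in the log.

    The minute is a string like '2002-06-19 11:22' so results are easy to
    compare and print. Lines that are not child-exit notices are skipped.
    """
    out = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        out.append((ts.strftime("%Y-%m-%d %H:%M"), int(m.group("signum"))))
    return out


def segfaults_per_minute(lines):
    """Count children that exited with SIGSEGV (signal 11), bucketed per minute."""
    counts = Counter()
    for minute, signum in parse_child_exits(lines):
        if signum == 11:
            counts[minute] += 1
    return counts


def noisy_minutes(lines, threshold):
    """Minutes in which the number of segfaulting children reached the threshold.

    A single crash can be a coincidence; several per minute across different
    pids is the pattern a remote crash-the-child DoS would leave behind.
    """
    counts = segfaults_per_minute(lines)
    return sorted(minute for minute, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for minute, n in sorted(segfaults_per_minute(lines).items()):
        print(f"{minute}: {n} child segfault(s)")
    for minute in noisy_minutes(lines, threshold=3):
        print(f"ALERT: {minute} had >= 3 segfaulting children")
```

On a real server you would feed it the live error_log (for example with `tail -F`) instead of `SAMPLE_LOG`; a spike of segfaulting children with distinct pids in the same minute is the symptom to correlate with the access_log, since on 32-bit platforms a crashed child is the only effect the bulletin describes.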
On Wednesday, 19 June 2002 at 11:22:11, Roman Drahtmueller wrote:
> > There is an issue with apache, corroborated by the apache guys, with a story at /. I have some problems evaluating this bug. --http://httpd.apache.org/info/security_bulletin_20020617.txt-- So I guess when running apache on some x86-type of processor and linux or bsd as OS, all that can happen is a DOS. Right? If so, how severe is this DOS?
> Our (Olafs) current analysis shows that the bug is not exploitable on 32 bit linux platforms in the sense that you can execute code. There is only a DoS.
Thank you for the quick answer.
> However, since we don't want to risk to be wrong, we take this very seriously. All packages have been built already and are waiting for publishing, but testing them takes some minutes, still.
And thank you for the great work.
> We have some heat problems here in Nürnberg, causing us to use more time.
I'm feeling with you. Heat problems seem to spread over whole Germany. Situation in Rostock: 34° in the office (glass front from south-east to west), still rising.
Martin Borchert