There is an issue with apache, corroborated by the apache guys, with a story at /. Short version: Are we waiting for the apache team to come up with a patch, or do you guys have an idea of a fix? Is this remotely exploitable, or just a dos with apache 1.3.x?
ts wrote:
> There is an issue with apache, corroborated by the apache guys, with a story at /.

I have some problems evaluating this bug.

--http://httpd.apache.org/info/security_bulletin_20020617.txt--
In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in a similar way as well.
--------------------------------------------------------------------

So I guess when running apache on some x86-type of processor and linux or bsd as OS, all that can happen is a DOS. Right? If so, how severe is this DOS? How long does it take for httpd to fork a new child under normal conditions (moderate load, plenty of ram, dual pIII 800)?

Martin Borchert
--
when in danger or in doubt, run in circles, scream and shout!
pgp-key: via wwwkeys.de.pgp.net, key id is 0x21eec9b0
> There is an issue with apache, corroborated by the apache guys, with a story at /.
> I have some problems evaluating this bug.
> --http://httpd.apache.org/info/security_bulletin_20020617.txt--
> In Apache 1.3 the issue causes a stack overflow. Due to the nature of the overflow on 32-bit Unix platforms this will cause a segmentation violation and the child will terminate. However on 64-bit platforms the overflow can be controlled and so for platforms that store return addresses on the stack it is likely that it is further exploitable. This could allow arbitrary code to be run on the server as the user the Apache children are set to run as. We have been made aware that Apache 1.3 on Windows is exploitable in a similar way as well.
> --------------------------------------------------------------------
> So I guess when running apache on some x86-type of processor and linux or bsd as OS, all that can happen is a DOS. Right? If so, how severe is this DOS? How long does it take for httpd to fork a new child under normal conditions (moderate load, plenty of ram, dual pIII 800)?

You can forget about the overhead caused by the fork()s. fork() is very inexpensive on Linux, the really painful stuff is a set of pagefaults caused by execve() (usually after some fork()). The load on your machine is by the order of a magnitude higher with the effort of getting a child to crash, when attacked.

Our (Olafs) current analysis shows that the bug is not exploitable on 32 bit linux platforms in the sense that you can execute code. There is only a DoS. However, since we don't want to risk to be wrong, we take this very seriously. All packages have been built already and are waiting for publishing, but testing them takes some minutes, still. We have some heat problems here in Nürnberg, causing us to use more time.

Thanks,
Roman.
--
Roman Drahtmüller <draht@suse.de>                // "You don't need eyes to see,
SuSE Linux AG - Security   Phone: +49-911-740530  // you need vision!"
Nürnberg, Germany                                 // Maxi Jazz, Faithless
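Roman's point is that on a 32-bit Linux box the cost of this attack is the crash itself, not the fork() of a replacement child, so the observable symptom is a run of child segfault notices in the error_log. The following Python detector is an added example, not code from this thread or from the Apache project: it counts Apache 1.3 "child pid N exit signal Segmentation fault (11)" notices per minute and flags minutes above a threshold. The sample log lines are constructed and the threshold of 3 is an assumption to tune against normal crash noise.

```python
import re
from collections import Counter
from datetime import datetime

# Notice the Apache 1.3 parent writes to error_log when a child dies on SIGSEGV.
SEGV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal Segmentation fault \(11\)"
)

# Constructed sample error_log excerpt (not a real capture).
SAMPLE_ERROR_LOG = """\
[Wed Jun 19 11:20:03 2002] [notice] Apache/1.3 (Unix) configured -- resuming normal operations
[Wed Jun 19 11:22:11 2002] [notice] child pid 3120 exit signal Segmentation fault (11)
[Wed Jun 19 11:22:12 2002] [notice] child pid 3121 exit signal Segmentation fault (11)
[Wed Jun 19 11:22:12 2002] [notice] child pid 3122 exit signal Segmentation fault (11)
[Wed Jun 19 11:22:13 2002] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
[Wed Jun 19 11:22:40 2002] [notice] child pid 3123 exit signal Segmentation fault (11)
[Wed Jun 19 11:23:05 2002] [notice] child pid 3124 exit signal Segmentation fault (11)
"""


def segfaults_per_minute(log_text):
    """Return {'YYYY-MM-DD HH:MM': count} of child segfaults in error_log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SEGV_RE.match(line)
        if not m:
            continue  # unrelated notice/error line
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        counts[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return counts


def noisy_minutes(log_text, threshold=3):
    """Minutes whose child-crash count reaches the threshold (assumed: 3/min)."""
    per_minute = segfaults_per_minute(log_text)
    return sorted(m for m, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    for minute in noisy_minutes(SAMPLE_ERROR_LOG):
        print("child crash storm at", minute)
```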
On Wednesday, 19 June 2002 11:22:11, Roman Drahtmueller wrote:
> > > There is an issue with apache, corroborated by the apache guys, with a story at /.
> > I have some problems evaluating this bug.
> > --http://httpd.apache.org/info/security_bulletin_20020617.txt--
> > So I guess when running apache on some x86-type of processor and linux or bsd as OS, all that can happen is a DOS. Right? If so, how severe is this DOS?
> Our (Olafs) current analysis shows that the bug is not exploitable on 32 bit linux platforms in the sense that you can execute code. There is only a DoS.

Thank you for the quick answer.

> However, since we don't want to risk to be wrong, we take this very seriously. All packages have been built already and are waiting for publishing, but testing them takes some minutes, still.

And thank you for the great work.

> We have some heat problems here in Nürnberg, causing us to use more time.

I'm feeling with you. Heat problems seem to spread over whole Germany. Situation in Rostock: 34° in the office (glass front from south-east to west), still rising.

Martin Borchert
participants (3)
- Martin Borchert
- Roman Drahtmueller
- ts