Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
Re: [suse-security] Apache update
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Wed, 19 Jun 2002 11:22:27 +0200 (MEST)
  • Message-id: <Pine.LNX.4.44.0206191117580.16809-100000@xxxxxxxxxxxx>
> > There is an issue with apache, corroborated by the apache
> > guys,
> > with a story at /.
>
> I have some problems evaluating this bug.
>
> - --http://httpd.apache.org/info/security_bulletin_20020617.txt--
> In Apache 1.3 the issue causes a stack overflow. Due to the nature
> of the overflow on 32-bit Unix platforms this will cause a
> segmentation violation and the child will terminate. However on
> 64-bit platforms the overflow can be controlled and so for
> platforms that store return addresses on the stack it is likely
> that it is further exploitable. This could allow arbitrary code to
> be run on the server as the user the Apache children are set to run
> as. We have been made aware that Apache 1.3 on Windows is
> exploitable in a similar way as well.
> - --------------------------------------------------------------------
>
> So I guess when running apache on some x86-type of processor and
> linux or bsd as OS, all that can happen is a DOS. Right?
> If so, how severe is this DOS? How long does it take for httpd to
> fork a new child under normal conditions (moderate load, plenty of
> ram, dual pIII 800)?

You can forget about the overhead caused by the fork()s. fork() is very
inexpensive on Linux, the really painful stuff is a set of pagefaults
caused by execve() (usually after some fork()). The load on your machine
is by the order of a magnitude higher with the effort of getting a child
to crash, when attacked.

Our (Olafs) current analysis shows that the bug is not exploitable on 32
bit linux platforms in the sense that you can execute code. There is only
a DoS. However, since we don't want to risk to be wrong, we take this very
seriously. All packages have been built already and are waiting for
publishing, but testing them takes some minutes, still. We have some heat
problems here in Nürnberg, causing us to use more time.

Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "You don't need eyes to see, |
SuSE Linux AG - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -


< Previous Next >
Follow Ups
References