Title: Apache Chunked-Encoding Memory Corruption Vulnerability

Severity: CRITICAL

Description:

Apache is a freely available webserver for UNIX and Linux variants as well as Microsoft operating systems.

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the Apache implementation of 'Chunked Encoding'.

When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This may be due to improper (signed) interpretation of an unsigned integer value.

Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run.

On Windows and NetWare platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash on these platforms may result in a denial of service.

It has been confirmed that this vulnerability may be exploited to execute arbitrary code on both Win32 and UNIX platforms.

NOTE: Products that use or bundle Apache (such as Oracle 9iAS or IBM WebSphere) may also be affected.

**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.

It appears that once infected, the worm installs a backdoor on the target system, listening on UDP port 2001. This backdoor may also function as a distributed denial-of-service agent. There are several strings in the worm binary to suggest this:

Udp flooding target
Tcp flooding target
Sending packets to target
Dns flooding target

When infecting a host, the worm creates a copy of itself as the files "/tmp/.uua" and "/tmp/.a". It also appears that the files "/bin/.log", "/tmp/tmp" and "/tmp/init" are created at some point. It is highly likely that a system is infected if these files are present.

Sometime during execution, the worm may either transmit an email to another location or connect to a IP address that is hardcoded into the binary:

12.127.17.71

The email created by the worm appears to have some identifying characteristics. The return path and message-id will include the domain "aol.com":

Return-Path: <%c%c%c%c%c%c%c@aol.com>
From: %s
Message-ID: <%x.%x.%x@aol.com>

The string "webmaster@mydomain.com" appears in the binary, and may be the destination address of this email.

To mitigate this worm, administrators are highly advised to:

- Upgrade Apache as soon as possible.
- Apply network access control to block ALL incoming traffic to UDP port 2001 and all traffic to or from "12.127.17.71".
- Deploy intrusion detection systems and monitor logs closely for possible attacks or suspicious activity.
- Monitor the filesystem for the above mentioned files. The presence of a line similar to this in syslog may indicate exploitation attempts:

[Sat Jun 22 04:20:51 2002] [notice] child pid 26902 exit signal Segmentation
fault (11)

Complete analysis by the DeepSight TMS analyst team is forthcoming.

Affected Products:

Apache Software Foundation Apache 1.0.0
Apache Software Foundation Apache 1.0.2
Apache Software Foundation Apache 1.0.3
Apache Software Foundation Apache 1.0.5
Apache Software Foundation Apache 1.1.0
Apache Software Foundation Apache 1.1.1
Apache Software Foundation Apache 1.2.0
Apache Software Foundation Apache 1.2.5
Apache Software Foundation Apache 1.3.0
Apache Software Foundation Apache 1.3.1
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3.12
Apache Software Foundation Apache 1.3.14
Apache Software Foundation Apache 1.3.17
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.19
Apache Software Foundation Apache 1.3.20
Apache Software Foundation Apache 1.3.22
Apache Software Foundation Apache 1.3.23
Apache Software Foundation Apache 1.3.24
Apache Software Foundation Apache 1.3.3
Apache Software Foundation Apache 1.3.4
Apache Software Foundation Apache 1.3.9
Apache Software Foundation Apache 2.0.0
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache for Mac 1.3.14 Mac
Apache Software Foundation Apache for Windows 1.3.11
Apache Software Foundation Apache for Windows 1.3.12
Apache Software Foundation Apache for Windows 1.3.13
Apache Software Foundation Apache for Windows 1.3.14
Apache Software Foundation Apache for Windows 1.3.15
Apache Software Foundation Apache for Windows 1.3.16
Apache Software Foundation Apache for Windows 1.3.17
Apache Software Foundation Apache for Windows 1.3.18
Apache Software Foundation Apache for Windows 1.3.19
Apache Software Foundation Apache for Windows 1.3.20
Apache Software Foundation Apache for Windows 1.3.22
Apache Software Foundation Apache for Windows 1.3.23
Apache Software Foundation Apache for Windows 1.3.24
Apple Mac OS X 10.1.0
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.5
Apple Mac OS X 10.2.0
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.8
Apple Mac OS X 10.3.0
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3.2
Apple Mac OS X Server 10.1.0
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.2.0
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.3.0
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3.2
BSDI BSD/OS 4.0.0
Caldera OpenLinux Server 3.1.0
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Workstation 3.1.0
Caldera OpenLinux Workstation 3.1.1
Conectiva Linux 6.0.0
Conectiva Linux 7.0.0
Conectiva Linux 8.0.0
Debian Linux 2.2.0
Debian Linux 2.2.0 68k
Debian Linux 2.2.0 alpha
Debian Linux 2.2.0 arm
Debian Linux 2.2.0 powerpc
Debian Linux 2.2.0 sparc
Debian Linux 2.3.0
EnGarde Secure Linux 1.0.1
HP Compaq Secure Web Server for OpenVMS 1.0.0 -1
HP Compaq Secure Web Server for OpenVMS 1.1.0 -1
HP Compaq Secure Web Server for OpenVMS 1.2.0
HP HP-UX (VVOS) 11.0.0 4
HP HP-UX 11.0.0
HP HP-UX 11.0.0 4
HP HP-UX 11.11.0
HP HP-UX 11.20.0
HP HP-UX 11.22.0
HP INTERNET EXPRESS EAK 2.0.0
HP OpenView Network Node Manager 6.1.0
HP OpenView Network Node Manager 6.10.0
HP OpenView Network Node Manager 6.2.0
HP OpenView Network Node Manager 6.31.0
HP OpenView Service Information Portal 1.0.0
HP OpenView Service Information Portal 2.0.0
HP OpenView Service Information Portal 3.0.0
HP Secure OS software for Linux 1.0.0
HP Tru64 UNIX Compaq Secure Web Server 5.8.1
HP Tru64 UNIX Compaq Secure Web Server 5.8.2
HP Tru64 UNIX INTERNET EXPRESS 5.9.0
HP VirtualVault 4.5.0
HP VirtualVault 4.6.0
IBM HTTP Server 1.3.19
Macromedia ColdFusion Server MX Developer
Macromedia ColdFusion Server MX Enterprise
Macromedia ColdFusion Server MX Professional
Macromedia JRun 4.0.0
MandrakeSoft Corporate Server 1.0.1
MandrakeSoft Linux Mandrake 7.1.0
MandrakeSoft Linux Mandrake 7.2.0
MandrakeSoft Linux Mandrake 8.0.0
MandrakeSoft Linux Mandrake 8.0.0 ppc
MandrakeSoft Linux Mandrake 8.1.0
MandrakeSoft Linux Mandrake 8.1.0 ia64
MandrakeSoft Linux Mandrake 8.2.0
MandrakeSoft Linux Mandrake 8.2.0 ppc
MandrakeSoft Single Network Firewall 7.2.0
Microsoft Windows 95
Microsoft Windows 98
Netscreen NetScreen-Global PRO Express Policy Manager Server
Netscreen NetScreen-Global PRO Policy Manager Server
OpenBSD OpenBSD 2.8.0
OpenBSD OpenBSD 2.9.0
OpenBSD OpenBSD 3.0
OpenBSD OpenBSD 3.1
OpenPKG OpenPKG 1.0.0
Oracle Oracle HTTP Server 1.0.2 .0
Oracle Oracle HTTP Server 1.0.2 .1
Oracle Oracle HTTP Server 1.0.2 .2
Oracle Oracle HTTP Server 1.0.2.2 Roll up 2
Oracle Oracle HTTP Server 8.1.7
Oracle Oracle HTTP Server 9.0.1
Oracle Oracle HTTP Server 9.0.2
Oracle Oracle HTTP Server 9.1.0
Oracle Oracle HTTP Server 9.2.0 .0
Oracle Oracle HTTP Server for Apps only 1.0.2.1s
Oracle Oracle8 8.1.7
Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle8i Standard Edition 8.1.7
Oracle Oracle9i Application Server 1.0.2
Oracle Oracle9i Application Server 1.0.2 .1s
Oracle Oracle9i Application Server 1.0.2 .2
Oracle Oracle9i Application Server 9.0.2
RedHat Linux 5.2.0 alpha
RedHat Linux 5.2.0 i386
RedHat Linux 5.2.0 sparc
RedHat Linux 6.2.0 alpha
RedHat Linux 6.2.0 i386
RedHat Linux 6.2.0 sparc
RedHat Linux 7.0.0 alpha
RedHat Linux 7.0.0 i386
RedHat Linux 7.1.0 alpha
RedHat Linux 7.1.0 i386
RedHat Linux 7.1.0 ia64
RedHat Linux 7.2.0 i386
RedHat Linux 7.2.0 ia64
RedHat Linux 7.3.0
RedHat Linux 7.3.0 i386
RedHat Secure Web Server 3.2.0 i386
S.u.S.E. Linux 6.4.0
S.u.S.E. Linux 6.4.0 alpha
S.u.S.E. Linux 6.4.0 i386
S.u.S.E. Linux 6.4.0 ppc
S.u.S.E. Linux 7.0.0
S.u.S.E. Linux 7.0.0 alpha
S.u.S.E. Linux 7.0.0 i386
S.u.S.E. Linux 7.0.0 ppc
S.u.S.E. Linux 7.0.0 sparc
S.u.S.E. Linux 7.1.0
S.u.S.E. Linux 7.1.0 alpha
S.u.S.E. Linux 7.1.0 ppc
S.u.S.E. Linux 7.1.0 sparc
S.u.S.E. Linux 7.1.0 x86
S.u.S.E. Linux 7.2.0
S.u.S.E. Linux 7.2.0 i386
S.u.S.E. Linux 7.3.0
S.u.S.E. Linux 7.3.0 i386
S.u.S.E. Linux 7.3.0 ppc
S.u.S.E. Linux 7.3.0 sparc
S.u.S.E. Linux 8.0.0
S.u.S.E. Linux 8.0.0 i386
SGI IRIX 6.5.0
SGI IRIX 6.5.1
SGI IRIX 6.5.10
SGI IRIX 6.5.11
SGI IRIX 6.5.12
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12 m
SGI IRIX 6.5.13
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13 m
SGI IRIX 6.5.14
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14 m
SGI IRIX 6.5.15
SGI IRIX 6.5.16
SGI IRIX 6.5.17
SGI IRIX 6.5.18
SGI IRIX 6.5.2
SGI IRIX 6.5.3
SGI IRIX 6.5.4
SGI IRIX 6.5.5
SGI IRIX 6.5.6
SGI IRIX 6.5.7
SGI IRIX 6.5.8
SGI IRIX 6.5.9
Slackware Linux 8.0.0
Slackware Linux 8.1.0
Sun Cobalt Control Station 4100CS
Sun Cobalt ManageRaQ v2 3599BD
Sun Cobalt Qube3 4000WG
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR 3500R
Sun Cobalt RaQ4 3001R
Sun Solaris 8
Sun Solaris 8_x86
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 9_x86 Update 2
Sun SunOS 5.8.0
Sun SunOS 5.8.0 _x86
Sun SunOS 5.9.0
Sun SunOS 5.9.0 _x86
Trustix Secure Linux 1.1.0
Trustix Secure Linux 1.2.0
Trustix Secure Linux 1.5.0
Unisphere Networks SDX-300 2.0.3

References:

Apache Group: security_bulletin_20020617.txt
Apache Software Foundation: Apache Software Foundation Homepage
Apple: Security Updates
Astaro Security Linux: Up2Date 3.201
CORE Security: Apache chunked encoding exploit
CORE Security: OracleDB Apache ChunkedEncoding overflow exploit
CVE: CAN-2002-0392
IBM: AIX Toolbox download page - Alphabetical Listing
Internet Security Systems: Heap Overflow in IIS HTR Chunked Encoding
Macromedia: MPSB02-07 - Patch available to support Apache 2.0.39 with JRun 4.0/ColdFusion MX
NetScreen: NetScreen Response to Apache Security Hole CAN-2002-0392
OpenBSD: OpenBSD 3.0 release errata & patch list
OpenBSD: OpenBSD 3.2 release errata & patch list
Oracle: Oracle Security Alert #36
Sun: Sun Alert ID: 45961

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.

J-Security Center

Title: Apache Chunked-Encoding Memory Corruption Vulnerability

Severity: CRITICAL

Description:

Affected Products:

References: