WORM: Apache "Transfer-Encoding: chunked" Worm Infection Attempt
This signature detects attempts to infect Apache Web servers with the Apache Worm. Apache versions 1.3.26, 2.0.38 and prior are vulnerable. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. The worm sends POST requests containing malicious chunked encoded data to exploit the Apache daemon.
Extended Description
When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run. **Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
Affected Products
Oracle oracle_http_server
References
BugTraq: 5033
CVE: CVE-2002-0392
URL: http://www.mycert.org.my/advisory/MA-044.072002.html http://httpd.apache.org/info/security_bulletin_20020617.txt
Short Name
WORM:CHUNKED-WORM
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
"Transfer-Encoding: Apache Attempt CA-2002-17 CVE-2002-0392 Infection Worm bid:5033 chunked"
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3339
False Positive
Unknown
Vendors
Apache_software_foundation
Red_hat
Ibm
Hp
Macromedia
Oracle
CVSS Score
7.5