Posted to dev@httpd.apache.org by Brian Behlendorf <br...@hyperreal.com> on 1996/04/19 22:55:20 UTC
READ ME! (was Re: (Fwd) CIAC Bulletin G-20: Vulnerability in NCSA and Apache htt (fwd))
READ ME!
Folks, Apache 1.0.4 does *not* fix the problem located in this bulletin.
The only difference between 1.0.4 and 1.0.3 is that "cgi-src/util.c" has
the newline check implemented - *this* bulletin states that the
(potential) vulnerability exists also in "src/util.c".
If the person who built 1.0.4 could fix this, update the CHANGES file, as
well as /export/pub/apache/dist/CHANGES on hyperreal, today, and then let
us know. I was about to send a message out to apache-announce about this
(2454 subscribers!) when I decided on a lark to check. :) If I don't
hear back from the builder I'll build it myself and replace it. I humbly
suggest this causes a bump to 1.0.5 (hey, it happens, remember Mosaic
2.2?), though I won't protest if 1.0.4 is silently replaced.
Thanks.
Brian
On Fri, 19 Apr 1996, Ben Laurie wrote:
> (Forwarded from ssl-users) ... I have applied the patch to 1.1.
>
> We probably should release 1.0.4!
>
> Its nice of IBM to fix these problems, but you'd think they might _tell_ us!
>
> Cheers,
>
> Ben.
>
> Peter Trei wrote:
> >
> > __________________________________________________________
> >
> > The U.S. Department of Energy
> > Computer Incident Advisory Capability
> > __________________________________________________________
> >
> > INFORMATION BULLETIN
> >
> > Vulnerability in NCSA and Apache httpd Servers
> >
> > April 16, 1996 18:00 GMT Number G-20
> > ______________________________________________________________________________
> > PROBLEM: A vulnerability exists in the httpd servers provided by NCSA
> > and the Apache organization
> > PLATFORM: All systems capable of running either httpd
> > DAMAGE: A user can potentially gain the same access privileges as the
> > httpd server
> > SOLUTION: For NCSA httpd, upgrade to the latest version; For Apache httpd,
> > install the patch described below
> > ______________________________________________________________________________
> > VULNERABILITY This vulnerability can lead to compromise of a web server
> > ASSESSMENT:
> > ______________________________________________________________________________
> >
> > [ Start IBM Bulletin ]
> >
> >
> > EMERGENCY RESPONSE SERVICE
> > SECURITY VULNERABILITY ALERT
> >
> > 16 April 1996 16:00 GMT Number: ERS-SVA-E01-1996:002.2
> > ===============================================================================
> > UPDATE TO ERS-SVA-E01-1996:002.1
> >
> > I. Description
> >
> > This Security Vulnerability Alert provides updated information about
> > the NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability
> > described in ERS-SVA-E01-1996:002.1, which was released on 26 February
> > 1996.
> >
> > ERS-SVA-E01-1996:002.1 described a vulnerability in the
> > escape_shell_cmd() function contained in the Common Gateway Interface
> > sample code file "cgi-src/util.c", provided with NCSA HTTPD Version
> > 1.5 and earlier, or Apache HTTPD Version 1.0.3 and earlier. This
> > vulnerability allowed a malicious user to embed the newline character
> > (Hexadecimal 0A) in a query, allowing an arbitrary shell command to be
> > executed by the HTTPD server.
> >
> > IBM-ERS has learned that the escape_shell_command() function is also
> > contained in the server source code file, "src/util.c". Note that the files
> > "src/util.c" and "cgi-src/util.c" are not identical, however they contain
> > identical copies of the escape_shell_command() function. The file
> > "src/util.c" is used to build the HTTPD server; therefore the "newline"
> > vulnerability exists in the server itself.
> >
> > II. Impact
> >
> > A malicious user who knows how to exercise this vulnerability may have
> > the ability to:
> >
> > 1. Execute arbitrary commands on the server host using the same
> > user-id as the user running the "httpd" server. If "httpd" is
> > being run as "root," the unauthorized commands are also run as
> > "root."
> >
> > 2. Access any file on the system that is accessible to the user-id
> > that is running the "httpd" server. If the "httpd" server
> > user-id has read access to the file, the attacker can also read
> > the file. If the "httpd" server user-id has write access to the
> > file, the attacker can change or destroy the contents of the
> > file. If the "httpd" server is being run as "root," the attacker
> > can read, modify, or destroy any file on the server host.
> >
> > 3. Given an X11-based terminal emulator ("xterm" or equivalent)
> > installed on the "httpd" server host, gain full interactive
> > access to the server host just as if he were logging in locally.
> >
> >
> > III. Solutions
> >
> > IBM-ERS recommends that you consider taking the following actions
> > (subject to any licensing restrictions that may apply to your copies
> > of the programs):
> >
> > 1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
> > contain this vulnerability.
> >
> > NCSA HTTPD Version 1.5 is available from:
> >
> > ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z
> >
> > 2. If you are using Apache HTTPD, locate the escape_shell_command()
> > function in the file "src/util.c" (approximately line 430). In
> > that function, the line that reads
> >
> > if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
> >
> > should be changed to read
> >
> > if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
> >
> > The server should then be recompiled, reinstalled, and restarted.
> >
> > IV. Acknowledgements
> >
> > IBM-ERS would like to thank the NASA Automated Systems Incident
> > Response Capability (NASIRC) for providing the information contained
> > in this update. NASIRC in turn acknowledges Ken Bell of NASA Goddard
> > Institute for Space Studies for bringing this vulnerability to their
> > attention, and the NCSA HTTPD Development Team for confirming the
> > problem and the fix.
> >
> > IBM-ERS would also like to thank Jennifer Myers, a post-doctoral
> > fellow at Northwestern University, who originally discovered the
> > vulnerability described in ERS-SVA-E01-1996:002.1, and made public the
> > description of the problem and its solution. This acknowledgement was
> > omitted from the original alert.
> >
> > ===============================================================================
> >
> > Copyright 1996 International Business Machines Corporation.
> >
> > [ End IBM Bulletin ]
> >
> > _______________________________________________________________________________
> >
> > CIAC wishes to acknowledge the contributions of IBM Emergency Response
> > Service (IBM-ERS), and those they attribute, for the information
> > contained in this bulletin.
> > _______________________________________________________________________________
> >
> >
> >
> > CIAC, the Computer Incident Advisory Capability, is the computer
> > security incident response team for the U.S. Department of Energy
> > (DOE) and the National Institutes of Health (NIH). CIAC is located at
> > the Lawrence Livermore National Laboratory in Livermore,
> > California. CIAC is also a founding member of FIRST, the Forum of
> > Incident Response and Security Teams, a global organization
> > established to foster cooperation and coordination among computer
> > security teams worldwide.
> >
> > CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> > can be contacted at:
> > Voice: +1 510-422-8193
> > FAX: +1 510-423-8002
> > STU-III: +1 510-423-2604
> > E-mail: ciac@llnl.gov
> >
> > For emergencies and off-hour assistance, DOE, DOE contractor sites,
> > and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> > 8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
> > or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> > Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> > duty person, and the secondary PIN number, 8550074 is for the CIAC
> > Project Leader.
> >
> > Previous CIAC notices, anti-virus software, and other information are
> > available from the CIAC Computer Security Archive.
> >
> > World Wide Web: http://ciac.llnl.gov/
> > Anonymous FTP: ciac.llnl.gov (128.115.19.53)
> > Modem access: +1 (510) 423-4753 (28.8K baud)
> > +1 (510) 423-3331 (28.8K baud)
> >
> > CIAC has several self-subscribing mailing lists for electronic
> > publications:
> > 1. CIAC-BULLETIN for Advisories, highest priority - time critical
> > information and Bulletins, important computer security information;
> > 2. CIAC-NOTES for Notes, a collection of computer security articles;
> > 3. SPI-ANNOUNCE for official news about Security Profile Inspector
> > (SPI) software updates, new features, distribution and
> > availability;
> > 4. SPI-NOTES, for discussion of problems and solutions regarding the
> > use of SPI products.
> >
> > Our mailing lists are managed by a public domain software package
> > called ListProcessor, which ignores E-mail header subject lines. To
> > subscribe (add yourself) to one of our mailing lists, send the
> > following request as the E-mail message body, substituting
> > CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
> > valid information for LastName FirstName and PhoneNumber when sending
> >
> > E-mail to ciac-listproc@llnl.gov:
> > subscribe list-name LastName, FirstName PhoneNumber
> > e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
> >
> > You will receive an acknowledgment containing address, initial PIN,
> > and information on how to change either of them, cancel your
> > subscription, or get help.
> >
> > PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> > communities receive CIAC bulletins. If you are not part of these
> > communities, please contact your agency's response team to report
> > incidents. Your agency's team will coordinate with CIAC. The Forum of
> > Incident Response and Security Teams (FIRST) is a world-wide
> > organization. A list of FIRST member organizations and their
> > constituencies can be obtained by sending email to
> > docserver@first.org with an empty subject line and a message body
> > containing the line: send first-contacts.
> >
> > This document was prepared as an account of work sponsored by an
> > agency of the United States Government. Neither the United States
> > Government nor the University of California nor any of their
> > employees, makes any warranty, express or implied, or assumes any
> > legal liability or responsibility for the accuracy, completeness, or
> > usefulness of any information, apparatus, product, or process
> > disclosed, or represents that its use would not infringe privately
> > owned rights. Reference herein to any specific commercial products,
> > process, or service by trade name, trademark, manufacturer, or
> > otherwise, does not necessarily constitute or imply its endorsement,
> > recommendation or favoring by the United States Government or the
> > University of California. The views and opinions of authors expressed
> > herein do not necessarily state or reflect those of the United States
> > Government or the University of California, and shall not be used for
> > advertising or product endorsement purposes.
> >
> > LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
> >
> > (G-10a) Winword Macro Viruses
> > (G-11) HP Syslog Vulnerability
> > (G-12) SGI ATT Packaging Utility Security Vulnerability
> > (G-13) Kerberos Version 4 Key Server Vulnerability
> > (G-14) Domain Name Service Vulnerabilities
> > (G-15) Sunsoft Demo CD Vulnerability
> > (G-16) SGI rpc.statd Program Security Vulnerabilities
> > (G-17) Vulnerabilities in Sample HTTPD CGIs
> > (G-18) Digital OSF/1 dxconsole Security Vulnerability
> > (G-19) IBM AIX rmail Vulnerability
> >
> > RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
> >
> > Notes 07 - 3/29/95 A comprehensive review of SATAN
> >
> > Notes 08 - 4/4/95 A Courtney update
> >
> > Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
> >
> > Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
> > in S/Key, EBOLA Virus Hoax, and Caibua Virus
> >
> > Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
> > America On-Line Virus Scare, SPI 3.2.2 Released,
> > The Die_Hard Virus
> >
> > Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
> > Windows, beta release of Merlin, Microsoft Word
> > Macro Viruses, Allegations of Inappropriate Data
> > Collection in Win95
> >
> > Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
> > Conference Announcement, Security and Web Search
> > Engines, Microsoft Word Macro Virus Update
>
> --
> Ben Laurie Phone: +44 (181) 994 6435
> Freelance Consultant and Fax: +44 (181) 994 6472
> Technical Director Email: ben@algroup.co.uk
> A.L. Digital Ltd, URL: http://www.algroup.co.uk
> London, England.
>
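As an added illustration of the one-line fix quoted in the bulletin (this is example code, not code from the thread, Apache or NCSA), the escaping routine re-implemented in C with the pre-patch and post-patch metacharacter lists side by side: the newline matters because sh treats it as a command separator exactly like ';', so leaving it out of the list lets it reach the shell unescaped. The function names, the separate output buffer and the check helper are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the Apache or NCSA source: a re-implementation of the
 * backslash-escaping escape_shell_command() the bulletin describes, with the
 * metacharacter lists quoted from the alert. Function shapes are assumed. */
static const char META_BEFORE[] = "&;`'\"|*?~<>^()[]{}$\\";   /* 1.0.3 list */
static const char META_AFTER[]  = "&;`'\"|*?~<>^()[]{}$\\\n"; /* patched list */
static char scratch[64];                                       /* demo buffer */
/* Like the bulletin's ind(): index of c in s, or -1 if absent. */
static int ind(const char *s, char c)
{
    const char *p = (c != '\0') ? strchr(s, c) : NULL;
    return p ? (int)(p - s) : -1;
}
/* Copy cmd into out (capacity outlen), prefixing every character listed in
 * meta with a backslash. Unlike the original's in-place shifting, this writes
 * to a separate buffer. Returns the output length, or -1 if out is too small. */
int escape_shell_command(const char *cmd, const char *meta, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *cmd; cmd++) {
        if (ind(meta, *cmd) != -1) {          /* metacharacter: escape it */
            if (n + 1 >= outlen) return -1;
            out[n++] = '\\';
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = *cmd;
    }
    out[n] = '\0';
    return (int)n;
}
/* 1 if s still carries a bare ';' or newline that sh would treat as a command
 * separator; a character preceded by a backslash is skipped as escaped. */
int has_unescaped_separator(const char *s)
{
    for (; *s; s++) {
        if (*s == '\\' && s[1]) { s++; continue; }
        if (*s == ';' || *s == '\n') return 1;
    }
    return 0;
}
/* Escape cmd with meta; 1 if a separator survives, 0 if not, -1 on overflow. */
int separator_survives(const char *cmd, const char *meta)
{
    return escape_shell_command(cmd, meta, scratch, sizeof scratch) < 0
               ? -1 : has_unescaped_separator(scratch);
}
```

With META_BEFORE the constructed input "a;b\nc" comes back as "a\;b\nc" (the ';' escaped, the newline bare); with META_AFTER both separators are escaped.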