Secure Networks Inc.
Security Advisory
January 12, 1997

Vulnerabilities in the Apache httpd

There is a serious vulnerability in the cookies module of the Apache httpd,
version 1.1.1 and earlier, which makes it possible for remote individuals to
obtain access to systems running the Apache httpd. Only sites which enabled
mod_cookies, a nondefault option, are vulnerable.

Technical Details
~~~~~~~~~~~~~~~~~

The function make_cookie, in mod_cookies.c, uses a 100 byte buffer, new_cookie,
to store information used to track web site users. The hostname, which even
with the most cautious of resolver libraries can be up to 255 characters long,
is stuffed into this buffer with sprintf(), along with the string "Apache="
and a number, and nothing checks that the result fits. The offending code
reads:

    void make_cookie(request_rec *r)
    {
        struct timeval tv;
        char new_cookie[100]; /* blurgh */
        char *dot;
        const char *rname = pstrdup(r->pool,
                                    get_remote_host(r->connection, r->per_dir_config,
                                                    REMOTE_NAME));
        struct timezone tz = { 0 , 0 };

        if ((dot = strchr(rname,'.'))) *dot='\0';   /* First bit of hostname */
        gettimeofday(&tv, &tz);
        /* rname is not length-checked before this unbounded sprintf */
        sprintf(new_cookie,"%s%s%d%ld%d; path=/",
            COOKIE_NAME, rname,
            (int)getpid(), (long)tv.tv_sec, (int)tv.tv_usec/1000 );

        table_set(r->headers_out,"Set-Cookie",new_cookie);
        return;
    }

Note that although the get_remote_host() function converts all uppercase
letters to lowercase letters, which restricts the byte values an attacker can
place in the buffer, there is at least one way in which a determined attacker
can still exploit the overflow.

Impact
~~~~~~

Remote individuals can obtain access to the web server. If the httpd services
requests as user root, attackers can obtain root access. If the httpd is run in
a chroot() environment, the attacker will be restricted to the chrooted
environment. We strongly advise administrators to run their web servers as an
unprivileged user in a chrooted environment whenever possible.
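To make the arithmetic in the Technical Details concrete, here is an added example (it is not code from the advisory or from Apache) that computes how many bytes the make_cookie format string produces for a given remote hostname, reports whether that would run past the original 100-byte new_cookie, and shows a bounded variant of the same write that refuses to emit a cookie it cannot fit. COOKIE_NAME is taken as "Apache=" as seen in the Set-Cookie header this advisory shows; the pid and timestamp values are constructed inputs, and the 255-byte label cap, the 1024-byte buffer and all helper names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_NAME "Apache="    /* matches the Set-Cookie header in the advisory */
#define OLD_BUF      100         /* size of new_cookie in mod_cookies.c, Apache 1.1.1 */
#define MAX_HOST     255         /* longest hostname a resolver can hand back */
#define COOKIE_FMT   "%s%s%d%ld%d; path=/"   /* same format string as make_cookie */

/* Copy the part of hostname before the first '.', as make_cookie does, but
 * never more than cap-1 bytes (assumed cap; the original applies none). */
static void first_label(const char *hostname, char *label, size_t cap)
{
    size_t i = 0;
    while (i + 1 < cap && hostname[i] != '\0' && hostname[i] != '.') {
        label[i] = hostname[i];
        i++;
    }
    label[i] = '\0';
}

/* Number of bytes (excluding the NUL) the original sprintf would emit. */
size_t cookie_len(const char *hostname, int pid, long sec, int msec)
{
    char label[MAX_HOST + 1];
    first_label(hostname, label, sizeof label);
    int n = snprintf(NULL, 0, COOKIE_FMT, COOKIE_NAME, label, pid, sec, msec);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if that write (plus its terminating NUL) would run past the 100-byte buffer. */
int would_overflow(const char *hostname, int pid, long sec, int msec)
{
    return cookie_len(hostname, pid, sec, msec) + 1 > (size_t)OLD_BUF;
}

/* Bounded variant: caps the label, bounds the write, and returns -1 instead of
 * silently truncating when the cookie does not fit in outlen bytes. */
int make_cookie_safe(char *out, size_t outlen, const char *hostname,
                     int pid, long sec, int msec)
{
    char label[MAX_HOST + 1];
    first_label(hostname, label, sizeof label);
    int n = snprintf(out, outlen, COOKIE_FMT, COOKIE_NAME, label, pid, sec, msec);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Wrapper with a static 1024-byte buffer (the size the advisory's patch picks)
 * that honours a smaller caller-chosen limit, so the old 100-byte case can be
 * exercised against the bounded writer too. */
int cookie_with_limit(size_t limit, const char *hostname, int pid, long sec, int msec)
{
    static char buf[1024];
    if (limit > sizeof buf) limit = sizeof buf;
    return make_cookie_safe(buf, limit, hostname, pid, sec, msec);
}

/* A hostname consisting of n 'a' characters and no dots (constructed input). */
const char *repeat_label(size_t n)
{
    static char host[MAX_HOST + 1];
    if (n > MAX_HOST) n = MAX_HOST;
    memset(host, 'a', n);
    host[n] = '\0';
    return host;
}

int main(void)
{
    /* constructed values: 4-digit pid, 9-digit 1997-era epoch seconds, 3-digit msec */
    int pid = 9185; long sec = 852000000L; int msec = 164;
    size_t lens[] = { 9, 68, 69, 255 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *h = repeat_label(lens[i]);
        printf("label %3zu bytes: cookie %3zu bytes, overflows 100-byte buffer=%d, "
               "bounded(1024)=%d, bounded(100)=%d\n",
               lens[i], cookie_len(h, pid, sec, msec), would_overflow(h, pid, sec, msec),
               cookie_with_limit(1024, h, pid, sec, msec),
               cookie_with_limit(OLD_BUF, h, pid, sec, msec));
    }
    return 0;
}
```

With these pid and timestamp widths the fixed parts of the cookie already consume 31 bytes, so a dotless name of 69 characters is enough to push the write past new_cookie; the full 255-byte hostname the advisory mentions produces 286 bytes, nearly three times the buffer. Whether a real resolver hands back a first "label" that long depends on how it renders the reverse-DNS answer, which is exactly the kind of assumption a bounds check should not rest on: the bounded variant sizes for the worst case and fails closed.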
Vulnerable Systems
~~~~~~~~~~~~~~~~~~

Any system running the Apache httpd 1.1.1 or earlier, with the compile-time
option mod_cookies enabled, is vulnerable.

To tell which web server software you are using, telnet to port 80 of the web
server, and issue the command:

    GET / HTTP/1.0

to the web server, followed by two carriage returns. You should see something
which looks like:

    $ telnet localhost 80
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 200 OK
    Date: Tue, 07 Jan 1997 18:59:31 GMT
    Server: Apache/1.1.1
    Content-type: text/html
    Set-Cookie: Apache=localhost9185266357164; path=/
    .
    .
    .

The important lines to look at are the Server: line and the Set-Cookie: line.
The Server: line tells you which web server software you are running, and the
Set-Cookie: line appears only if your web server is using cookies to track
users. If the Set-Cookie: line appears, and the Server: line reads
Apache/1.1.1, or a number smaller than 1.1.1, then you are vulnerable.

Apache versions 1.2b0 and later do not appear to be vulnerable. This is because
of the changes made to the cookie handling code when it was moved to
mod_usertrack. As part of these changes, the buffer in the make_cookie function
was moved off of the stack. Therefore, although the overflow is still present,
and prevents users with long host names from accessing the web server, it is
not likely to be exploitable.

In addition to the Apache httpd, some commercial web servers derived from the
Apache httpd are likely to be vulnerable. In particular, Thawte Consulting's
Sioux server and Community ConneXion's Stronghold server appear likely to be
vulnerable. In both cases, as in the Apache httpd, a nondefault compile-time
option must be enabled. Exploitability of web server software other than the
Apache httpd has not been verified. Users of Apache-derived web servers should
disable mod_cookies if enabled, and contact their vendors for further
information.
Fix Information
~~~~~~~~~~~~~~~

We suggest increasing the buffer length to handle 255 character hostnames, and
verifying that the hostname length is within acceptable limits before it is
copied.

The Apache group suggests that Apache 1.1.1 users do one of the following:

1. Upgrade to Apache 1.1.2, which can be obtained at
   http://www.apache.org/dist/, compile the new version, then kill your
   currently-running httpd, and start the new version.

2. Apply the attached patch to mod_cookies.c, recompile, and kill and restart
   your httpd.

3. Discontinue the use of mod_cookies, by editing the Configuration file, and
   recompiling.

4. Upgrade to the current Apache 1.2 beta.

Note that options 2 and 3 do not fix an unrelated hole which allows remote
users to obtain directory indexes even when an index.html is present.

*** mod_cookies.c	Tue Jan  7 14:38:15 1997
--- /usr/tmp/mod_cookies.c	Tue Jan  7 14:38:11 1997
***************
*** 119,125 ****
  void make_cookie(request_rec *r)
  {
      struct timeval tv;
!     char new_cookie[100]; /* blurgh */
      char *dot;
      const char *rname = pstrdup(r->pool,
                                  get_remote_host(r->connection, r->per_dir_config,
--- 119,125 ----
  void make_cookie(request_rec *r)
  {
      struct timeval tv;
!     char new_cookie[1024]; /* blurgh */
      char *dot;
      const char *rname = pstrdup(r->pool,
                                  get_remote_host(r->connection, r->per_dir_config,
***************
*** 128,133 ****
--- 128,136 ----
      struct timezone tz = { 0 , 0 };
  
      if ((dot = strchr(rname,'.'))) *dot='\0';   /* First bit of hostname */
+     if (strlen (rname) > 255)
+         rname[256] = 0;
+ 
      gettimeofday(&tv, &tz);
      sprintf(new_cookie,"%s%s%d%ld%d; path=/",
          COOKIE_NAME, rname,

Users of the Stronghold web server will be able to obtain a fix at
http://stronghold.c2.net/support/ups_and_bugs.php. There will be a new release
of Stronghold on Monday, fixing the problem.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

If you have any questions about this advisory, feel free to mail me at
davids@secnet.com.
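Review bot: in the mod_cookies.c patch above, the truncation added by the second hunk (128,136) writes through rname, which the context lines of the first hunk declare as const char *, so `rname[256] = 0;` assigns to a read-only location and a conforming compiler will reject it; and the condition tests `> 255` while the write lands at index 256, so a name that fails the check is cut to 256 characters rather than the 255 the check implies. Suggest declaring rname as a plain char * (pstrdup returns a fresh, writable copy, and the existing `*dot='\0'` already writes into it) and terminating at the same bound the check uses, e.g. `if (strlen(rname) > 255) rname[255] = '\0';`. The 1024-byte new_cookie from the first hunk leaves room for either value, but the check and the write should agree, and the hunk adds no comment explaining why 1024 is sufficient for a 255-byte label plus pid, timestamp and "; path=/".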
Past Secure Networks advisories can be found at
ftp://ftp.secnet.com/pub/advisories, and Secure Networks papers can be found
at ftp://ftp.secnet.com/pub/papers.

The following PGP key is for davids@secnet.com, should you wish to encrypt any
message traffic to me:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzJ4qJAAAAEEAOgB7mooQ6NgzcUSIehKUufGsyojutC7phVXZ+p8FnHLLZNB
BLQEtj5kmfww2A2pR29q4rgPeqEUOjWPlLNdSLby3NI8yKz1AQSQLHAwIDXt/lku
8QXClaV6pNIaQSN8cnyyvjH6TYF778yZhYz0mwLqW6dU5whHtP93ojDw1UhtAAUR
tCtEYXZpZCBTYWNlcmRvdGUgPGRhdmlkc0BzaWxlbmNlLnNlY25ldC5jb20+
=LtL9
-----END PGP PUBLIC KEY BLOCK-----

Many thanks to Ramsey Dow (ramseyd@secnet.com) for helping find vulnerable
Apache derivatives.

For further information about the Apache httpd, see
http://www.apache.org

For further information about the Sioux web server, see
http://www.thawte.com/products/sioux

For further information about the Stronghold web server, see
http://stronghold.c2.net/support/ups_and_bugs.php and
http://stronghold.c2.net

Many thanks to the Apache group and vendors of Apache-derived web servers for
an extremely prompt response.

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc, and
may be distributed freely provided that no fee is charged for distribution, and
that proper credit is given.

Apache httpd source code distributed in this advisory falls under the following
license:

Copyright (c) 1995, 1996 The Apache Group. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must
   display the following acknowledgment: "This product includes software
   developed by the Apache Group for use in the Apache HTTP server project
   (http://www.apache.org/)."

4. The names "Apache Server" and "Apache Group" must not be used to endorse or
   promote products derived from this software without prior written
   permission.

5. Redistributions of any form whatsoever must retain the following
   acknowledgment: "This product includes software developed by the Apache
   Group for use in the Apache HTTP server project (http://www.apache.org/)."

THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE APACHE GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.