COMMAND
httpd
SYSTEMS AFFECTED
Systems running Apache httpd 1.1.1 or earlier
PROBLEM
There is a serious vulnerability in the cookies module of the
Apache httpd, which makes it possible for remote individuals to
obtain access to systems running the Apache httpd. Only sites
which enabled mod_cookies, a nondefault option, are vulnerable.
Remote individuals can obtain access to the web server. If the
httpd services requests as user root, attackers can obtain root
access. If the httpd is run in a chroot() environment, the
attacker will be restricted to the chrooted environment.
To tell which web server software you are using, telnet to port
80 of the web server, and issue the command:
GET / HTTP/1.0
to the web server, followed by two carriage returns. You should
see something which looks like:
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 200 OK
Date: Tue, 07 Jan 1997 18:59:31 GMT
Server: Apache/1.1.1
Content-type: text/html
Set-Cookie: Apache=localhost9185266357164; path=/
.
.
.
The important lines to look at are the Server: lines, and the
Set-Cookie: lines. The Server: line tells you which web server
software you are running, and the Set-Cookie line appears only if
your web server is using cookies to track users. If the
Set-Cookie: line appears, and the Server: line reads
Apache/1.1.1, or a number smaller than 1.1.1, then you are
vulnerable.
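The manual telnet check above can be turned into a small script. The following Python is an added example written for this page, not part of the original advisory or of Apache: it parses a raw HTTP/1.0 response, pulls out the Server: and Set-Cookie: headers, and applies the advisory's rule (cookies in use and Apache 1.1.1 or earlier). The embedded response is constructed from the sample session above, so the script runs offline; fetch_response() reproduces the "GET / HTTP/1.0" probe over a socket for checking your own servers. Servers derived from Apache (Stronghold, Sioux) announce a different Server: string and are reported as "not Apache" rather than guessed at.

```python
import re
import socket

# Constructed sample response (modelled on the advisory's example session,
# not captured from a live server).
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Tue, 07 Jan 1997 18:59:31 GMT\r\n"
    "Server: Apache/1.1.1\r\n"
    "Content-type: text/html\r\n"
    "Set-Cookie: Apache=localhost9185266357164; path=/\r\n"
    "\r\n"
    "<html><body>index</body></html>\r\n"
)

LAST_VULNERABLE = (1, 1, 1)   # Apache 1.1.1 and earlier, per the advisory


def parse_headers(raw):
    """Split a raw HTTP/1.0 response into (status line, {lower-cased name: [values]})."""
    separator = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(separator, 1)[0]
    lines = head.splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines rather than crash on them
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def apache_version(server_value):
    """Return the numeric Apache version as a tuple, or None if Server: is not Apache.

    Beta suffixes are dropped: 'Apache/1.2b0' -> (1, 2), which sorts after 1.1.1.
    """
    m = re.match(r"Apache/(\d+(?:\.\d+)*)", server_value)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def assess(raw):
    """Apply the advisory's rule to a raw response.

    Returns (vulnerable, reason). Vulnerable means: a Set-Cookie: header is
    present (mod_cookies in use) AND Server: reports Apache 1.1.1 or earlier.
    """
    _, headers = parse_headers(raw)
    server = headers.get("server", [""])[0]
    version = apache_version(server)
    cookies = "set-cookie" in headers
    if version is None:
        return False, "Server is '%s', not Apache; derived servers need separate checking" % server
    if not cookies:
        return False, "no Set-Cookie header: mod_cookies not enabled"
    dotted = ".".join(str(p) for p in version)
    if version > LAST_VULNERABLE:
        return False, "Apache %s is newer than 1.1.1" % dotted
    return True, "Apache %s with cookies enabled: upgrade or disable mod_cookies" % dotted


def fetch_response(host, port=80, timeout=10):
    """Send the advisory's 'GET / HTTP/1.0' probe to one of your own servers and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")   # request line plus the blank line that ends it
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    vulnerable, reason = assess(SAMPLE_RESPONSE)
    print("vulnerable" if vulnerable else "not vulnerable", "-", reason)
```

Run it against a live host with assess(fetch_response("www.example.invalid")) in place of the constructed sample. Version strings are compared as tuples, so "Apache/1.1" counts as older than 1.1.1 and "Apache/1.2b0" as newer, matching the advisory's statement that 1.2b0 and later are not affected.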
In addition to the Apache httpd, some commercial web servers
derived from the Apache httpd are likely to be vulnerable. In
particular, Thawte Consulting's Sioux server, and Community
ConneXion's Stronghold server appear likely to be vulnerable. In
both cases, as in the Apache httpd, a nondefault compile-time
option must be enabled. This text is a mix of the SNI announcement and
some discussion on www-security.
SOLUTION
Apache versions 1.2b0 and later do not appear to be vulnerable.
This is because of the changes made to the cookie handling code
when it was moved to mod_usertrack. As part of these changes,
the buffer in the make_cookie function was moved off of the
stack. Therefore although the overflow is still present, and
prevents users with long host names from accessing the web
server, it is not likely to be exploitable.
The Apache group suggests that Apache 1.1.1 users do one of the
following:
1. Upgrade to Apache 1.1.2, which can be obtained at
http://www.apache.org/dist/, compile the new version, then
kill your currently-running httpd, and start the new version.
2. Apply the attached patch to mod_cookies.c, recompile, and kill
and restart your httpd. (NOTE: This will break your CGI
execution.)
3. Discontinue the use of mod_cookies, by editing the
Configuration file, and recompiling.
4. Upgrade to the current Apache 1.2 beta.
Note that options 2 and 3 do not fix an unrelated hole which
allows remote users to obtain directory indexes even when an
index.html is present.
Users of the Stronghold web server will be able to obtain a fix at
http://stronghold.c2.net/support/ups_and_bugs.php.
There will be a new release of Stronghold, fixing the problem.
In any case, because of side effects and portability problems, a 1.1.3
release is imminent.