Apache Web Server Chunked Encoding Remote Overflow Vulnerability

Release date: 2002-06-18
Last updated: 2002-06-20

Affected systems:
Apache Group Apache 2.0.34-BETA win32
Apache Group Apache 2.0.32-BETA win32
Apache Group Apache 2.0.28-BETA win32
Apache Group Apache 1.3.9win32
Apache Group Apache 1.3.9
Apache Group Apache 1.3.7-dev
Apache Group Apache 1.3.6win32
Apache Group Apache 1.3.4
Apache Group Apache 1.3.3
Apache Group Apache 1.3.24win32
Apache Group Apache 1.3.24
Apache Group Apache 1.3.23win32
Apache Group Apache 1.3.23
Apache Group Apache 1.3.22win32
Apache Group Apache 1.3.22
Apache Group Apache 1.3.20win32
Apache Group Apache 1.3.20
Apache Group Apache 1.3.19win32
Apache Group Apache 1.3.19
Apache Group Apache 1.3.18win32
Apache Group Apache 1.3.18
Apache Group Apache 1.3.17win32
Apache Group Apache 1.3.17
Apache Group Apache 1.3.16win32
Apache Group Apache 1.3.15win32
Apache Group Apache 1.3.14win32
Apache Group Apache 1.3.14Mac
Apache Group Apache 1.3.14
Apache Group Apache 1.3.13win32
Apache Group Apache 1.3.12win32
Apache Group Apache 1.3.12
Apache Group Apache 1.3.11win32
Apache Group Apache 1.3.11
Apache Group Apache 1.3.1
Apache Group Apache 1.3
Unaffected systems:
Apache Group Apache 2.0.39
Apache Group Apache 1.3.26
Description:
BUGTRAQ  ID: 5033
CVE(CAN) ID: CVE-2002-0392

Apache Web Server is a very popular and powerful open-source web server developed and maintained by the Apache Software Foundation. It runs on many operating system platforms, including Unix/Linux/BSD systems and Windows.

Apache contains a design flaw in its handling of HTTP requests whose body is transferred with chunked encoding. A remote attacker may be able to exploit it to execute arbitrary code with the privileges of the web server process on some Apache servers, or to mount a denial-of-service attack.

Chunked transfer encoding is a method defined in HTTP/1.1 that lets a client send a request body whose total size is not known in advance: the body is sent as a series of chunks, each prefixed by its length in hexadecimal and terminated by a zero-length chunk. The chunk sizes are chosen by the sender, not negotiated with the server. When a server receives a chunked body it allocates a buffer to hold the data as it arrives.

Apache supports chunked encoding by default. It stores the chunk length in a signed variable and copies chunk data into a fixed-size stack buffer. As a safety check, before copying it compares the chunk length with the buffer size: if the chunk length exceeds the buffer size, at most a buffer's worth of data is copied; otherwise the copy uses the chunk length. The comparison is done in signed arithmetic, however, without first converting the chunk length to an unsigned type. A chunk length that parses as a negative value therefore compares as smaller than the buffer and passes the check, and when it reaches the copy routine it is reinterpreted as an enormous unsigned count (at least 0x80000000 bytes). The copy then overruns the stack buffer.
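The signed-comparison bypass described above, shown as an added C example constructed for this page (it is not Apache's source code): parse_chunk_size_naive, vulnerable_copy_len, safe_copy_len, read_chunk_safe and the 8 KiB CHUNK_BUF_SIZE are assumed names and sizes. The vulnerable clamp only reports the byte count it would hand to the copy, so the program runs without corrupting memory; the two request bodies inside demo_checks_pass are constructed inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the signed chunk-length bug. Not Apache's
 * source: function names and the 8 KiB buffer size are assumptions.
 */

#define CHUNK_BUF_SIZE 8192   /* assumed size of the fixed stack buffer */

/* Parse the hexadecimal chunk-size token into a signed long with no
 * overflow check, the way a careless implementation would. Accumulating
 * in an unsigned long and casting means a token of sixteen 'f's wraps to
 * -1 whether long is 32 or 64 bits wide. *end receives the first non-hex
 * character (chunk extensions are not handled in this example). */
long parse_chunk_size_naive(const char *tok, const char **end)
{
    unsigned long v = 0;
    for (; *tok; tok++) {
        int d;
        if (*tok >= '0' && *tok <= '9')      d = *tok - '0';
        else if (*tok >= 'a' && *tok <= 'f') d = *tok - 'a' + 10;
        else if (*tok >= 'A' && *tok <= 'F') d = *tok - 'A' + 10;
        else break;
        v = (v << 4) | (unsigned long)d;   /* silently wraps */
    }
    if (end) *end = tok;
    return (long)v;
}

/* Vulnerable clamp: the comparison is signed, so a negative chunk length
 * compares as smaller than bufsiz, passes the check and becomes a huge
 * size_t on the way to the copy. Returns the count that would reach the
 * copy; it never copies anything itself. */
size_t vulnerable_copy_len(long chunk_len, size_t bufsiz)
{
    long len_to_read = (chunk_len > (long)bufsiz) ? (long)bufsiz : chunk_len;
    return (size_t)len_to_read;            /* SIZE_MAX when chunk_len == -1 */
}

/* Fixed clamp: refuse a negative length before comparing, then clamp in
 * unsigned arithmetic. Returns 0 and leaves *out untouched on a bad size. */
int safe_copy_len(long chunk_len, size_t bufsiz, size_t *out)
{
    if (chunk_len < 0)
        return 0;
    *out = ((unsigned long)chunk_len > bufsiz) ? bufsiz : (size_t)chunk_len;
    return 1;
}

/* Copy one chunk ("<hex-size>\r\n<data>") from a request body into dst
 * using the fixed clamp. Returns the number of bytes copied, or -1 when
 * the size line is malformed or the size is negative. */
long read_chunk_safe(const char *body, size_t body_len, char *dst, size_t dstsiz)
{
    const char *p;
    long size = parse_chunk_size_naive(body, &p);
    size_t n, hdr;

    if (p == body || p[0] != '\r' || p[1] != '\n')
        return -1;                         /* no digits or no CRLF */
    hdr = (size_t)(p + 2 - body);
    if (hdr > body_len || !safe_copy_len(size, dstsiz, &n))
        return -1;                         /* negative size: refuse */
    if (n > body_len - hdr)
        n = body_len - hdr;                /* never read past the input */
    memcpy(dst, body + hdr, n);
    return (long)n;
}

/* Self-check: the fixed path copies a normal chunk and refuses the wrapped
 * one, while the vulnerable clamp would pass a count larger than the
 * buffer. Both bodies are constructed inputs. Returns 1 on success. */
int demo_checks_pass(void)
{
    static char dst[CHUNK_BUF_SIZE];
    const char *good = "5\r\nhello\r\n";
    const char *evil = "ffffffffffffffff\r\nAAAA";
    long n = read_chunk_safe(good, strlen(good), dst, sizeof dst);
    if (n != 5 || memcmp(dst, "hello", 5) != 0)
        return 0;
    if (read_chunk_safe(evil, strlen(evil), dst, sizeof dst) != -1)
        return 0;
    if (vulnerable_copy_len(parse_chunk_size_naive(evil, NULL), sizeof dst) <= sizeof dst)
        return 0;
    return 1;
}

int main(void)
{
    printf("wrapped size parses as %ld; vulnerable clamp would copy %zu bytes into %d\n",
           parse_chunk_size_naive("ffffffffffffffff", NULL),
           vulnerable_copy_len(-1, CHUNK_BUF_SIZE), CHUNK_BUF_SIZE);
    printf("checks %s\n", demo_checks_pass() ? "pass" : "FAIL");
    return demo_checks_pass() ? 0 : 1;
}
```

Compile with cc -Wall -o chunk chunk.c and run it: a chunk-size line of sixteen f's parses to -1, passes the signed check unchanged and would reach the copy as SIZE_MAX, while the fixed path rejects it before anything is copied. The fixed path is this example's own hardening and is not a description of the upstream patch.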

For Apache 1.3 through 1.3.24 inclusive, it has been confirmed that a remote attacker can exploit this vulnerability to execute arbitrary code on Win32 systems. On Unix, code execution has been confirmed at least on OpenBSD. The following systems have also been reported to be exploitable:
*      Sun Solaris 6-8 (sparc/x86)
*      FreeBSD 4.3-4.5 (x86)
*      OpenBSD 2.6-3.1 (x86)
*      Linux (GNU) 2.4 (x86)

Apache 2.0 through 2.0.36 inclusive contains the same faulty code, but it detects the error condition and causes the child process to exit.

Depending on a number of factors, including the threading model in use on the affected system, this vulnerability can be used to deny service to Apache web servers on any operating system.


<* Source: Mark Litchfield (mark@ngssoftware.com)

  Links: http://archives.neohapsis.com/archives/bugtraq/2002-06/0176.html
        http://httpd.apache.org/info/security_bulletin_20020617.txt
        http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
        http://www.cert.org/advisories/CA-2002-17.html
        https://www.redhat.com/support/errata/RHSA-2002-103.html
        http://www.debian.org/security/2002/dsa-131
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc
        http://www.suse.com/de/support/security/2002_022_apache.html
*>

Recommendation:
Temporary workaround:

There is no good temporary workaround for this vulnerability. Because a working exploit has already been published, we recommend upgrading to the latest Apache release immediately.
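A banner-based triage check, added here as example C code that is not part of the advisory: classify_apache_banner and its status codes are assumed names, and the function maps a Server header against the affected and unaffected versions listed at the top of this advisory.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added triage helper, not part of the advisory. Classifies an Apache
 * "Server:" banner against the version ranges the advisory lists. The
 * function name and status codes are assumptions made for this example.
 */
enum apache_chunk_status {
    APACHE_NOT_APACHE   = -1,  /* no "Apache/x.y[.z]" in the banner */
    APACHE_FIXED        =  0,  /* 1.3.26 or later, 2.0.39 or later, or a newer branch */
    APACHE_1_3_AFFECTED =  1,  /* 1.3 .. 1.3.24: overflow, code execution confirmed on some platforms */
    APACHE_2_0_AFFECTED =  2,  /* 2.0 .. 2.0.36: child process exits (denial of service) */
    APACHE_OUT_OF_SCOPE =  3   /* older than 1.3: not covered by this advisory */
};

int classify_apache_banner(const char *banner)
{
    int major, minor, patch = 0;
    const char *s = strstr(banner, "Apache/");

    if (s == NULL)
        return APACHE_NOT_APACHE;   /* e.g. "Server: Apache" with the version hidden */
    s += strlen("Apache/");
    /* "Apache/1.3" with no patch level is a real release and maps to patch 0;
     * suffixes such as "-BETA", "win32" or " (Unix)" are ignored by %d. */
    if (sscanf(s, "%d.%d.%d", &major, &minor, &patch) < 2)
        return APACHE_NOT_APACHE;

    if (major == 1 && minor == 3)
        /* the advisory names 1.3.26 as the first unaffected release */
        return patch < 26 ? APACHE_1_3_AFFECTED : APACHE_FIXED;
    if (major == 2 && minor == 0)
        /* the advisory names 2.0.39 as the first unaffected release */
        return patch < 39 ? APACHE_2_0_AFFECTED : APACHE_FIXED;
    if (major < 1 || (major == 1 && minor < 3))
        return APACHE_OUT_OF_SCOPE;
    return APACHE_FIXED;            /* branches newer than those the advisory covers */
}

int main(void)
{
    /* constructed banners, one per outcome */
    const char *samples[] = { "Apache/1.3.24 (Win32)", "Apache/2.0.34-BETA",
                              "Apache/1.3.26 (Unix)", "Server: Apache", "Apache/1.2.6" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], classify_apache_banner(samples[i]));
    return 0;
}
```

A banner is a weak signal in both directions: ServerTokens can hide the version entirely, and the vendor packages listed below (Red Hat apache-1.3.22-5.6, SuSE apache-1.3.23-120, Debian apache 1.3.9-14.1) carry the fix while still reporting the upstream version string, so on those systems check the installed package release with rpm -q apache or dpkg -l apache rather than the banner.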

Vendor patches:

Apache Group
------------
The Apache Group has published a security bulletin (SB-20020617) and corresponding upgrades:
SB-20020617: Apache httpd: vulnerability with chunked encoding
Link: http://httpd.apache.org/info/security_bulletin_20020617.txt

The latest releases can be downloaded from:

Apache 1.3.26:
Apache 2.0.39:
http://www.apache.org/dist/httpd/

Debian
------
Debian has published a security advisory (DSA-131-1) and corresponding patches:
DSA-131-1: Apache chunk handling vulnerability
Link: http://www.debian.org/security/2002/dsa-131

Patch downloads:
Source archives:
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9-14.1.dsc
http://security.debian.org/dists/stable/updates/main/source/apache_1.3.9.orig.tar.gz

Architecture independent archives:
http://security.debian.org/dists/stable/updates/main/binary-all/apache-doc_1.3.9-14.1_all.deb

Alpha architecture:
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-common_1.3.9-14.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache-dev_1.3.9-14.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/apache_1.3.9-14.1_alpha.deb

ARM architecture:
http://security.debian.org/dists/stable/updates/main/binary-arm/apache-common_1.3.9-14.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/apache-dev_1.3.9-14.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/apache_1.3.9-14.1_arm.deb

Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-common_1.3.9-14.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-dev_1.3.9-14.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/apache_1.3.9-14.1_i386.deb

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-common_1.3.9-14.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache-dev_1.3.9-14.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/apache_1.3.9-14.1_m68k.deb

PowerPC architecture:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-common_1.3.9-14.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/apache-dev_1.3.9-14.1_powerpc.deb
http://security.debian.org/dists/stable/up


Patch installation:

1. Install the patch package manually:

  First, download the patch with:
  # wget url  (url is the patch download link)

  Then install it with:
  # dpkg -i file.deb (file is the name of the downloaded package)

2. Install the patch package automatically with apt-get:

   First, update the package database:
   # apt-get update

   Then install the updated packages:
   # apt-get upgrade

FreeBSD
-------
FreeBSD has published a security notice (FreeBSD-SN-02:04) and corresponding patches:
FreeBSD-SN-02:04: security issues in ports
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:04.asc

To upgrade to a fixed port, use either of the following methods:

1) Update your Ports Collection, then rebuild and reinstall the port. The following tools can make the upgrade easier:

  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old port package, then fetch and install a new package from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

OpenBSD
-------
The vendor has released a patch for this issue; download it from the vendor's site:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/005_httpd.patch

For more information see:
http://www.openbsd.org/errata.html#httpd

RedHat
------
Red Hat has published a security advisory (RHSA-2002:103-13) and corresponding patches:
RHSA-2002:103-13: Updated Apache packages fix chunked encoding issue
Link: https://www.redhat.com/support/errata/RHSA-2002-103.html

Patch downloads:
Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/apache-1.3.22-5.6.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/apache-1.3.22-5.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/apache-devel-1.3.22-5.6.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/apache-manual-1.3.22-5.6.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/apache-1.3.22-5.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/apache-devel-1.3.22-5.6.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/apache-manual-1.3.22-5.6.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/apache-1.3.22-5.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/apache-devel-1.3.22-5.6.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/apache-manual-1.3.22-5.6.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/apache-1.3.22-5.7.1.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/apache-1.3.22-5.7.1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/apache-devel-1.3.22-5.7.1.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/apache-manual-1.3.22-5.7.1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/apache-1.3.22-5.7.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/apache-devel-1.3.22-5.7.1.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/apache-manual-1.3.22-5.7.1.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/apache-1.3.22-5.7.1.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/apache-1.3.22-5.7.1.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/apache-devel-1.3.22-5.7.1.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/apache-manual-1.3.22-5.7.1.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/apache-1.3.22-5.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/apache-devel-1.3.22-5.7.1.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/apache-manual-1.3.22-5.7.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/apache-1.3.22-5.7.1.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/apache-devel-1.3.22-5.7.1.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/apache-manual-1.3.22-5.7.1.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/apache-1.3.22-6.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/apache-1.3.22-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-devel-1.3.22-6.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/apache-manual-1.3.22-6.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/apache-1.3.22-6.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/apache-devel-1.3.22-6.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/apache-manual-1.3.22-6.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/apache-1.3.23-14.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/apache-1.3.23-14.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-devel-1.3.23-14.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/apache-manual-1.3.23-14.i386.rpm
Install the patches with the following command:

rpm -Fvh [filename]

S.u.S.E.
--------
S.u.S.E. has published a security advisory (SuSE-SA:2002:022) and corresponding patches:
SuSE-SA:2002:022: apache
Link: http://www.suse.com/de/support/security/2002_022_apache.html

Patch downloads:
i386 Intel Platform:

SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/apache-1.3.23-120.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/apache-1.3.23-120.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/apache-devel-1.3.23-120.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/apache-devel-1.3.23-120.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/apache-doc-1.3.23-120.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/apache-doc-1.3.23-120.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec2/mod_ssl-2.8.7-88.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec2/mod_ssl-2.8.7-88.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/apache-1.3.23-120.src.rpm

SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/apache-1.3.20-66.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/apache-devel-1.3.20-66.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/apache-doc-1.3.20-66.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/mod_ssl-2.8.4-66.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/apache-1.3.20-66.src.rpm

SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/apache-1.3.19-116.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/apache-devel-1.3.19-116.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/apache-doc-1.3.19-116.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/mod_ssl-2.8.3-56.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/apache-1.3.19-116.src.rpm

SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/apache-1.3.19-115.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec2/mod_ssl-2.8.1-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/apache-1.3.19-115.src.rpm

SuSE-7.0
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/apache-1.3.19-115.i386.rpm
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/mod_ssl-2.8.2-33.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/apache-1.3.19-115.src.rpm

SuSE-6.4
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/apache-1.3.19-115.i386.rpm
ftp://ftp.suse.de/pub/suse/i386/update/6.4/sec1/mod_ssl-2.8.1-0.i386.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/apache-1.3.19-115.src.rpm


PPC Platform:

SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/apache-1.3.20-52.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/apache-devel-1.3.20-52.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/apache-doc-1.3.20-52.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/mod_ssl-2.8.4-52.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/apache-1.3.20-52.src.rpm

SuSE-7.1
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/apache-1.3.19-56.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec2/mod_ssl-2.8.1-0.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/apache-1.3.19-56.src.rpm

SuSE-7.0
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/apache-1.3.19-56.ppc.rpm
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/mod_ssl-2.8.2-15.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/apache-1.3.19-56.src.rpm

SuSE-6.4
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/apache-1.3.19-56.ppc.rpm
ftp://ftp.suse.de/pub/suse/ppc/update/6.4/sec1/mod_ssl-2.8.1-0.ppc.rpm
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/apache-1.3.19-56.src.rpm

Patch installation:

Install the files with the command "rpm -Fhv file.rpm".

This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.