The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Новость: Русское зеркало chkrootlit.com
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

[SECURITY] Remote exploit for 32-bit Apache HTTP Server known


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 21 Jun 2002 00:54:53 -0400 (EDT)
From: jwoolley@apache.org
To: announce@apache.org, announce@httpd.apache.org
Subject: [SECURITY] Remote exploit for 32-bit Apache HTTP Server known
Cc: bugtraq@securityfocus.com


 [[ Note: this issue affects both 32-bit and 64-bit platforms; the
    subject of this message emphasizes 32-bit platforms since that
    is the most important information not announced in our previous
    advisory. ]]


SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt

Date: June 20, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
up to 2.0.36; Apache 1.2 all versions.

CAN-2002-0392 (mitre.org) [CERT VU#944335]

----------------------------------------------------------
         ------------UPDATED ADVISORY------------
----------------------------------------------------------
Introduction:

While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows.  Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential remote exploit vulnerability.

This follow-up to our earlier advisory is to warn of known-exploitable
conditions related to this vulnerability on both 64-bit platforms and
32-bit platforms alike.  Though we previously reported that 32-bit
platforms were not remotely exploitable, it has since been proven by
Gobbles that certain conditions allowing exploitation do exist.

Successful exploitation of this vulnerability can lead to the execution of
arbitrary code on the server with the permissions of the web server child
process.  This can facilitate the further exploitation of vulnerabilities
unrelated to Apache on the local system, potentially allowing the intruder
root access.

Note that early patches for this issue released by ISS and others do not
address its full scope.

Due to the existence of exploits circulating in the wild for some platforms,
the risk is considered high.

The Apache Software Foundation has released versions 1.3.26 and 2.0.39
that address and fix this issue, and all users are urged to upgrade
immediately; updates can be downloaded from http://httpd.apache.org/ .

As a reminder, we respectfully request that anyone who finds a potential
vulnerability in our software reports it to security@apache.org.

----------------------------------------------------------

The full text of this advisory including additional details is available
at http://httpd.apache.org/info/security_bulletin_20020620.txt .

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList
RB2 Network. RB2 Network.