Serious Apache Exploit Discovered 160
Posted
by
Soulskill
from the time-to-update dept.
from the time-to-update dept.
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.
Windows only (Score:5, Informative)
This would have been useful in the summary. From the linked page:
While I'm sure it will impact many people, I'd still imagine the majority of Apache users are running it on a platform other than Windows
Not Apache's problem (Score:2, Informative)
http://httpd.apache.org/docs/2.0/mod/mod_isapi.html
ISAPI extension modules (.dll files) are written by third parties. The Apache Group does not author these modules, so we provide no support for them. Please contact the ISAPI's author directly if you are experiencing problems running their ISAPI extension. Please do not post such problems to Apache's lists or bug reporting pages.
Re:It's unanimous! (Score:2, Informative)
Re:Note: Apache ON WINDOWS (Score:5, Informative)
Re:I was slightly worried, until I read this: (Score:0, Informative)
But is this the final nail in the Apache 1.3 coffin?
No because it affects apache version 2.2.14
Re:Not Apache's problem (Score:5, Informative)
The extension module DLL's are third party.
The core isapi apache module is all apache, and that's where the bug is.
Apache on Windows--More common than you think? (Score:2, Informative)
There are many reasons why I wouldn't deploy a production (i.e. www-facing) webserver of any stripe running on Microsoft Windows, security being a big one of them.[1]
On the other hand, for some purposes (corporate intranet, for example), Apache on Windows has been a godsend--it's allowed us, for example, to migrate our internal apps to a Free platform gradually, while depreciating our existing Windows machines (and advocates) into oblivion.
---------------
1. Lots of people do, though. I'm pretty sure IBM and Oracle Websphere/Weblogic services all use Apache httpd at some level. Happy patching, boys and girls!
Re:Not Apache's problem (Score:3, Informative)
The problem isn't in the dlls per se, the exploit works by causing mod_isapi to unload a dll and leave dangling pointers to the api that can be invoked. The fix is an apache.org change to mod_isapi that prevents such unloading:
2.2.15 Release Notes [apache.org]
Changes with Apache 2.2.15
*) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request
processing is completed, avoiding orphaned callback pointers.
[Brett Gervasoni brettg senseofsecurity.com, Jeff Trawick]
Re:Note: Apache ON WINDOWS (Score:4, Informative)
Apache on linux (at least in all the setups i've seen) starts as root so it can bind port 80 but then switches down to a lower privilage user to do the actual serving. Some damage could still be done of course but hopefully it's limited compared to the damage root can do.
Apache on windows defaults to running as "localsystem" (roughly the windows equivilent of root)
You can run it as another user but apparently ( http://httpd.apache.org/docs/2.0/platform/windows.html [apache.org] ) that user has to have "Act as part of the operating system" privilages. MS describes said privilages as "This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.".
So it seems either way to run Apache on windows you have to give it what ammounts to root privilages.
Re:Note: Apache ON WINDOWS (Score:4, Informative)
MS bashing isn't really appropriate here.
You must either be new here or have a very short memory.
The same bug in a module that ran on Linux would result in a remote root exploit.
Apache does not normally run as root on Linux. Only on Windows.
Re:Windows only (Score:3, Informative)
So are you only vulnerable if you use ISAPI ? It does look like that module is enabled by default though. I wonder why ?
Actually, according to the advisory, it seems you are only vulnerable if you actually load an ISAPI .dll module.
"it is possible to trigger a vulnerability in Apache mod_isapi that will unload the target ISAPI module from memory. However function pointers still remain in memory"
Even so, it's probably a good idea to comment out mod_isapi if you're not actively using it.
Re:Windows? (Score:2, Informative)
Your guess would be wrong. Apache is the core webserver for lots of application servers; i.e. you're getting Apache every time you install Oracle IAS or WebSphere. Dunno about WebLogic but I'd guess that applies as well. Your 10% goes up, way up.
--#
ISAPI = Lipstick on Ferrari (Score:2, Informative)
Play on words here... Maybe its Lipstick on a pigs platform, as IIS SUCKS balls.
ISAPI == worthless in the context of using it for Apache. Most of its 'features' are well implemented in Apache with no need for ISAPI unless you're running very specialized apps that make extensive use of ISAPI.
Changing request data (URLs or headers) sent by the client # mod_rewrite .htaccess/apache.conf/conf.d
Controlling which physical file gets mapped to the URL # mod_rewrite
Controlling the user name and password used with anonymous or basic authentication #.htacess
Modifying or analyzing a request after authentication is complete # mod_rewrite
Modifying a response going back to the client #mod_rewrite
Running custom processing on "access denied" responses #mod_rewrite/mod_redirect...
Running processing when a request is complete # #/bin/bash-sh-perl-python-etc...
Run processing when a connection with the client is closed # #/bin/bash-sh-perl-python-etc...
Performing special logging or traffic analysis. # tcpdump/webalyzer
Performing custom authentication. #
Handling encryption and compression. # mod_ssl/mod_gzip
Re:Apache on Windows--More common than you think? (Score:2, Informative)
WebSphere uses its own HTTP stack.
The IBM HTTP Server included with Websphere is based off of Apache. However, the mod_isapi module is disabled by default in IBM HTTP server installations. Websphere 6.1 uses an Apache 2.0.x based HTTP server, but Websphere 7.0 uses an Apache 2.2.x based HTTP server which could be vulnerable if you specifically enable this module.
Re:Note: Apache ON WINDOWS (Score:4, Informative)
However, in regards to MS (and we're close to being offtopic here) when was the last time you heard about an Apache vuln? Apache is relatively solid
Both Apache and IIS are pretty secure, although I have no idea why you would run Apache on a Windows server.
My problems with MS, however, are philosophical. MS seems to revel in giving the finger to standards, from the backslash to everything else.
Oh dear, you didn't just claim that the forward slash was a standard, did you? MS-DOS 1 used the same conventions as CP/M and VMS for command line arguments: forward slash. When DOS 2.0 added directories, but they had to use backslash to prevent backwards compatibility problems. They couldn't use the Apple Mac's colon separator because they already used that for drive letters, and nobody wanted to be anything like VMS's square brackets []. (See, there really was no standard)
However, they did actually implement the paths using both / and \. You could change an environment variable to set the argument prefix. Then you could happily use "cd /DOS". Even today, both symbols work. You can try:
notepad c:\autoexec.bat
notepad c:/autoexec.bat
The only time where / doesn't work is when it may be interpreted as a command line option. So "cd /Windows" doesn't work, but "cd ./Windows" does work. The point is that there was no standard for directory separators because every operating system did things their own way. And even if they did differ, there was a valid reason to do so. It was not just "giving the finger to standards". There are examples of them not using standards, like the Outlook-Exchange interface (although they probably would have had to extend the interface to get it to work using the standards so there may have been no point).
As for your DNS story, of course Windows can set the DNS manually. Don't ask me to tell you where you set it, because they keep moving around the network configuration with every version of Windows. That really pisses me off. Every upgrade of Windows since Windows for Workgroups 3.11 has made networking harder. I don't know why they have to keep fiddling!
Re:Note: Apache ON WINDOWS (Score:3, Informative)
Whoosh. The output in the posting to which you replied was demonstrating that it's not a root exploit, it's an exploit of the account 'www-data'.
On web servers I run, all executable code (apache, log rotator, etc.) is on a partition mounted readonly and nosuid. Data is on a partition mounted noexec. Nothing in the file system outside of /tmp is writable by www-data. So compromising that account gets you very little. You can't run code (except in the web server's scripting context, which doesn't get you any farther than you were when you compromised it - and doesn't get you any closer to running code as root), you can't change files. All you can hope to do is mess with the database; basically the same as what you could do if you found a hole in the site scripts.
Re:Always worried about reporting. (Score:4, Informative)
That would be a problem, if Windows didn't have a hidden admin account that is always named the same. I propose to you the following formula will work on 80% of Windows XP systems: ...
1. If Welcome-screen in use, hit Ctrl-Alt-Del twice
2. Username "Administrator", empty password
3. Hit OK and use computer with admin privs
4.
5. Profit!!
On a home system maybe, but in corporate, sysadmins nuke the "mandatory user account" in favor of Administrator first thing, then they rename administrator to something else, either via GPO or locally (usually both). Some places like to disable the account while it's in AD too.
FYI, in Vista and Win7, I think you have to boot to safe mode for your trick to work since Administrator is usually disabled by default, but reenabled for safe mode.
Re:Note: Apache ON WINDOWS (Score:3, Informative)
IIS, since version 6, has had fewer vulnerabilities than Apache has, however, neither have been particularly holey.
Are you seriously about the backslash? Microsoft actually WAS following the standard, the standard being CP/M.
As for your DNS problems, i've noticed on some firewalls, the IPv6 implementation seems to interfere with things on occasion. If you disable IPv6, things will work.
As for manually setting them, it works exactly the same way it always has.
Module enabled by default (Score:3, Informative)
If you cant upgrade, simply go into \conf\apache.conf and comment out the line that loads aspi:
#LoadModule isapi_module modules/mod_isapi.so
restart apache service and you should be good to go.
And to all those people who are like 'lolz! who runs apache on windows lolz!', i would say plenty of people. Because apache is far far far far far superior to ISS. Hopefully they have done it like me and made a low privilege local user to run it. It takes a bit more work but not much.
Here's the SSL-enabled 2.2.15 package (Score:2, Informative)
Apparently, there were regressions with the build.
Here's revision 2 of Apache 2.2.15 with OpenSSL [apache.org]. Preliminary reports indicate that it works like it should.