Forgot your password?
typodupeerror
Bug Security Software Windows Apache Technology

Serious Apache Exploit Discovered 160

Posted by Soulskill
from the time-to-update dept.
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit." Note: according to the advisory, this exploit is exclusive to Windows.
This discussion has been archived. No new comments can be posted.

Serious Apache Exploit Discovered

Comments Filter:
  • Windows? (Score:2, Insightful)

    by jspenguin1 (883588)

    What percentage of Apache hosts run on Windows? I'd guess maybe 10%, a generous estimate. This isn't something that's going to bring the entire web down. Also, wouldn't you have to enable mod_isapi manually?

    • Re: (Score:2, Informative)

      by Bright Apollo (988736)

      Your guess would be wrong. Apache is the core webserver for lots of application servers; i.e. you're getting Apache every time you install Oracle IAS or WebSphere. Dunno about WebLogic but I'd guess that applies as well. Your 10% goes up, way up.

      --#

      • And don't hold your breath waiting for a patch from Oracle.

      • by Alex Belits (437) *

        And who in his right mind would run those on Windows?

        • by jjohnson (62583)

          Any company that's a Microsoft shop, which includes a really large number of Fortune 500 companies. That's why Oracle and IBM offer those products on Windows.

  • Windows only (Score:5, Informative)

    by Albanach (527650) on Monday March 08, 2010 @10:04AM (#31400118) Homepage

    This would have been useful in the summary. From the linked page:

    Platform. Microsoft Windows

    Details.
    The Apache HTTP Server, commonly referred to as Apache, is a
    popular open source web server software. mod_isapi is a core
    module of the Apache package that implements the Internet Server
    extension API. The extension allows Apache to serve Internet
    Server extensions (ISAPI .dll modules) for Microsoft Windows
    based hosts.

    While I'm sure it will impact many people, I'd still imagine the majority of Apache users are running it on a platform other than Windows

    • by data64 (300466)

      mod_isapi is a core module of the Apache package that implements the Internet Server extension API. The extension allows Apache to serve Internet Server extensions (ISAPI .dll modules) for Microsoft Windows based hosts.

      So are you only vulnerable if you use ISAPI ? It does look like that module is enabled by default though. I wonder why ?

      • Re: (Score:3, Informative)

        by kunakida (886654)

        So are you only vulnerable if you use ISAPI ? It does look like that module is enabled by default though. I wonder why ?

        Actually, according to the advisory, it seems you are only vulnerable if you actually load an ISAPI .dll module.

        "it is possible to trigger a vulnerability in Apache mod_isapi that will unload the target ISAPI module from memory. However function pointers still remain in memory"

        Even so, it's probably a good idea to comment out mod_isapi if you're not actively using it.

      • Good point! I had just assumed it was required to run php/mysql, but seems that it is only needed if you're going to run ISAPI extensions intended for IIS. I just disabled it on my WAMP servers with no side effects.

        There seems to be very little need for this extension - it should be disabled by default.

        • by Yvanhoe (564877)
          It is a prerequisite and business-practice that any software on windows has as many vulnerable modules load by default as possible.
    • by julesh (229690)

      Does anyone else think it ironic that the most severe security error found in Apache for quite a while now is in an IIS compatibility module?

  • by Anonymous Coward

    Only affects Windows, though.
    I wonder how many big deployments of Apache+Windows are out there.

  • Platform. Microsoft Windows

    But is this the final nail in the Apache 1.3 coffin?
    Now the boss is going to be upset even when you tell them your version is not vulnerable.

  • by ipquickly (1562169) on Monday March 08, 2010 @10:14AM (#31400206) Homepage

    7 out of the first 8 posts agree that this is Windows only.

  • by blai (1380673)
    But I don't want to restart my Windows :\
  • Perhaps the editor is worried updating his Windows servers.
  • Not Apache's problem (Score:2, Informative)

    by Anonymous Coward

    http://httpd.apache.org/docs/2.0/mod/mod_isapi.html

    ISAPI extension modules (.dll files) are written by third parties. The Apache Group does not author these modules, so we provide no support for them. Please contact the ISAPI's author directly if you are experiencing problems running their ISAPI extension. Please do not post such problems to Apache's lists or bug reporting pages.

    • by dsharp (117993)

      I believe that refers to 3rd-party ISAPI modules, not mod-isapi itself. Presumeably, Apache *is* responsible for maintaining mod-isapi.

    • by WPIDalamar (122110) on Monday March 08, 2010 @10:29AM (#31400346) Homepage

      The extension module DLL's are third party.

      The core isapi apache module is all apache, and that's where the bug is.

    • Sure, vulnerable DLLs are not Apache's problem, but isn't the vuln here within the mod_isapi module, which presumably is supplied by Apache?
    • Re: (Score:3, Informative)

      The problem isn't in the dlls per se, the exploit works by causing mod_isapi to unload a dll and leave dangling pointers to the api that can be invoked. The fix is an apache.org change to mod_isapi that prevents such unloading:

      2.2.15 Release Notes [apache.org]

      Changes with Apache 2.2.15

      *) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni brettg senseofsecurity.com, Jeff Trawick]

  • by SlappyBastard (961143) on Monday March 08, 2010 @10:31AM (#31400372) Homepage
    I had to read the article to see it was Windows only . . . whew.
    • I saw that title and said Holy Crap Now I have to go search for patches pronto!
      Can we add a feature to /. allowing us annoyed readers to electro-shock the submitters whenever they post such scary headlines?
    • I had to read the article to see it was Windows only . . . whew.

      I may be a little out of date, but I thought isapi was the IIS interface, meaning it was inherently Windows only. And isapi was mentioned as part of the summary.

      OTOH, at least it means you actually RTFA.

      • It's been so long since I have used Windows for a server. I can see my last Windows server, a whopping 300 MHz killing machine, sitting at the bottom of a shelf in my office, waiting for the day I finally blank the hard drive and send it off to the Solid Waste Authority.

        There was that inkling in the back of my head, but I had to read on for it to move forward in my brain.

        • It's been so long since I have used Windows for a server. I can see my last Windows server, a whopping 300 MHz killing machine, sitting at the bottom of a shelf in my office, waiting for the day I finally blank the hard drive and send it off to the Solid Waste Authority.

          There was that inkling in the back of my head, but I had to read on for it to move forward in my brain.

          Do yourself a favor and try to forget, again. :-)

    • by julesh (229690)

      I had to read the article to see it was Windows only . . . whew.

      No you didn't. Even before the update, the summary clearly said it was mod_isapi that contains the bug, and mod_isapi is a Windows-only component.

  • There are many reasons why I wouldn't deploy a production (i.e. www-facing) webserver of any stripe running on Microsoft Windows, security being a big one of them.[1]

    On the other hand, for some purposes (corporate intranet, for example), Apache on Windows has been a godsend--it's allowed us, for example, to migrate our internal apps to a Free platform gradually, while depreciating our existing Windows machines (and advocates) into oblivion.

    ---------------
    1. Lots of people do, though. I'm pretty sure IBM a

    • by gazbo (517111)
      DEPRECATING.

      Unless you really meant you have a team of people chipping away at the Windows machines (and advocates) with hammers to accelerate their loss of monetary value?

      • Unless you really meant you have a team of people chipping away at the Windows machines (and advocates) with hammers to accelerate their loss of monetary value?

        How would that decrease their value?

  • by dannydawg5 (910769) on Monday March 08, 2010 @10:40AM (#31400454)

    At a place I used to work, one of my coworkers reported a simple potential security problem: the username for the admin account on all our machines is the same as the computer's name. This just eliminates one less thing for a hacker to figure out. He was accused of "snooping", whatever that means, and almost lost his job. The only thing that saved him is a higher-up with a brain.

    Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.

    • by 1s44c (552956)

      Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.

      That's really bad. I know it's all too easy to tell someone to change job but that company is dysfunctional and You will do better elsewhere.

  • by ArundelCastle (1581543) on Monday March 08, 2010 @10:44AM (#31400484)

    I would really like to make a shirt that says: "This T-shirt has a serious exploit that allows a remote attacker to gain complete control."
    It should be printed around the bottom hem for maximum effect.
    Could also work on tighty whiteys.

    I said I'd like to make it, not wear it. :-)

  • Play on words here... Maybe its Lipstick on a pigs platform, as IIS SUCKS balls.

    ISAPI == worthless in the context of using it for Apache. Most of its 'features' are well implemented in Apache with no need for ISAPI unless you're running very specialized apps that make extensive use of ISAPI.

    Changing request data (URLs or headers) sent by the client # mod_rewrite
    Controlling which physical file gets mapped to the URL # mod_rewrite
    Controlling the user name and password used with anonymous or basic authent

    • Makes it easier to migrate from IIS to Apache. Install Apache and let it use your current ISAPI modules, so your website basically works the same. Then gradually turn off each ISAPI module as you configure it the Apache way.

      There are piles of ISAPI filters in use, and it's unlikely that someone going through a conversion is going to dump all of the ISAPI they paid for immediately. Or rewrite what they implemented in-house. This reduces the amount of testing and debugging that has to be done up-front, an

  • Not that I'd discourage anyone from keeping their Apache up-to-date, but I decided to see what would happen if I prevented the Windows Apache on my machine from loading mod_isapi. The answer? Nothing, apparently. The only thing I really feared was that it might interfere with the Zend debugger, but no, it's fine.

  • by CAIMLAS (41445) on Monday March 08, 2010 @11:22AM (#31400876) Homepage

    Thanks, jackass. Just what I wanted on a Monday morning: to update a half dozen Internet-facing source-based systems. Of course, it was a false alarm: submitter was too much of a toolbag to mention it was Windows-only.

    (And, it being a Monday morning, I didn't initially notice the mention of mod_isapi. Of course.)

  • Dumb question, but are there any Windows apps that serve pages to a browser front end that might have borrowed the Apache code in question?
  • by citylivin (1250770) on Monday March 08, 2010 @04:54PM (#31405134)

    If you cant upgrade, simply go into \conf\apache.conf and comment out the line that loads aspi:

    #LoadModule isapi_module modules/mod_isapi.so

    restart apache service and you should be good to go.

    And to all those people who are like 'lolz! who runs apache on windows lolz!', i would say plenty of people. Because apache is far far far far far superior to ISS. Hopefully they have done it like me and made a low privilege local user to run it. It takes a bit more work but not much.

"It is better to have tried and failed than to have failed to try, but the result's the same." - Mike Dennison

Working...