Apache 2.0 r00ted on NetWare, Windows, OS/2
An anonymous reader writes "A flaw in Apache 2.0's interpretation of the backslash delimiter allows for a remote r00ting on NetWare, Windows, and OS/2. InfoWorld has an overview; the attack was discovered by PivX's Auriemma Luigi, and he describes it in this technical document. I don't know whether there is such a thing as an OS/2 shop anymore, and most Microsoft shops probably run IIS, but Apache now ships as the default web server for NetWare 6, so Novell shops: Take note. A patch is available from Apache, and Luigi describes a workaround in his article."
Re:running apache as root? (Score:2, Funny)
First off, how can you get root on windows?
Turn it on.
Re:running apache as root? (Score:2)
Re:running apache as root? (Score:1)
It needs LOCALSYSTEM so it can switch to another user's security context (eg IUSR_MACHINENAME for anonymous access).
A buffer overflow in IIS will get you LOCALSYSTEM
Excuses for Apache, blame for Windows (Score:3, Interesting)
MINIMIZING BREAK-IN DAMAGE
Yes
Yes, services on Windows *can* run as all different users, a la UNIX -- I have ftp, pdnsd, apache, junkbust, squid, xfs, postfix, and sshd set up on my Linux box by default. However, in Windows, *usually*, and *by default* they don't.
Dunno whether Apache for Windows is set up as its own user by default, but most services for Windows don't take advantage of this. You could say that this isn't MS's fault, that there's just less of a multi-user culture around Windows than UNIX, but the fact is that Windows boxes are generally more vulnerable to full compromise in a break-in.
Second, Windows has no concept of "chroot". If I lock something in a chroot jail on UNIX, a hole in a server means next to nothing to me. You broke the server? The files served by the server had better be valuable in and of themselves, since you can't get at or see anything else. This doesn't affect most out-of-box distros, since most distros don't go to the trouble of using chroot -- but sites that really value security do use chroot. On Windows, there is no such available option.
Basically, UNIX has a better ability to sandbox, and its capabilities are much more widely used than on Windows -- your average server software developer takes advantage of them on UNIX -- but not on Windows.
KEEPING APPLICATIONS FROM BEING BUGGY
This is a Windows-specific pathname issue. There have been more Windows-specific pathname exploits in Windows servers than I can count. The MS approach of having an extremely convoluted pathname system (particularly files having non-unique names with the backwards compatible 8.3 support) has led to many, many issues with servers. IIS has had numerous holes involving this, and it seems like just about every Windows FTP or Web server has suffered from this at one point or another.
Next, people often complain that UNIX doesn't have ACLs, whereas Windows does. ACLs seem really attractive -- a very easy way to do security work. The problem is that they are much more complicated, and orders of magnitude harder to audit for holes, than the minimalist UNIX security model. Most break-ins are not due to someone literally not having fine-grained enough security -- they're almost always the fault of misconfiguration, which a simpler security model makes massive improvements in. If anyone's ever admined a VMS box, you know what I'm talking about -- trying to assure that your box has *no* routes for someone to gain control of the box can be interesting, despite VMS's very fine-grained security model.
Out of box Windows file and registry permissions still hurt the security of Windows boxes -- they aren't as insanely bad as in NT 4.0 out of box any more, but most application vendors are still living in a 9x world, and are focused on adding features, not on maintaining the security model.
Too many Windows subsystems break the Windows security model. I wouldn't trust DirectX and all the non-core stuff on Windows not to have holes -- and yet they pose a threat to local security.
As mentioned a while ago in the "shatter attack" article on Slashdot, the windowing model for Windows that worked so well for writing GUI applications easily (well, easily compared to raw Xlib, though Lord knows gtk knocks Win32 into a cocked hat) isn't a very good system from a security standpoint.
KEEPING BUGGY APPLICATIONS FROM BEING ATTACKED
Linux has powerful (granted, not very easy to use, at least without a wrapper) firewalling/routing capabilities through iptables. If your box is ignoring everything from port 22 from outside the computers on your three-person-team at your company, it's rather harder to exploit, say, SSH buffer overflows, or even find a vulnerable server.
Windows has Zone Alarm (and probably other local firewalls, but this is definitely the popular one). Now, this is probably nice for a workstation, but it doesn't compare with iptables in performance, and it doesn't provide the level of control that iptables does. If my internal web server running Apache isn't exposed to people not in my workgroup, then there isn't going to be much exploitation of the server.
MS BUG RESPONSE APPROACH
It's not really all that fair to compare the "46 minute" response time of open-source developers to MS's response time. Yes, in extreme situations someone could get the patch and apply it, in cases of something like the Internet Worm II. Most companies are going to wait for their vendor, be it Red Hat or SuSE or whatever, to come out with a packaged, QAed and supported update. That being said, these fixes still usually come out before MS's fixes. Furthermore, MS eliminates a bunch of their quality guarantees that they provide on Service Packs when you're using HotFixes. Red Hat (at least -- I haven't checked with other vendors) doesn't do that. Their bugfixes are just as fully supported, just as guaranteed to roll back, as their release software. That means that their updates better compare to Service Packs, which take forever and a day to come out after an exploit. So MS usually takes a long time to fix bugs.
Also, MS's primary to-end-user bugfix distribution format is Windows Update. Windows Update is one of the least impressive update systems I've seen yet -- it's used to update system software, yet it relies on a huge amount of application and system software. If it screws up, you're dead. And I've had a number of unpleasant experiences with Windows Update failing one way or another -- for example, once I had a bluescreen on a reboot after updating and trying to run MSIE (keep in mind that this is an NT-line kernel, not 9x). I've seen error dialogs during updates, and other semi-disturbing blemishes. After two incidents where Windows Update rendered boxes unbootable, I've taken to not running Windows Update (even to fix security issues) unless I have a known free two days to reinstall the OS and get everything running wrinkle-free again if something goes hideously wrong.
Furthermore, because of the way Windows does file and DLL locking (stupid, stupid -- ever try moving/deleting/renaming an open file under Windows? Combined with Explorer sometimes leaking file handles, this is a royal PITA), low-level updates usually require a reboot. The only Linux update that requires a reboot is a kernel update (though updating a desktop environment or a WM requires logging out and back in again to see the changes). Finally, I've ripped out much of my RPM-based Linux system and put it back in (bits of different distros, bits of devel-branch software) and always had smooth moves, nothing that could make my system unbootable. I feel a lot more confident in an RPM installation or uninstallation than I do in a Windows update.
Anyway, just my two cents -- just wanted to point out that this issue can still be partly blamed on Windows security issues, and not wanting people to lose sight of the areas in which MS needs to improve.
Yet Another Slashdot Repeat... (Score:2, Informative)
This has been fixed for a month now (Score:5, Informative)
Re:This has been fixed for a month now (Score:5, Insightful)
Learn what, how to use apostrophes? ;-)
Seriously though, keeping on the bleeding edge of updates isn't always feasible. A lot of companies might be running third party software that is explicitly not supported unless you're running a particular version of Apache, or a particular version of the Linux kernel, C libraries, etc. (And likewise for Windows software, etc.)
Please be generous and accept that negligence isn't the only explanation for failure to keep up with the latest patches of all the major & minor components of a modern computer system...
Re:This has been fixed for a month now (Score:2)
Re:This has been fixed for a month now (Score:1)
Experimental version of what? (Score:2)
Re:This has been fixed for a month now (Score:2)
Re:A little apostrophe history (Score:2)
My only reply is that this breaks down because, especially in this context, the word 'administrator' is commonly abbreviated to 'admin', without having to use punctuation e.g. "admin." So, because the term is commonly & familiarly abbreviated without punctuation, and because using the apostrophe raises ambiguity over whether the writer meant possession, abbreviation, or was just being sloppy, I still stand by my point that the word is better expressed without the apostrophe.
But still, you make a very entertaining argument and I won't try to change your mind about it if you're that set on it :-)
Not Important (Score:2, Insightful)
Move along. Nothing here
Re:Not Important (Score:1)
The Rare OS/2 (Score:1)
Re:The Rare OS/2 (Score:1)
Just to add some qualification to that.
OS/2 is freaking bulletproof. It's too bad it requires 512MB ram to run slow.
*sigh*
Re:The Rare OS/2 (Score:2)
OS/2 did a whole lot better running on a 486 with 20 MB than Windows NT. [yes, I did this
It's fairly easy to optimise: I burnt cdroms under OS/2 on my 486, using a specially modified (ie thinned out) version of OS/2 3.0,
Also, there is a neat little program called allocmem, which unloads unused dlls in core to the swap file, giving heaps more usable ram..
Re:The Rare OS/2 (Score:1)
Re:The Rare OS/2 (Score:2)
Re:The Rare OS/2 (Score:1)
I also remember watching an OS/2 ATM showing a Trap e.
Re:The Rare OS/2(STARDOCK PROCESS COMMANDER!!!) (Score:1)
Why raising goats is fun (Score:1)
It is very rewarding to see a goat you have raised from a baby grow up and have kids and grandkids of her own. With goats that doesn't have to take too long, maybe about 3 or 4 years at most, because they are able to breed when they are just a year old. It's also neat to learn how to milk or trim hooves and other things that you wouldn't ordinarily be able to do.
On NetWare? (Score:2, Interesting)
The term "Apache 2.0 r00ted on NetWare" implies that NetWare is an operating system- I was under the impression NetWare ran as a bunch of services on top of Win NT or something like that. Is that the case, or does NetWare run as an OS, directly on the hardware?
If it is the former, is there a special version of Apache that uses NetWare on top of Windows? If this is the case, I assume that it is using the IPX protocol instead of TCP/IP... what is the advantage of this? If it's not this, what is the difference? What makes Apache on NetWare different than Apache on Windows?
Any insight would be much appreciated-
Re:On NetWare? (Score:1)
Re:On NetWare? (Score:4, Informative)
NetWare is an operating system and has nothing to do with Windows at all. Last time I used it, it did still require you to boot into MSDOS first, but once you ran its EXE, it kicked DOS out and completely took over. It used to be the most popular network operating system, but NT has pretty much killed it. It's still around though....
History: Netware on 68000 (Score:2)
The 68000 file servers were needed in the days when PCs weren't quite powerful enough to serve large networks.
Re:On NetWare? (Score:2)
The old bindery netware (3.x generation) _has_ been ported to run as a process under a host operating system; OS/2, Linux come to mind (but never windows; perhaps you are thinking of Banyan Vines). To further confuse the issue, it was possible to have a DOS FAT partition on your server marked as primary, boot into a DOS, then run a utility (usually named "server.exe") to boot into netware. This was a popular option as it gave you an MS/PC/DR-DOS partition to run external recovery tools if something "bad" happened to your Netware server. However, Netware never ran _under_ DOS. Netware 2 and higher could boot with no DOS partition whatsoever, if desired.
---snip
If this is the case, I assume that it is using the IPX protocol instead of TCP/IP
---snip
Nope, Apache uses TCP/IP under netware, just like other modern netware apps.
---snip
What makes Apache on NetWare different than Apache on Windows?
---snip
Uptime and speed (better asked as "What makes Apache on Windows different from Apache on any other OS?")
Netware is an ultra-simple, text-mode only (for years anyway, somewhere along the line they added the rarely used option to run a stripped clone of X with a very simple window manager; I don't think anyone actually uses it though), quite peppy file server (with mature directory services, to boot). Netware 3.2 (the free, y2k compliant, bindery only version) for example, runs fine quite adequately on a 386 (although if anyone were to use this, I would recommend at least a 486, as then VLB/PCI becomes available for disk and network subsystems). With a small foot print, simple design, it gives great uptimes, and great speed.
That said, I personally have not deployed Netware in years, and probably never will again.
Re:On NetWare? (Score:1)
It is still very relevant to today's networked world. It is fast, reliable and secure with the best directory service available in the market today (something MS has just recently realised they need with AD).
Read what you can do with Netware, download a trial version. You will be surprised.
Dead embarassing... (Score:2)
The first bug was a "helpful" error message, giving you the _exact_ path of the apache installation, when asking for a file in the error-directory. This is really the kind of fault we expect from Microsoft (always trying to be more "user-friendly" than secure).
The second bug was even worse. Apache didn't interpret '\' as a "dangerous" character in urls. And neither was \..\..\..\WINNT\system32\ looked at as especially suspicious. With all the press nimda and code red got, it wouldn't be so hard to think that Apache wouldn't make the same mistake AFTER Microsoft, but did they do... Oh, yes...
In IIS, the final nail in the coffin when it comes to security is the fact that it runs under the privileges of SYSTEM. Anyone knows what Apache on NT/2k runs as?
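To make the second bug in the post above concrete, here is an added illustration (not Apache's code, and not from Luigi's advisory) of a URL-path sanitizer that only knows '/' as a separator, next to one that also folds '\' on platforms whose filesystem treats it as a separator. The document root, the request strings and the function names are all constructed for the example; ntpath is used so the Windows path rules can be shown from any host.

```python
"""Added example: why a '/'-only traversal check fails on Windows-style hosts.

Not Apache code. Models a request-path sanitizer and shows how the same
input is seen by (a) the URL-level check and (b) the operating system.
"""
import ntpath
from urllib.parse import unquote

# Constructed document root on a Windows-style host (assumption for the demo).
DOCROOT = r"C:\Apache2\htdocs"

# Constructed requests. EVIL carries the traversal text quoted in the post;
# the exact original target file is not part of this example.
EVIL = r"/error/\..\..\..\WINNT\system32\cmd.exe"
BENIGN = "/error/HTTP_NOT_FOUND.html.var"


def canonical_url_path(url_path, backslash_is_separator):
    """Collapse '.' and '..' in a request path; None if it escapes the root.

    backslash_is_separator=False mirrors the vulnerable behaviour: '\\' is
    treated as an ordinary filename character, so '\\..\\..' is never seen
    as a traversal. True is the hardened behaviour for Windows/OS/2/NetWare.
    Percent-decoding once before splitting is an assumption of this model.
    """
    decoded = unquote(url_path)          # %5c -> '\', %2e -> '.', ...
    if "\x00" in decoded:
        return None                      # a NUL would truncate the C string
    if backslash_is_separator:
        decoded = decoded.replace("\\", "/")
    kept = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not kept:
                return None              # would climb above the document root
            kept.pop()
            continue
        kept.append(segment)
    return "/" + "/".join(kept)


def windows_resolution(docroot, checked_path):
    """Where a Windows filesystem actually opens a path the check let through.

    ntpath applies the Windows rule that '/' and '\\' are both separators,
    which is exactly what the '/'-only sanitizer above ignores.
    """
    return ntpath.normpath(ntpath.join(docroot, checked_path.lstrip("/")))


def is_inside_docroot(docroot, resolved_path):
    """Defence in depth: compare the OS-resolved path against the root.

    Case-insensitive because Windows filenames are.
    """
    root = ntpath.normcase(ntpath.normpath(docroot))
    target = ntpath.normcase(resolved_path)
    return target == root or target.startswith(root + ntpath.sep)


if __name__ == "__main__":
    for policy in (False, True):
        print(f"backslash_is_separator={policy}")
        for req in (BENIGN, EVIL):
            checked = canonical_url_path(req, policy)
            if checked is None:
                print("   rejected:", req)
                continue
            resolved = windows_resolution(DOCROOT, checked)
            print("   accepted:", req, "->", resolved,
                  "(inside root)" if is_inside_docroot(DOCROOT, resolved)
                  else "(OUTSIDE root)")
```

With the '/'-only policy the EVIL request passes the URL check untouched and the OS resolves it to C:\WINNT\system32\cmd.exe; with backslashes folded it is rejected before any filesystem access, and the percent-encoded form (%5c) is caught the same way because decoding happens before the split. The is_inside_docroot check on the resolved path is the second line of defence a practitioner would add regardless of how the URL parser behaves.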
Re:Dead embarassing... (Score:1)
I had to set up a separate user, '.\Apache', - you'd expect Apache to create a restrictive user by default on install.
tlhf
Re:Dead embarassing... (Score:1)
Wrong. All accesses via IIS are in the context of the IUSR_ unless explicitly defined otherwise. The IUSR account has minimal permissions, although a lot of admins forget to lock down the file permissions (IUSR being a part of the Everyone group)
Netware (Score:2)
Now, Apache does offer a 2.x version that does also run on Netware. So, it is possible for someone to upgrade their Netware server from 1.3.22 to 2.x, but this is not how Novell ships it. Additionally, most Netware shops will take their updates only from Novell; therefore, I would be surprised if there were many Apache 2.x servers running on Netware.
Slashdot is getting repetitious. (Score:1)
The infoworld article is a month old.
Slashdot had it two weeks ago.
NetWare ships with Apache 1.3.x
Try to check your sources next time!
For the record... (Score:1)
"Due to the fact that Apache 2.0 for NetWare has not received the same level of testing as on other platforms, the binaries for Apache 2.0 have been made available for testing purposes only. We DO NOT recommend that Apache 2.0 for NetWare be used in a production environment at this point."
See this [apache.org] for reference.
-bk