
Apache Web Server Security Issues

CSIS 4490 – UNIX Administration and Security, Summer 2002. Dr. Ken Hoganson. By: Tracy C. Guthrie. July 16, 2002.



  1. Apache Web Server Security Issues
     CSIS 4490 – UNIX Administration and Security, Summer 2002
     Dr. Ken Hoganson
     By: Tracy C. Guthrie
     July 16, 2002

  2. Brief History of Apache Web Server
     • From the Apache HTTP Server Project page at http://httpd.apache.org/ABOUT_APACHE.html
     • March 1995, Rob McCool leaves the National Center for Supercomputing Applications to start the Apache project.
     • Apache name comes from the fact that this server is built from NCSA code patches, “a patchy” server.
     • April 1995, the first public release of Apache Web Server is made available.
     • March 1996, Apache Web Server 1.1 is released with increased server functionality.
     • In less than a year's time the Apache Web Server becomes the most widely used web server software according to a survey by Netcraft and has remained in that position since.

  3. Web Server Statistic

     Developer    May 2002    Percent   June 2002   Percent   Change
     Apache       10411000    65.11     10964734    64.42     -0.69
     Microsoft    4121697     25.78     4243719     24.93     -0.85
     iPlanet      247051      1.55      281681      1.66      0.11
     Zeus         214498      1.34      227857      1.34      0.00

     http://www.netcraft.com/survey/

  4. Some Known Apache Security Issues In Earlier Releases
     • Apache chunked encoding problems allow possible system abuse, DNS attacks, and remote execution of code.
     • Win32 port problem on Apache provides the ability for remote infiltrators to execute commands using values that are sent through CGI batch scripts.
     • The handling of Host: headers in mass virtual hosting setups can allow access to any file on the server.
     • Cross-site scripting can reveal private session information through the use of embedded HTML tags in client requests with insufficient encoding, which could lead to the release of private cookies used to verify a user's identity at other sites.
     • Other known issues include multiple issues relating to bugs that have been used to perform DNS attacks and situations that have caused web server requests to return directory and directory listings rather than the requested web page.
     http://www.apacheweek.com/features/security-13

  5. Recent Security Issues All Releases
     • February 2002 - Security Problem in mod_ssl and Apache-SSL
     • June 2002 - Chunked Encoding Handling Issue

  6. Security Problem in mod_ssl and Apache-SSL
     • On February 23, 2002, a buffer overflow problem is identified in Secure Socket Layer code, more specifically in mod_ssl and Apache-SSL.
     • The specific problem causing the buffer overflow issue deals with dbm and shm session cache instructions that do not initialize memory properly.
     • This bug affected all versions of the web server software.
     • Only servers that are allowing signed or secure client certificates are vulnerable.
     • This opens the possibility of a perpetrator running code that is supposedly signed by a trusted client.
     • Since the server believes that the code is being executed by a trusted source, this rogue code is executed from the server with the rights assigned to that source.
     • This particular problem offered limited exposure because a perpetrator would need to obtain a valid security certificate to take advantage of it.
     http://www.apacheweek.com/issues/02-03-01#security

  7. Latest Security Warning Issued June 2002
     • June 17, 2002, ISS and the Apache Software Foundation issued an advisory about possible exploit code that could issue denial of service attacks.
     • It was initially stated that this problem only affected version 1.3 and earlier releases of the Apache HTTP Server Software.
     • June 20, 2002, Apache software issued another alert stating that this exploit could affect all versions of the Apache HTTP Web Server, and that the problem could involve more than DNS attacks.
     • After more careful analysis of the bug, the experts determined that the issues revolve around the way that the Apache software handles encoded requests using chunked encoding routines.
     Note: According to the site www.trusecure.com, chunked encoding is used to transfer pieces of data of unknown size between the web server and the web client. Apache has issues in the math that is used to calculate the buffer size and allocates a buffer that is too small, leading to buffer overflows that can lead to a host of security issues.
     http://www.apacheweek.com/issues/02-06-21#security, http://httpd.apache.org, http://httpd.apache.org/info/security_bulletin_20020620.txt, http://www.trusecure.com/knowledge/hypeorhot/2002/tsa02009.shtml
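
The note above places the flaw in the arithmetic used to size the buffer for chunked data. The following Python example is added here and is not from the slides or from Apache's code: it contrasts one well-known form of that mistake (a declared size read as a signed 32-bit value before a `min()` check) with a strict unsigned parser and decoder. `MAX_CHUNK`, the function names and the sample body are assumptions made for the illustration.

```python
# Added illustration, not Apache source: chunk-size arithmetic done two ways.
import re

MAX_CHUNK = 1 << 20                       # assumed per-chunk ceiling (1 MiB)
_HEX = re.compile(rb"[0-9A-Fa-f]{1,8}")   # unsigned hex only: no sign, no "0x"

class ChunkError(ValueError):
    """Raised when a chunked body violates the framing rules."""

def naive_copy_len(declared, bufsize):
    """Flawed math: treat the declared size as a signed 32-bit value, take
    min() with the buffer size, then use the result as an unsigned length."""
    signed = declared - (1 << 32) if declared & 0x80000000 else declared
    return min(signed, bufsize) & 0xFFFFFFFF

def parse_chunk_size(line):
    """Strict math: parse as unsigned and bound it before any buffer use."""
    token = line.split(b";", 1)[0].strip()        # ignore chunk extensions
    if not _HEX.fullmatch(token):
        raise ChunkError("malformed chunk size")
    size = int(token, 16)
    if size > MAX_CHUNK:
        raise ChunkError("chunk size exceeds limit")
    return size

def decode_chunked(body):
    """Decode a complete chunked body held in memory; trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("missing CRLF after chunk size")
        size = parse_chunk_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data does not match declared size")
        out += chunk
        pos += size + 2

SAMPLE = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"   # constructed sample body
if __name__ == "__main__":
    print(decode_chunked(SAMPLE))                  # well-formed body
    print(hex(naive_copy_len(0xFFFFFFFF, 4096)))   # length the flawed math yields
```

With the flawed arithmetic a declared size of `ffffffff` passes the `min()` check as -1 and becomes a 4 GiB length for a 4096-byte buffer; the strict parser rejects the same size line before any buffer is involved.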

  8. What can it do?
     • In the security bulletin issued by the Apache Software Foundation, http://httpd.apache.org/info/security_bulletin_20020620.txt, the known or identified issues with this bug to date are:
       • Execution of code on the server with the permission level of a child process, which is a sub-process or a thread of the original process.
       • Can lead to further vulnerabilities including the ability to gain root access.
       • The very least that the process can do is provide an avenue for performing a denial of service attack.

  9. F-Secure Notice of Problem
     • F-Secure has identified the root cause of this problem as a worm known as Scalper, Scalper.A or another alias is Unix/Scalper.A.
     • As of June 29, 2002 F-Secure had not received any notice of actual infected servers running the FreeBSD Apache HTTP Web Server software.
     • In tests that were performed by F-Secure, if the worm finds access to the server it:
       1. Creates an un-encoded worm file in the /tmp directory called .uua that is decoded and executed as /tmp/.a and this also deletes the original unencoded .uua file.
       2. After execution the rogue program creates a backdoor at UDP Port 2001 and scans the server to see if it is running Apache server software. If the answer is yes, the virus attempts to infect the server.
       3. If the server is successfully infected then the problems listed in the previous slide are possible and the remote processes can be submitted at the same level or privilege class as the server itself.
       4. The worm creates no known changes to the system configuration files and is not hidden in the process list.
     http://www.f-secure.com/v-descs/scalper.shtml
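
The artifacts listed above (the /tmp/.uua and /tmp/.a files and a UDP listener on port 2001) can be checked on a host directly. The following Python triage script is an added example, not part of the presentation or of F-Secure's description; the function names, the `netstat -an` parsing and the constructed sample output are assumptions.

```python
# Added example: triage for the Scalper artifacts named in the slide above.
import os
import re

WORM_FILES = ("tmp/.uua", "tmp/.a")   # file names from the slide
BACKDOOR_UDP_PORT = 2001              # backdoor port from the slide

# Constructed sample of FreeBSD-style `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address     Foreign Address   (state)
tcp4       0      0  *.80              *.*               LISTEN
udp4       0      0  *.2001            *.*
udp4       0      0  *.514             *.*
"""

# Matches BSD "*.2001" and Linux "0.0.0.0:2001" local-address columns.
_UDP_LINE = re.compile(r"^udp\S*\s+\d+\s+\d+\s+\S*[.:](\d+)\s")

def find_worm_files(root="/"):
    """Return the worm file paths that exist under root (symlinks included)."""
    paths = (os.path.join(root, rel) for rel in WORM_FILES)
    return [p for p in paths if os.path.lexists(p)]

def udp_local_ports(netstat_text):
    """Collect local UDP port numbers from `netstat -an` style text."""
    ports = set()
    for line in netstat_text.splitlines():
        match = _UDP_LINE.match(line)
        if match:
            ports.add(int(match.group(1)))
    return ports

def triage(root, netstat_text):
    """Summarise both indicators; any hit warrants a closer look at the host."""
    files = find_worm_files(root)
    backdoor = BACKDOOR_UDP_PORT in udp_local_ports(netstat_text)
    return {"files": files, "backdoor_port": backdoor,
            "suspicious": bool(files) or backdoor}

if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["netstat", "-an"], capture_output=True, text=True)
    print(triage("/", live.stdout))
```

A legitimate service can also listen on UDP 2001, so a port hit without the files is a lead to investigate rather than proof of infection.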

  10. Effects to Date
     • The findings listed below are mentioned in the article, Worm exploits Apache vulnerability on FreeBSD, from Computerworld on July 1, 2002, which is over 2 weeks from the initial introduction or discovery of the bug.
     • There have been no reported major problems at this time.
     • This worm apparently only attacks Open and FreeBSD versions of the code.
     • FreeBSD is the third most popular Apache web software distribution with Linux and Solaris leading the way.
     • 6 million servers have already updated with the security patch, but 14 million are still exposed.
     http://www.computerworld.com/printthis/2002/0,4814,72373,00.html

  11. What’s the Big Stink
     • One of the major issues to surface from this problem is the fact that ISS or Internet Security Services apparently broke protocol by going public with the problem before contacting the Apache Software Foundation.
     • This allowed the problem to be broadcast before the Apache group had produced a patch to correct the situation.
     • ISS, which is based in Atlanta, did provide its own patch with its news release, but it was proven to be ineffective in correcting the problem.
     • The Apache Software Foundation was aware of the issue and was working with CERT to establish the proper level of the security alert and to provide an effective patch. They issued their own security notice not long after ISS and provided a working patch that was effective in closing the vulnerability.
     http://lwn.net/Articles/2756/, http://www.zdnet.com/filters/printerfriendly/0,6061,2873254-10,00.html, http://www.vnunet.com/News/1133151, http://news.com.com/2102-1001-936924.html

  12. Lessons Learned
     • Robert Vamosi, reporting for CNET/ZDNet Reviews, http://www.zdnet.com/anchordesk/stories/story/0,10738,2873254,00.html, asked whether this bug could have been prevented in the first place, because apparently this security or insecure access had been identified by a group up to 2 months before the security alerts were issued.
     • On June 19th, Gobbles Security, after viewing the ISS security alert, set out to prove that more platforms than ISS had named were open to attack from this breach.
     • Gobbles then released or published program code called Apache-scalp.c that is used to attack the chunked encoding issue on the OpenBSD version of the Apache web server software. A hacker or malicious user used this source to create the Scalper worm that is currently crawling the networks.
     • According to the article, Gobbles stated that they also had code that would breach this hole in the Solaris, OpenBSD, FreeBSD, and Linux GNU systems. They apparently had spent 2 months working on these programs, which meant that the breach had been identified well before the security release.

  13. What does this mean?
     • With Apache holding a substantial portion, roughly 65%, of the web server software usage market according to the Netcraft Web Server Survey at http://www.netcraft.com/survey/, any security vulnerabilities could cause massive failures and problems to the Internet structure.
     • Problems must be identified and corrected in a very quick and efficient manner to limit possible exposures.
     • Server administrators must maintain strict control over server access and must be proactive in monitoring and patching their systems when known or possible vulnerabilities are reported.
     • Open Source Code, while having a better track record than more mainstream software companies, still provides the opportunity for malicious computer users to infiltrate and corrupt systems that play a major role in the infrastructure of the Internet and other computer networks.
     • Parties interested in maintaining the reputation and integrity of open source coding practices would be well served in assisting in the prevention and correction of identified problems rather than creating code to exploit weaknesses.

  14. References
     • Apache HTTP SERVER PROJECT. (1999 – 2002). Retrieved July 11, 2002 from http://httpd.apache.org/ABOUT_APACHE.html
     • Common Vulnerabilities and Exposures: The Key to Information Sharing. (2002, June 25). CVE Version: 20020625. Retrieved July 14, 2002 from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082
     • Cox, M. (2001, November 16). Overview of security vulnerabilities in Apache http 1.3. www.apacheweek.com. Retrieved July 15, 2002 from http://www.apacheweek.com/features/security-13
     • Cox, M., Orton, J., Tsan, M. (2002, March 1). Security flaw found in mod_ssl and Apache-SSL. Apache Week – Security Reports, Issue 285, 1st March 2002. Retrieved July 10, 2002 from http://www.apacheweek.com/issues/02-03-01
     • Evers, J. (2002, July 2). Study: Web more vulnerable now than ever. Itworld.com. Retrieved July 11, 2002 from http://www.itworld.com/Sec/2199/020702webvulnerable/pfindex.html
     • Evers, J. (2002, July 1). Worm exploits Apache vulnerability on FreeBSD. www.computerworld.com. Retrieved July 14, 2002 from http://www.computerworld.com/printthis/2002/0,4814,72373,00.html
     • Hype or Hot. (2002, June 20). TruSecure Alert - TSA-02-009. www.trusecure.com. Retrieved July 15, 2002 from http://www.trusecure.com/knowledge/hypeorhot/2002/tsa02009.shtml
     • In the beginning. (n.d.). Retrieved July 13, 2002 from http://archive.covalent.net/apache-docs/2001/03/0049/history.html
     • Laurie, B. (2002, March 1). Apache-SSL buffer overflow condition. Retrieved July 13, 2002 from http://www.apache-ssl.org/advisory-20020301.txt
     • Lemos, R. (2002, June 28). New Apache worm starts to spread. www.news.com.com. Retrieved July 14, 2002 from http://news.com.com/2102-1001-940585.html
     • Lemos, R. (2002, June 17). Security warning too quick for comfort. www.news.com.com. Retrieved July 13, 2002 from http://news.com.com/2102-1001-936924.html
     • LWN: The Apache vulnerability, full disclosure, and monocultures. (n.d.). Retrieved July 14, 2002 from http://lwn.net/Articles/2756/
     • Millman, R. (2002, July 7). IIS and Apache flaws leave web wide open. www.vnunet.com. Retrieved July 12, 2002 from http://www.vnunet.com/News/1133151
     • Netcraft Web Server Survey. (2002, June). Retrieved July 12, 2002 from http://www.netcraft.com/survey/
     • Rautiainen, S., Tocheva, K. (2002, June 29). F-Secure Virus Descriptions (Scalper). www.f-secure.com. Retrieved July 14, 2002 from http://www.f-secure.com/v-descs/scalper.shtml
     • Security Bulletin. (2002, June 20). security_bulletin_20020617.txt. www.httpd.apache.org. Retrieved July 14, 2002 from http://httpd.apache.org/info/security_bulletin_20020620.txt
     • Vamosi, R. (2002, July 2). How we could have prevented an Apache worm. www.zdnet.com. Retrieved July 13, 2002 from http://www.zdnet.com/anchordesk/stories/story/0,10738,2873254,00.html
     • Weiss, T. (2002, June 17). Two security alerts point to Apache Web Server Flaws. www.computerworld.com. Retrieved July 13, 2002 from http://www.computerworld.com/printthis/2002/0,4814,72074,00.html
