Apache Chunk Handling Roundup
by Berislav Kucan - revised on 20 June 2002
Internet Security Systems and NGSSoftware found a security issue with chunk encoding in the popular Apache web server. The problems may lead to a remote compromise and denial of service.

1) Apache Chunk Handling advisories

ISS Advisory "Remote Compromise Vulnerability in Apache HTTP Server"

Brief description: ISS X-Force has discovered a serious vulnerability in the default version of Apache HTTP Server. Apache is the most popular Web server and is used on over half of all Web servers on the Internet. It may be possible for remote attackers to exploit this vulnerability to compromise Apache Web servers. Successful exploitation may lead to modified Web content, denial of service, or further compromise.

Affected versions: Many commercial Web Application Servers such as Oracle 9iAS and IBM WebSphere use Apache HTTP Server to process HTTP requests. Additional products that bundle Apache HTTP Server for Windows may be affected.

Full advisory: http://www.net-security.org/vuln.php?id=1791

Apache Security Bulletin

Brief description: Versions of the Apache web server up to and including 1.3.24 and 2.0 up to and including 2.0.36 contain a bug in the routines which deal with invalid requests which are encoded using chunked encoding. This bug can be triggered remotely by sending a carefully crafted invalid request. This functionality is enabled by default. In most cases the outcome of the invalid request is that the child process dealing with the request will terminate. At the least, this could help a remote attacker launch a denial of service attack as the parent process will eventually have to replace the terminated child process and starting new children uses non-trivial amounts of resources.

We were also notified today by ISS that they had published the same issue which has forced the early release of this advisory. Please note that the patch provided by ISS does not correct this vulnerability.

Full advisory: http://www.net-security.org/vuln.php?id=1793

CERT Advisory CA-2002-17 - Apache Web Server Chunk Handling Vulnerability

Brief description: There is a remotely exploitable vulnerability in the handling of large chunks of data in web servers that are based on Apache source code. This vulnerability is present by default in configurations of Apache web servers versions 1.3 through 1.3.24 and versions 2.0 through 2.0.36. The impact of this vulnerability is dependent upon the software version and the hardware platform the server is running on.

Full advisory: http://www.net-security.org/advisory.php?id=775
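The version ranges quoted in the bulletins above can be turned into a quick inventory check. The following is an added example, not code from any of the advisories: it classifies `Server` banners or `httpd -v` output against those ranges, and the function names, host names and sample banners are constructed for illustration.

```python
import re

# Last affected patch level per release line, as stated in the bulletins above.
LAST_AFFECTED = {(1, 3): 24, (2, 0): 36}

# Matches "Apache/1.3.24", "Apache/2.0.36-dev", or a trimmed "Apache/2.0".
_BANNER = re.compile(r"\bApache/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_apache_version(banner):
    """Return (major, minor, patch-or-None) from a banner string, else None."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None)


def classify(banner):
    """Return 'affected', 'outside-listed-ranges' or 'unknown' for one banner."""
    ver = parse_apache_version(banner)
    if ver is None:
        return "unknown"  # no Apache version token in the banner
    major, minor, patch = ver
    limit = LAST_AFFECTED.get((major, minor))
    if limit is None:
        return "outside-listed-ranges"
    if patch is None:
        return "unknown"  # banner trimmed to major.minor, check the host itself
    return "affected" if patch <= limit else "outside-listed-ranges"


def triage(inventory):
    """Map each host to its classification and list hosts needing follow-up."""
    result = {host: classify(banner) for host, banner in inventory.items()}
    follow_up = sorted(h for h, s in result.items() if s != "outside-listed-ranges")
    return result, follow_up


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web1": "Server: Apache/1.3.24 (Unix) mod_ssl/2.8.8",
    "web2": "Server: Apache/1.3.26 (Unix)",
    "app1": "Server: Oracle HTTP Server Powered by Apache/1.3.19",
    "win1": "Server version: Apache/2.0.36",
    "edge": "Server: Apache",
}

if __name__ == "__main__":
    statuses, follow_up = triage(SAMPLE)
    for host in sorted(statuses):
        print(host, statuses[host])
    print("follow up:", ", ".join(follow_up))
```

A banner is only a hint: it can be trimmed or altered, and a vendor build may carry a fix without changing the version string, so hosts reported as `unknown` or `affected` should be confirmed against the vendor's own advisory.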

2) Problem discussion:

David Litchfield - david(a)ngssoftware.com on Bugtraq

Like ISS obviously did, one of the first things NGSSoftware did after the eEye ASP Chunk Transfer Encoding vulnerability came out, was check 'what else' is vulnerable to this kind of issue. Like ISS, NGSSoftware also noted that the Win32 distribution of Apache was vulnerable.

However, our approach to addressing this problem was/is completely different. We alerted Oracle, Apache and CERT.

Our last response from Mark Fox of Apache was that they "have decided that we need to co-ordinate this issue with CERT so that we can get other vendors who ship Apache in their OS and projects a heads-up to this issue." NGSSoftware, of course, agreed that this would be the best plan of action as most people who use the Win32 Apache version do not have a compiler and so can take steps to protect themselves. They're mostly relying on their Apache 'supplier' to produce a patch.

