Vulnerability in NCSA and Apache httpd Servers
INFORMATION BULLETIN
G-20: Vulnerability in NCSA and Apache httpd Servers
April 16, 1996 18:00 GMT
PROBLEM: A vulnerability exists in the httpd servers provided by NCSA and the Apache organization
PLATFORM: All systems capable of running either httpd
DAMAGE: A user can potentially gain the same access privileges as the httpd server
SOLUTION: For NCSA httpd, upgrade to the latest version; for Apache httpd, install the patch described below
VULNERABILITY ASSESSMENT: This vulnerability can lead to compromise of a web server
[ Start IBM Bulletin ]
EMERGENCY RESPONSE SERVICE
SECURITY VULNERABILITY ALERT
16 April 1996 16:00 GMT Number: ERS-SVA-E01-1996:002.2
===============================================================================
UPDATE TO ERS-SVA-E01-1996:002.1
I. Description
This Security Vulnerability Alert provides updated information about
the NCSA HTTPD and Apache HTTPD Common Gateway Interface vulnerability
described in ERS-SVA-E01-1996:002.1, which was released on 26 February
1996.
ERS-SVA-E01-1996:002.1 described a vulnerability in the
escape_shell_cmd() function contained in the Common Gateway Interface
sample code file "cgi-src/util.c", provided with NCSA HTTPD Version
1.5 and earlier, or Apache HTTPD Version 1.0.3 and earlier. This
vulnerability allowed a malicious user to embed the newline character
(hexadecimal 0A) in a query, allowing an arbitrary shell command to be
executed by the HTTPD server.
IBM-ERS has learned that the escape_shell_command() function is also
contained in the server source code file, "src/util.c". Note that the files
"src/util.c" and "cgi-src/util.c" are not identical; however, they contain
identical copies of the escape_shell_command() function. The file
"src/util.c" is used to build the HTTPD server; therefore the "newline"
vulnerability exists in the server itself.
II. Impact
A malicious user who knows how to exercise this vulnerability may have
the ability to:
1. Execute arbitrary commands on the server host using the same
user-id as the user running the "httpd" server. If "httpd" is
being run as "root," the unauthorized commands are also run as
"root."
2. Access any file on the system that is accessible to the user-id
that is running the "httpd" server. If the "httpd" server
user-id has read access to the file, the attacker can also read
the file. If the "httpd" server user-id has write access to the
file, the attacker can change or destroy the contents of the
file. If the "httpd" server is being run as "root," the attacker
can read, modify, or destroy any file on the server host.
3. Given an X11-based terminal emulator ("xterm" or equivalent)
installed on the "httpd" server host, gain full interactive
access to the server host just as if he were logging in locally.
III. Solutions
IBM-ERS recommends that you consider taking the following actions
(subject to any licensing restrictions that may apply to your copies
of the programs):
1. If you are using NCSA HTTPD, upgrade to Version 1.5.1, which does not
contain this vulnerability.
NCSA HTTPD Version 1.5 is available from:
ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/current/httpd_1.5.1-export_source.tar.Z
2. If you are using Apache HTTPD, locate the escape_shell_command()
function in the file "src/util.c" (approximately line 430). In
that function, the line that reads
if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
should be changed to read
if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
The server should then be recompiled, reinstalled, and restarted.
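To show why appending "\n" to the metacharacter list closes the hole, here is an added example (not the server's own escape_shell_cmd(), which edits its buffer in place): a reconstruction of the escaping logic parameterised by the two lists quoted above, plus a check that counts newlines still live after escaping. The helper names escape_for_shell and unescaped_newlines and the sample query are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metacharacter lists as quoted in the bulletin: the original (no newline)
 * and the corrected one (newline appended). */
static const char OLD_META[] = "&;`'\"|*?~<>^()[]{}$\\";
static const char NEW_META[] = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Backslash-escape every byte of `in` that appears in `meta`.
 * Returns a malloc'd string the caller frees (hypothetical helper). */
char *escape_for_shell(const char *in, const char *meta)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);      /* worst case: every byte escaped */
    if (!out) return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        if (strchr(meta, *s) != NULL)   /* *s is never NUL here */
            *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Count newline bytes that are not consumed by a preceding backslash.
 * sh treats backslash-newline as line continuation, so such a newline is
 * harmless; a bare newline ends the command and starts a new one. */
int unescaped_newlines(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i]; i++) {
        if (s[i] == '\\') { if (s[i + 1]) i++; continue; }  /* skip escaped byte */
        if (s[i] == '\n') count++;
    }
    return count;
}

int main(void)
{
    const char *query = "alice\nid";   /* constructed sample with an embedded 0x0A */
    char *old = escape_for_shell(query, OLD_META);
    char *fixed = escape_for_shell(query, NEW_META);
    printf("old list:   %d live newline(s)\n", unescaped_newlines(old));    /* 1 */
    printf("fixed list: %d live newline(s)\n", unescaped_newlines(fixed));  /* 0 */
    free(old);
    free(fixed);
    return 0;
}
```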
IV. Acknowledgements
IBM-ERS would like to thank the NASA Automated Systems Incident
Response Capability (NASIRC) for providing the information contained
in this update. NASIRC in turn acknowledges Ken Bell of NASA Goddard
Institute for Space Studies for bringing this vulnerability to their
attention, and the NCSA HTTPD Development Team for confirming the
problem and the fix.
IBM-ERS would also like to thank Jennifer Myers, a post-doctoral
fellow at Northwestern University, who originally discovered the
vulnerability described in ERS-SVA-E01-1996:002.1, and made public the
description of the problem and its solution. This acknowledgement was
omitted from the original alert.
===============================================================================
Copyright 1996 International Business Machines Corporation.
[ End IBM Bulletin ]
CIAC wishes to acknowledge the contributions of the IBM Emergency
Response Service (IBM-ERS) for the information contained in this
bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788