Apache 2.0 r00ted on NetWare, Windows, OS/2
An anonymous reader writes "A flaw in Apache 2.0's interpretation of the backslash delimiter allows for a remote r00ting on NetWare, Windows, and OS/2. InfoWorld has an overview; the attack was discovered by PivX's Auriemma Luigi, and he describes it in this technical document. I don't know whether there is such a thing as an OS/2 shop anymore, and most Microsoft shops probably run IIS, but Apache now ships as the default web server for NetWare 6, so Novell shops: Take note. A patch is available from Apache, and Luigi describes a workaround in his article."
First off, how can you get root on windows?
Turn it on.
Cough, another repeat. http://apache.slashdot.org/article.pl?sid=02/08/10/0058246&mode=thread&tid=148
Well, most people start up apache as root, since it's the easiest way to run apache as 'nobody/nogroup'...
"Can of worms? The can is open... the worms are everywhere."
Apache 2.0.40 was released August 9th, fixing the hole. You can read the advisory, but you should have upgraded already. The real news is that many Apache web servers are still unpatched. Won't admin's ever learn?
The bug only provides information about the target server; that's not a root exploit last time I checked. Also it's a repeat story.
Move along. Nothing here
In SOVIET RUSSIA the hot grits profit you!
What is the deal with NetWare, exactly?
:)
The term "Apache 2.0 r00ted on NetWare" implies that NetWare is an operating system. I was under the impression NetWare ran as a bunch of services on top of Win NT or something like that. Is that the case, or does NetWare run as an OS, directly on the hardware?
If it is the former, is there a special version of Apache that uses NetWare on top of Windows? If this is the case, I assume that it is using the IPX protocol instead of TCP/IP... what is the advantage of this? If it's not this, what is the difference? What makes Apache on NetWare different than Apache on Windows?
Any insight would be much appreciated-
Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
Having worked for a handful of years in a small office that ran OS/2 on all machines, I had quite a chuckle when I walked past an ATM machine one day and immediately recognised the old "Trap D" blue screen. It happens. OS/2 is (was) pretty nice, but no OS is immune from lockups. This was in May of 1998, in the lobby of an airport in Munich.
The first bug was a "helpful" error message, giving you the _exact_ path of the Apache installation when asking for a file in the error directory. This is really the kind of fault we expect from Microsoft (always trying to be more "user-friendly" than secure).
The second bug was even worse. Apache didn't interpret '\' as a "dangerous" character in URLs. And neither was \..\..\..\WINNT\system32\ looked at as especially suspicious. With all the press Nimda and Code Red got, it wouldn't be so hard to think that Apache wouldn't make the same mistake AFTER Microsoft, but did they... Oh, yes...
In IIS, the final nail in the coffin when it comes to security is the fact that it runs under the privileges of SYSTEM. Anyone know what Apache on NT/2k runs as?
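The two path checks the comment above contrasts, as an added illustration that is not Apache's code or the commenter's: a resolver that only recognises "/" as a separator (so a ".." hidden behind backslashes is never seen) beside one that also treats "\" as a separator, which is how the filesystem on Windows, NetWare and OS/2 reads it. The request strings are constructed for the example.

```python
# Added example, not code from Apache or from the commenter. It models the
# two behaviours described above: a traversal check that only looks for "/"
# as a separator beside one that treats "\" as a separator as well.
from urllib.parse import unquote


def _segments(path, separators):
    """Percent-decode the request path once (as a server would), then
    split it on every character given in `separators`."""
    decoded = unquote(path)
    for sep in separators:
        decoded = decoded.replace(sep, "/")
    return [seg for seg in decoded.split("/") if seg not in ("", ".")]


def resolve(path, separators):
    """Return the path relative to the document root, or None when the
    request would climb above it. Only characters in `separators` count
    as separators; anything else stays inside a single segment."""
    depth = []
    for seg in _segments(path, separators):
        if seg == "..":
            if not depth:
                return None  # would escape the document root
            depth.pop()
        else:
            depth.append(seg)
    return "/".join(depth)


def naive_resolve(path):
    """Mirrors the flawed handling: only '/' is a separator, so a
    backslash-delimited '..' run passes as one harmless-looking name
    that the OS then resolves upward."""
    return resolve(path, "/")


def hardened_resolve(path):
    """Also treats '\\' as a separator (including percent-encoded %5c,
    which unquote restores), so every '..' segment is visible to the check."""
    return resolve(path, "/\\")


if __name__ == "__main__":
    # Constructed request using the traversal pattern quoted in the comment.
    req = "/error\\..\\..\\..\\WINNT\\system32\\"
    print("naive   :", naive_resolve(req))     # passes through unchanged
    print("hardened:", hardened_resolve(req))  # None: rejected as traversal
```

The same hardened resolver also rejects the percent-encoded form (%5c for the backslash, %2e%2e for the dots), since decoding happens before the split.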
Apache 2.0? It's been marked for release for months now. In fact, if you go to the Apache download page linked in the article header you'll see that they list 2.0.40 as the 'best available version'.
Bleh!
While I'm sure this will look like anti-MS propaganda, there are certain points to be made here. I have strong negative feelings about the quality of MS's security approach in (1) minimizing local break-in damage, (2) keeping software from having holes, (3) keeping software from being attacked, and (4) vendor bug response approach.
MINIMIZING BREAK-IN DAMAGE
Yes, services on Windows *can* run as all different users, a la UNIX -- I have ftp, pdnsd, apache, junkbust, squid, xfs, postfix, and sshd set up on my Linux box by default. However, in Windows, *usually*, and *by default* they don't.
Dunno whether Apache for Windows is set up as its own user by default, but most services for Windows don't take advantage of this. You could say that this isn't MS's fault, that there's just less of a multi-user culture around Windows than UNIX, but the fact is that Windows boxes are generally more vulnerable to full compromise in a break-in.
Second, Windows has no concept of "chroot". If I lock something in a chroot jail on UNIX, a hole in a server means next to nothing to me. You broke the server? The files served by the server had better be valuable in and of themselves, since you can't get at or see anything else. This doesn't affect most out-of-box distros, since most distros don't go to the trouble of using chroot -- but sites that really value security do use chroot. On Windows, there is no such available option.
Basically, UNIX has a better ability to sandbox, and its capabilities are much more widely used than on Windows -- your average server software developer takes advantage of them on UNIX -- but not on Windows.
KEEPING APPLICATIONS FROM BEING BUGGY
This is a Windows-specific pathname issue. There have been more Windows-specific pathname exploits in Windows servers than I can count. The MS approach of having an extremely convoluted pathname system (particularly files having non-unique names with the backwards compatible 8.3 support) has led to many, many issues with servers. IIS has had numerous holes involving this, and it seems like just about every Windows FTP or Web server has suffered from this at one point or another.
Next, people often complain that UNIX doesn't have ACLs, whereas Windows does. ACLs seem really attractive -- a very easy way to do security work. The problem is that they are much more complicated, and orders of magnitude harder to audit for holes, than the minimalist UNIX security model. Most break-ins are not due to someone literally not having fine-grained enough security -- they're almost always the fault of misconfiguration, which a simpler security model makes massive improvements in. If anyone's ever admined a VMS box, you know what I'm talking about -- trying to assure that your box has *no* routes for someone to gain control of the box can be interesting, despite VMS's very fine-grained security model.
Out of box Windows file and registry permissions still hurt the security of Windows boxes -- they aren't as insanely bad as in NT 4.0 out of box any more, but most application vendors are still living in a 9x world, and are focused on adding features, not on maintaining the security model.
Too many Windows subsystems break the Windows security model. I wouldn't trust DirectX and all the non-core stuff on Windows not to have holes -- and yet they pose a threat to local security.
As mentioned a while ago in the "shatter attack" article on Slashdot, the windowing model for Windows that worked so well for writing GUI applications easily (well, easily compared to raw Xlib, though Lord knows gtk knocks Win32 into a cocked hat) isn't a very good system from a security standpoint.
KEEPING BUGGY APPLICATIONS FROM BEING ATTACKED
Linux has powerful (granted, not very easy to use, at least without a wrapper) firewalling/routing capabilities through iptables. If your box is ignoring everything on port 22 from outside the computers on your three-person team at your company, it's rather harder to exploit, say, SSH buffer overflows, or even find a vulnerable server.
Windows has Zone Alarm (and probably other local firewalls, but this is definitely the popular one). Now, this is probably nice for a workstation, but it doesn't compare with iptables in performance, and it doesn't provide the level of control that iptables does. If my internal web server running Apache isn't exposed to people not in my workgroup, then there isn't going to be much exploitation of the server.
MS BUG RESPONSE APPROACH
It's not really all that fair to compare the "46 minute" response time of open-source developers to MS's response time. Yes, in extreme situations someone could get the patch and apply it, in cases of something like the Internet Worm II. Most companies are going to wait for their vendor, be it Red Hat or SuSE or whatever, to come out with a packaged, QAed and supported update. That being said, these fixes still usually come out before MS's fixes. Furthermore, MS eliminates a bunch of their quality guarantees that they provide on Service Packs when you're using HotFixes. Red Hat (at least -- I haven't checked with other vendors) doesn't do that. Their bugfixes are just as fully supported, just as guaranteed to roll back, as their release software. That means that their updates better compare to Service Packs, which take forever and a day to come out after an exploit. So MS usually takes a long time to fix bugs.
Also, MS's primary to-end-user bugfix distribution format is Windows Update. Windows Update is one of the least impressive update systems I've seen yet -- it's used to update system software, yet it relies on a huge amount of application and system software. If it screws up, you're dead. And I've had a number of unpleasant experiences with Windows Update failing one way or another -- for example, once I had a bluescreen on a reboot after updating and trying to run MSIE (keep in mind that this is an NT-line kernel, not 9x). I've seen error dialogs during updates, and other semi-disturbing blemishes. After two incidents where Windows Update rendered boxes unbootable, I've taken to not running Windows Update (even to fix security issues) unless I have a known free two days to reinstall the OS and get everything running wrinkle-free again if something goes hideously wrong.
Furthermore, because of the way Windows does file and DLL locking (stupid, stupid -- ever try moving/deleting/renaming an open file under Windows? Combined with Explorer sometimes leaking file handles, this is a royal PITA), low-level updates usually require a reboot. The only Linux update that requires a reboot is a kernel update (though updating a desktop environment or a WM requires logging out and back in again to see the changes). Finally, I've ripped out much of my RPM-based Linux system and put in back in (bits of different distros, bits of devel-branch software) and always had smooth moves, nothing that could make my system unbootable. I feel a lot more confident in an RPM installation or uninstallation than I do in a Windows update.
Anyway, just my two cents -- just wanted to point out that this issue can still be partly blamed on Windows security issues, and not wanting people to lose sight of the areas in which MS needs to improve.
May we never see th
Netware 6 ships with Apache 1.3.22 and Tomcat 3.3. It is NOT vulnerable to this particular exploit. Note that some Netware 6 services also use the Netware-Enterprise-Web-Server 5.1 from defunct Novonyx, a joint effort of Novell and Netscape.
Now, Apache does offer a 2.x version that also runs on Netware. So, it is possible for someone to upgrade their Netware server from 1.3.22 to 2.x, but this is not how Novell ships it. Additionally, most Netware shops will take their updates only from Novell; therefore, I would be surprised if there were many Apache 2.x servers running on Netware.
My only reply is that this breaks down because, especially in this context, the word 'administrator' is commonly abbreviated to 'admin', without having to use punctuation e.g. "admin." So, because the term is commonly & familiarly abbreviated without punctuation, and because using the apostrophe raises ambiguity over whether the writer meant possession, abbreviation, or was just being sloppy, I still stand by my point that the word is better expressed without the apostrophe.
But still, you make a very entertaining argument and I won't try to change your mind about it if you're that set on it :-)
DO NOT LEAVE IT IS NOT REAL
The 68000 file servers were needed in the days when PCs weren't quite powerful enough to serve large networks.
Yes, I have seen OS/2 GPF screens too.
OS/2 did a whole lot better running on a 486 with 20 MB than Windows NT. [yes, I did this :)] It also runs quite nicely without having a paging file greater than installed memory. That is, you can run OS/2 quite nicely with a 10M swapper.dat.
It's fairly easy to optimise: I burnt cdroms under OS/2 on my 486, using a specially modified (ie thinned out) version of OS/2 3.0,
Also, there is a neat little program called allocmem, which unloads unused DLLs in core to the swap file, giving heaps more usable RAM.
OS/2 - because choice is a terrible thing to waste.