Slashdot Mirror
Serious Apache Exploit Discovered
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.
What percentage of Apache hosts run on Windows? I'd guess maybe 10%, a generous estimate. This isn't something that's going to bring the entire web down. Also, wouldn't you have to enable mod_isapi manually?
This would have been useful in the summary. From the linked page:
While I'm sure it will impact many people, I'd still imagine the majority of Apache users are running it on a platform other than Windows
Platform. Microsoft Windows
But is this the final nail in the Apache 1.3 coffin?
Now the boss is going to be upset even when you tell them your version is not vulnerable.
7 out of the first 8 posts agree that this is Windows only.
But I don't want to restart my Windows :\
In soviet Russia, God creates you!
http://httpd.apache.org/docs/2.0/mod/mod_isapi.html
ISAPI extension modules (.dll files) are written by third parties. The Apache Group does not author these modules, so we provide no support for them. Please contact the ISAPI's author directly if you are experiencing problems running their ISAPI extension. Please do not post such problems to Apache's lists or bug reporting pages.
MS bashing isn't really appropriate here. The module only runs on Windows (although there were some efforts to make it call out into WINE so you could run ISAPI modules on *NIX), but the vulnerability is entirely Apache's fault. It isn't doing any privilege separation or exploit mitigation, and it's running code at the highest possible privilege level, which makes this bug into a serious exploit. The same bug in a module that ran on Linux would result in a remote root exploit.
I am TheRaven on Soylent News
> The same bug in a module that ran on Linux would result in a remote root exploit.
Really?
ps -aef | grep apach
root 3029 1 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start /usr/sbin/apache2 -k start /usr/sbin/apache2 -k start
www-data 3072 3029 0 08:10 ? 00:00:00
www-data 3073 3029 0 08:10 ? 00:00:00
A Pirate and a Puritan look the same on a balance sheet.
I had to read the article to see it was Windows only . . . whew.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
There are many reasons why I wouldn't deploy a production (i.e. www-facing) webserver of any stripe running on Microsoft Windows, security being a big one of them.[1]
On the other hand, for some purposes (corporate intranet, for example), Apache on Windows has been a godsend--it's allowed us, for example, to migrate our internal apps to a Free platform gradually, while depreciating our existing Windows machines (and advocates) into oblivion.
---------------
1. Lots of people do, though. I'm pretty sure IBM and Oracle Websphere/Weblogic services all use Apache httpd at some level. Happy patching, boys and girls!
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
PFew... for a second i was worried wether my centos VPS with tomcat (apache based, you never know), would be vulnerable to this Thanks for putting my mind at ease :)
People, what a bunch of bastards
At a place I used to work, one of my coworkers reported a simple potential security problem: the username for the admin account on all our machines is the same as the computer's name. This just eliminates one less thing for a hacker to figure out. He was accused of "snooping", whatever that means, and almost lost his job. The only thing that saved him is a higher-up with a brain.
Whenever I hear a story about a person\firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similiar stories. It has trained to me keep my mouth shut about these problems.
I would really like to make a shirt that says: "This T-shirt has a serious exploit that allows a remote attacker to gain complete control."
It should be printed around the bottom hem for maximum effect.
Could also work on tighty whiteys.
I said I'd like to make it, not wear it. :-)
Apache on linux (at least in all the setups i've seen) starts as root so it can bind port 80 but then switches down to a lower privilage user to do the actual serving. Some damage could still be done of course but hopefully it's limited compared to the damage root can do.
Apache on windows defaults to running as "localsystem" (roughly the windows equivilent of root)
You can run it as another user but apparently ( http://httpd.apache.org/docs/2.0/platform/windows.html ) that user has to have "Act as part of the operating system" privilages. MS describes said privilages as "This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.".
So it seems either way to run Apache on windows you have to give it what ammounts to root privilages.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
I don't know whose fault it is but the idea of running ISS plugins under Apache on Windows scares me. Whose fault is it when you run naked through the "hot" ward snogging the e-bola patients? It's ironic that you end up getting sick because the pretty nurse you kissed had mono, but ... good lord, people...
MS bashing isn't really appropriate here.
You must either be new here or have a very short memory.
The same bug in a module that ran on Linux would result in a remote root exploit.
Apache does not normally run as root on Linux. Only on Windows.
Play on words here... Maybe its Lipstick on a pigs platform, as IIS SUCKS balls.
ISAPI == worthless in the context of using it for Apache. Most of its 'features' are well implemented in Apache with no need for ISAPI unless you're running very specialized apps that make extensive use of ISAPI.
Changing request data (URLs or headers) sent by the client # mod_rewrite .htaccess/apache.conf/conf.d
Controlling which physical file gets mapped to the URL # mod_rewrite
Controlling the user name and password used with anonymous or basic authentication #.htacess
Modifying or analyzing a request after authentication is complete # mod_rewrite
Modifying a response going back to the client #mod_rewrite
Running custom processing on "access denied" responses #mod_rewrite/mod_redirect...
Running processing when a request is complete # #/bin/bash-sh-perl-python-etc...
Run processing when a connection with the client is closed # #/bin/bash-sh-perl-python-etc...
Performing special logging or traffic analysis. # tcpdump/webalyzer
Performing custom authentication. #
Handling encryption and compression. # mod_ssl/mod_gzip
Bought the ticket, taking the ride.
You can still have undesirable security issues on dedicate web hosting servers, for three reasons. One: a remote root exploit allows the intruder to replace all of the data on your site with whatever malware/adware they feel like, or even post content to slander you. Two: they can still turn your web server into a spambot, something which is undesirable (or use it as a starting point for whatever other malicious attacks they feel like.)
It doesn't matter if "its just as bad". It isn't a "root exploit". It's highly inaccurate to call it one.
Muddling terms is how you end up with nonsense like not being able to tell programs from data.
Distinctions are important for just this reason.
Yes it still sucks.
A Pirate and a Puritan look the same on a balance sheet.
Why would Apache run as an Administrator on Windows? Even IIS doesn't do that these days.
99% huh? Bullshit.
I would be skeptical of any claim that even a "majority" of such websites were based on Windows. For a hosting provider, the extra hardware cost AND still lower performance of Windows just isn't worth it. Toss in higher licensing fees and a "pray to the black box" method of support, and you have yourself a losing business.
Now it's true that a SLIGHT majority of *parked/empty domains* might resolve to Windows webservers. I think that's what you meant, but spinning it the way you have done is... well, incredibly dishonest of you.
Thanks, jackass. Just what I wanted on a Monday morning: to update a half dozen Internet-facing source-based systems. Of course, it was a false alarm: submitter was too much of a toolbag to mention it was Windows-only.
(And, it being a Monday morning, I didn't initially notice the mention of mod_isapi. Of course.)
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I bought a netbook last week and tried to get on the internet with it at my favorite bar; the bar's router had something wrong with it and Windows couldn't find the DNS server. There seemed to be no way to tell Windows networking what the server address was. Meanwhile, a woman with an iPhone had no trouble using the wifi there. With earlier versions of Windows I had no trouble specifying a DNS server, and the help system is no help at all.
I'm more familiar with XP (which I know you can easily specify DNS with). Was this a Windows 7 Reduced Functionality for Netbooks (TM) version? I've noticed annoying things like that on my parents' computers. The worst is that "Users and Groups" is gone in the Computer Management MMC, so those tasks have to be done via command line. Windows 7 Enterprise is better than XP (wow, remote _and_ local IP settings and outgoing/incoming rules for Firewall? finally.), but the "home" versions are crippled in ways that make security difficult.
However, in regards to MS (and we're close to being offtopic here) when was the last time you heard about an Apache vuln? Apache is relatively solid
Both Apache and IIS are pretty secure, although I have no idea why you would run Apache on a Windows server.
My problems with MS, however, are philosophical. MS seems to revel in giving the finger to standards, from the backslash to everything else.
Oh dear, you didn't just claim that the forward slash was a standard, did you? MS-DOS 1 used the same conventions as CP/M and VMS for command line arguments: forward slash. When DOS 2.0 added directories, but they had to use backslash to prevent backwards compatibility problems. They couldn't use the Apple Mac's colon separator because they already used that for drive letters, and nobody wanted to be anything like VMS's square brackets []. (See, there really was no standard)
However, they did actually implement the paths using both / and \. You could change an environment variable to set the argument prefix. Then you could happily use "cd /DOS". Even today, both symbols work. You can try:
notepad c:\autoexec.bat
notepad c:/autoexec.bat
The only time where / doesn't work is when it may be interpreted as a command line option. So "cd /Windows" doesn't work, but "cd ./Windows" does work. The point is that there was no standard for directory separators because every operating system did things their own way. And even if they did differ, there was a valid reason to do so. It was not just "giving the finger to standards". There are examples of them not using standards, like the Outlook-Exchange interface (although they probably would have had to extend the interface to get it to work using the standards so there may have been no point).
As for your DNS story, of course Windows can set the DNS manually. Don't ask me to tell you where you set it, because they keep moving around the network configuration with every version of Windows. That really pisses me off. Every upgrade of Windows since Windows for Workgroups 3.11 has made networking harder. I don't know why they have to keep fiddling!
Whoosh. The output in the posting to which you replied was demonstrating that it's not a root exploit, it's an exploit of the account 'www-data'.
On web servers I run, all executable code (apache, log rotator, etc.) is on a partition mounted readonly and nosuid. Data is on a partition mounted noexec. Nothing in the file system outside of /tmp is writable by www-data. So compromising that account gets you very little. You can't run code (except in the web server's scripting context, which doesn't get you any farther than you were when you compromised it - and doesn't get you any closer to running code as root), you can't change files. All you can hope to do is mess with the database; basically the same as what you could do if you found a hole in the site scripts.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
Muddling terms is how you end up with nonsense like not being able to tell programs from data.
But windows admins can't tell data from programs. They put both under c:\program files
Dedicated webservers are actually far more attractive targets to attackers, they are likely to have a lot more upstream bandwidth available to them than a typical end user making them ideal for spam, ddos, and scanning for other machines to infect, or they could merely reuse the existing webserver as a delivery mechanism for malware or phishing sites.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Apache has to run as root at some point or else it can't bind to port 80. What you see from ps is after apache had setuid and forked. You can do the same thing in windows, but don't you agree it falls upon apache to do spawn processes as an unprivileged user? If you remember back in Apache 1 days, it was the same way in Linux, you had to run as root or load it as a plugin for inetd if you wanted to run it on port 80. I remember back in the days when we were using ipfwadm to forward all packets with server port 80 dest to port 8080 just so we could run Apache as a regular user. And even then it didn't work right all the time. In this specific case, I really don't see any reason to blame the OS.
Where is the "Ignorant" mod tag?
although I have no idea why you would run Apache on a Windows server.
Because sometimes you're forced to use a Windows server platform yet at the same time are under budget constraints and can't afford Microsoft's licensing models.
Apache does not run as Administrator on Windows. I'm afraid it is worse than that, it runs as LocalSystem, which is more analogous to root than Administrator is. Even if you configure the service to run as a different account, it requires the "Log on as a service" and "Act as part of the operating system" privileges. Might as well use LocalSystem.
Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
IIS, since version 6, has had fewer vulnerabilities than Apache has, however, neither have been particularly holey.
Are you seriously about the backslash? Microsoft actually WAS following the standard, the standard being CP/M.
As for your DNS problems, i've noticed on some firewalls, the IPv6 implementation seems to interfere with things on occasion. If you disable IPv6, things will work.
As for manually setting them, it works exactly the same way it always has.
If you need web hosting, you could do worse than here
If you cant upgrade, simply go into \conf\apache.conf and comment out the line that loads aspi:
#LoadModule isapi_module modules/mod_isapi.so
restart apache service and you should be good to go.
And to all those people who are like 'lolz! who runs apache on windows lolz!', i would say plenty of people. Because apache is far far far far far superior to ISS. Hopefully they have done it like me and made a low privilege local user to run it. It takes a bit more work but not much.
As a potential lottery winner, I totally support tax cuts for the wealthy
Apparently, there were regressions with the build.
Here's revision 2 of Apache 2.2.15 with OpenSSL. Preliminary reports indicate that it works like it should.
Use ISO 8601 dates [YYYY-MM-DD]