Serious Apache Exploit Discovered
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.
This would have been useful in the summary. From the linked page:
While I'm sure it will impact many people, I'd still imagine the majority of Apache users are running it on a platform other than Windows
7 out of the first 8 posts agree that this is Windows only.
MS bashing isn't really appropriate here. The module only runs on Windows (although there were some efforts to make it call out into WINE so you could run ISAPI modules on *NIX), but the vulnerability is entirely Apache's fault. It isn't doing any privilege separation or exploit mitigation, and it's running code at the highest possible privilege level, which makes this bug into a serious exploit. The same bug in a module that ran on Linux would result in a remote root exploit.
I am TheRaven on Soylent News
> The same bug in a module that ran on Linux would result in a remote root exploit.
Really?
ps -aef | grep apach
root 3029 1 0 08:10 ? 00:00:00 /usr/sbin/apache2 -k start /usr/sbin/apache2 -k start /usr/sbin/apache2 -k start
www-data 3072 3029 0 08:10 ? 00:00:00
www-data 3073 3029 0 08:10 ? 00:00:00
A Pirate and a Puritan look the same on a balance sheet.
The extension module DLL's are third party.
The core isapi apache module is all apache, and that's where the bug is.
I had to read the article to see it was Windows only . . . whew.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
At a place I used to work, one of my coworkers reported a simple potential security problem: the username for the admin account on all our machines is the same as the computer's name. This just eliminates one less thing for a hacker to figure out. He was accused of "snooping", whatever that means, and almost lost his job. The only thing that saved him is a higher-up with a brain.
Whenever I hear a story about a person/firm reporting security risks, I am reminded of the story of my coworker, and I have heard too many similar stories. It has trained me to keep my mouth shut about these problems.
I would really like to make a shirt that says: "This T-shirt has a serious exploit that allows a remote attacker to gain complete control."
It should be printed around the bottom hem for maximum effect.
Could also work on tighty whiteys.
I said I'd like to make it, not wear it. :-)
Apache on Linux (at least in all the setups I've seen) starts as root so it can bind port 80 but then switches down to a lower privilege user to do the actual serving. Some damage could still be done of course but hopefully it's limited compared to the damage root can do.
Apache on Windows defaults to running as "LocalSystem" (roughly the Windows equivalent of root).
You can run it as another user but apparently ( http://httpd.apache.org/docs/2.0/platform/windows.html ) that user has to have "Act as part of the operating system" privileges. MS describes said privileges as "This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user."
So it seems either way to run Apache on Windows you have to give it what amounts to root privileges.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
MS bashing isn't really appropriate here.
You must either be new here or have a very short memory.
The same bug in a module that ran on Linux would result in a remote root exploit.
Apache does not normally run as root on Linux. Only on Windows.
It doesn't matter if "it's just as bad". It isn't a "root exploit". It's highly inaccurate to call it one.
Muddling terms is how you end up with nonsense like not being able to tell programs from data.
Distinctions are important for just this reason.
Yes it still sucks.
A Pirate and a Puritan look the same on a balance sheet.
However, in regards to MS (and we're close to being offtopic here) when was the last time you heard about an Apache vuln? Apache is relatively solid
Both Apache and IIS are pretty secure, although I have no idea why you would run Apache on a Windows server.
My problems with MS, however, are philosophical. MS seems to revel in giving the finger to standards, from the backslash to everything else.
Oh dear, you didn't just claim that the forward slash was a standard, did you? MS-DOS 1 used the same conventions as CP/M and VMS for command line arguments: forward slash. When DOS 2.0 added directories, they had to use backslash to prevent backwards compatibility problems. They couldn't use the Apple Mac's colon separator because they already used that for drive letters, and nobody wanted to be anything like VMS's square brackets []. (See, there really was no standard)
However, they did actually implement the paths using both / and \. You could change an environment variable to set the argument prefix. Then you could happily use "cd /DOS". Even today, both symbols work. You can try:
notepad c:\autoexec.bat
notepad c:/autoexec.bat
The only time where / doesn't work is when it may be interpreted as a command line option. So "cd /Windows" doesn't work, but "cd ./Windows" does work. The point is that there was no standard for directory separators because every operating system did things their own way. And even if they did differ, there was a valid reason to do so. It was not just "giving the finger to standards". There are examples of them not using standards, like the Outlook-Exchange interface (although they probably would have had to extend the interface to get it to work using the standards so there may have been no point).
As for your DNS story, of course Windows can set the DNS manually. Don't ask me to tell you where you set it, because they keep moving around the network configuration with every version of Windows. That really pisses me off. Every upgrade of Windows since Windows for Workgroups 3.11 has made networking harder. I don't know why they have to keep fiddling!
Apache does not run as Administrator on Windows. I'm afraid it is worse than that, it runs as LocalSystem, which is more analogous to root than Administrator is. Even if you configure the service to run as a different account, it requires the "Log on as a service" and "Act as part of the operating system" privileges. Might as well use LocalSystem.
Said, "It's just like dice but it's got more sides And it tells me who lives and who dies"
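The two posts above about privilege levels (the one describing Apache on Linux starting as root to bind port 80 and then switching to a lower privilege user, and the one about the Windows service running as LocalSystem) describe a check an administrator can actually run. Below is an added audit script, not code from the thread or from the Apache project: it parses the kind of `ps -aef` listing quoted earlier in the thread and the `SERVICE_START_NAME` line that `sc qc <service>` prints on Windows, and flags Apache processes that handle requests with root or LocalSystem privileges. The process listings and the `sc qc` output embedded below are constructed samples, and the service name `Apache2.2` is assumed.

```python
"""Audit which account Apache's processes run under, from process listings.

Added example (not from the Slashdot thread or the Apache project). It reads
the `ps -aef` format quoted in the thread and the `SERVICE_START_NAME` line of
`sc qc <service>` on Windows. All sample listings below are constructed.
"""
import re

# Constructed sample, modelled on the `ps -aef | grep apach` output in the thread:
# the parent (PID 3029) runs as root so it can bind port 80, the workers as www-data.
PS_OUTPUT_OK = """\
root      3029     1  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3072  3029  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3073  3029  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
"""

# Constructed sample of a misconfigured host whose worker never dropped privileges.
PS_OUTPUT_BAD = """\
root      3029     1  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
root      3072  3029  0 08:10 ?        00:00:00 /usr/sbin/apache2 -k start
"""

# Constructed sample of the relevant lines from `sc qc Apache2.2` on Windows
# (service name assumed; LocalSystem is the default the thread describes).
SC_QC_OUTPUT = """\
SERVICE_NAME: Apache2.2
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe" -k runservice
        SERVICE_START_NAME : LocalSystem
"""

# ps -aef columns: UID PID PPID C STIME TTY TIME CMD (the header line does not match).
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.+)$"
)


def parse_ps(output):
    """Return (user, pid, ppid, cmd) for every apache/httpd process in a `ps -aef` listing."""
    procs = []
    for line in output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if "apache" in cmd or "httpd" in cmd:
            procs.append((m.group("user"), int(m.group("pid")), int(m.group("ppid")), cmd))
    return procs


def audit_linux(output):
    """Flag Apache processes running as root other than the listening parent.

    The parent must start as root to bind port 80; every worker that serves
    requests should have switched to an unprivileged account such as www-data.
    """
    procs = parse_ps(output)
    pids = {pid for _, pid, _, _ in procs}
    findings = []
    for user, pid, ppid, cmd in procs:
        is_parent = ppid not in pids  # parent is not itself an Apache process (e.g. init)
        if user == "root" and not is_parent:
            findings.append(f"worker pid {pid} runs as root: {cmd}")
    return findings


def audit_windows(output):
    """Flag an Apache service whose logon account is LocalSystem (the Windows analogue of root)."""
    for line in output.splitlines():
        if line.strip().startswith("SERVICE_START_NAME"):
            account = line.split(":", 1)[1].strip()
            if account.lower() in ("localsystem", "nt authority\\system"):
                return [f"service runs as {account}; requests are handled with full system privileges"]
            return []
    return ["SERVICE_START_NAME not found in output"]


if __name__ == "__main__":
    for name, listing in (("ok", PS_OUTPUT_OK), ("bad", PS_OUTPUT_BAD)):
        print(name, audit_linux(listing) or "no findings")
    print("windows", audit_windows(SC_QC_OUTPUT))
```

On a live Linux host, feed it the output of `ps -aef` instead of the constructed sample; on Windows, the output of `sc qc Apache2.2` (substituting the real service name). A root-owned parent with unprivileged workers is the expected shape; any root-owned worker, or a service logging on as LocalSystem, means a bug in the request path runs with the privileges the thread is arguing about.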