Apache Web Server Security IssuesBrief History of Apache Web ServerWeb Server StatisticSome Known Apache Security Issues In Earlier ReleasesRecent Security Issues All ReleasesSecurity Problem in mod_ssl and Apache-SSLLatest Security Warning Issued June 2002What can it do?F-Secure Notice of ProblemEffects to DateWhat’s the Big StinkLessons LearnedWhat does this mean?ReferencesPowerPoint PresentationApache Web Server Security IssuesCSIS 4490 – UNIX Administration and SecuritySummer 2002Dr. Ken HogansonBy: Tracy C. GuthrieJuly 16, 2002Brief History of Apache Web ServerFrom the Apache HTTP Server Project page at http://httpd:apache.org/ABOUT_APACHE.htmlMarch 1995, Rob McCool leaves the National Center for Supercomputing Applications to start the Apache project.Apache name comes from the fact that this server is built from NCSA code patches, “a patchy” server.April 1995, the first public release of Apache Web Server is made available.March 1996, Apache Web Server 1.1 is released with increased server functionality.In less than a years time the Apache Web Server becomes the most widely used web server software according to a survey by Netcraft and has remained in that position since.Web Server StatisticDeveloperMay 2002PercentJune 2002Percent ChangeApache 10411000 65.11 10964734 64.42 -0.69Microsoft 4121697 25.78 4243719 24.93 -0.85iPlanet 247051 1.55 281681 1.66 0.11Zeus 214498 1.34 227857 1.34 0.00http://www.netcraft.com/survey/Some Known Apache Security Issues In Earlier ReleasesApache chunked encoding problems allow possible system abuse, DNS attacks, and remote execution of code.Win32 port problem on Apache provides the ability for remote infiltrators to execute commands using values that are sent through CGI batch scripts. The handling of Host: headers in Mass virtual hosting setups can allow access to any file on the server.Cross-site scripting can reveal private session information through the use of embedded HTML tags in a client requests with insufficient encoding that could lead to the release of private cookies used to verify a users identity at other sites.Other known issues include multiple issues relating to bugs that have been used to perform DNS attacks and situations that have caused web server requests to return directory and directory listings rather than the requested web page.http://www.apacheweek.com/features/security-13Recent Security Issues All ReleasesFebruary 2002 - Security Problem in mod_ssl and Apache-SSLJune 2002 - Chunked Encoding Handling IssueSecurity Problem in mod_ssl and Apache-SSLFebruary 23, 2002 a buffer overflow problem is identified in Secure Socket Layer code or more specifically the mod_ssl and Apache_ssl.The specific problem causing the buffer overflow issue deals with dbm and shm session cache instructions that do not initialize memory properly.This bug affected all versions of the web server software. Only servers that are allowing signed or secure client certificates are vulnerable.This opens the possibility of a perpetrator running code that is supposedly signed by a trusted client.Since the server believes that the code is being executed by a trusted source then this rouge code is executed from the server with the rights assigned to that source.This particular problem offered limited exposure due to the fact that a perpetrator would need to obtain a valid security certificate to take advantage of this problem.http://www.apacheweek.com/issues/02-03-01#securityLatest Security Warning Issued June 2002June 17, 2002, ISS and the Apache Software Foundation issued an advisory about possible exploit code that could issue denial of service attacks.It was initially stated that this problem only affected version 1.3 and earlier releases of the Apache HTTP Server Software.June 20, 2002, Apache software issued another alert stating that this exploit could affect all versions of the Apache HTTP Web Server, and that the problem could involve more than DNS attacks.After more careful analysis of the bug the experts determined that the issues revolve around the way that the Apache software handles encoded requests using chunked encoding routines.Note: According to the site www.truesecure.com, chunked encoding is used to transfer pieces of data of unknown size between the web server and the web client. Apache has issues in the math that is used to calculate the buffer size and allocates a buffer that is too small leading to buffer overflows that can lead to a host of security issues. http://www.apacheweek.com/issues/02-06-21#security, http://httpd.apache.org, http://httpd.apache.org/info/security_bulletin_20020620.txt, http://www.trusecure.com/knowledge/hypeorhot/2002/tsa02009.shtmlWhat can it do?In the security bulletin issued by the Apache Software Foundation, http://httpd.apache.org/info/security_bulletin_20020620.txt, the known or identified issues with this bug to date are:1. Execution of code on the server with the permission level of a child process which is a sub-process or a thread of the original process.2. Can lead to further vulnerabilities including the ability to gain root access.3. The very least that the process can do is provide an avenue for performing a denial of service attack.F-Secure Notice of ProblemF-Secure has identified the root cause of this problem as a worm known as Scalper, Scalper.A or another alias is Unix/Scalper.A.As of June 29, 2002 F-Secure had not received any notice of actual infected servers running the FreeBSD Apache HTTP Web Server software.In test that were perfomed by F-Secure if the worm finds access to the server it:1. Creates an un-encoded worm file in the /tmp directory called .uua that is decoded and executed as /tmp/.a and this also deletes the original unencoded .uua file.2. After execution the rouge program creates a backdoor at UDP Port 2001 and scans the server to see if it is running Apache server software. If the answer is yes, the virus attempts to infect the server.3. If the server is successfully infected then the problems listed in the previous slide are possible and the remote processes can be submitted at the same level or privilege class as the server itself.4. The worm creates no known changes to the system configuration files and is not hidden in the process list.http://www.f-secure.com/v-descs/scalper.shtmlEffects to DateThe findings listed below are mentioned in the article, Worm exploits