Security Vulnerability in the Apache Web Server "mod_alias" and "mod_rewrite" Modules

StatusIssued

DescriptionTop
Sun(sm) Alert Notification
  • Sun Alert ID: 101444 (formerly 57496)
  • Synopsis: Security Vulnerability in the Apache Web Server "mod_alias" and "mod_rewrite" Modules
  • Category: Security
  • Product: Solaris 9 Operating System, Solaris 8 Operating System
  • BugIDs: 4948830
  • Avoidance: Patch
  • State: Resolved
  • Date Released: 10-Feb-2004, 11-Oct-2004
  • Date Closed: 11-Oct-2004
  • Date Modified: 11-Oct-2004, 20-Sep-2004, 12-Aug-2005

1. Impact

A local or remote unprivileged user may be able to execute arbitrary code with the privileges of the Apache HTTP process on Solaris 8 and Solaris 9 systems when running the bundled version of Apache. This is due to a buffer overflow in the Apache modules "mod_alias" and "mod_rewrite".

This issue is described at the following sites:

The Apache 1.3.29 and the 2.0.48 release announcements:

CAN-2003-0542:

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

x86 Platform

Note 1 This Sun Alert originally reported that Solaris 8 systems without patch 116973-01 or 116974-01 were impacted by these issues. However, as per Sun Alert 101841 (at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1), these issues may still occur on Solaris 8 systems with patches 116973-01 or 116974-01.

A system is only vulnerable to this issue if the Apache web server has been configured and is running on the system. The following command can be executed to check if the Apache(1M) httpd daemon is running on the system:

    $ /usr/bin/ps -ef | grep httpd
    nobody 103892 102307  0   Jan 20 ?        0:27 /usr/apache/bin/httpd

Apache was not bundled with Solaris prior to Solaris 8. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk. See the Apache URL referenced above for information on where to download the latest Apache versions which address this issue.

This vulnerability involving the Apache "mod_alias" and "mod_rewrite" modules is present in Apache web servers versions 1.3 through 1.3.28 and 2.0 through 2.0.47.

To determine the version of Apache installed, the following command can be executed:

    $ /usr/apache/bin/httpd -v
    Server version: Apache/1.3.27 (Unix)
    Server built:   Nov  1 2002 16:16:4

3. Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized uid "nobody" access to a host.


Solution SummaryTop

4. Relief/Workaround

Some relief to the buffer overflow is available by enabling non-executable user stacks (although this does not provide 100 percent protection against exploitation of this vulnerability, it makes the likelihood of a successful exploit much smaller). This workaround is only effective on the following architectures:

  • sun4u
  • sun4m
  • sun4d

Note: This workaround will not work on Intel platforms.

To determine a systems architecture, use the "uname -m" command.

To enable non-executable program stacks add the following lines to the "/etc/system" file and reboot the system: 

    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

The above tunable parameters are described in the Solaris Tunable Parameters Reference Manual at: http://docs.sun.com.


5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 116973-02 or later (See Note 1)
  • Solaris 9 with patch 113146-03 or later

x86 Platform

  • Solaris 8 with patch 116974-02 or later (See Note 1)
  • Solaris 9 with patch 114145-02 or later

Note 1: This Sun Alert originally reported that the Solaris 8 patches 116973-01 or later and 116974-01 or later addressed these issues. However, as per Sun Alert 101841 (at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1), the complete resolution is available in Solaris 8 patches 116973-02 or later and 116974-02 or later.


Change History

11-Oct-2004:
  • State: Resolved
  • Updated Contributing Factors and Resolution sections
20-Sep-2004:
  • Updated Relief/Workaround with T- patches for Solaris 8
12-Aug-2005:
  • Updated Contributing Factors and Resolution sections

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
 
Sun support customers:
more support information is available after you sign in.
 
»   Login
»   Register
»   Lost UserName/Password
 
Login Required

You must login and have a valid contract to access Sun's Premium content which includes:

  • Sun Alerts
  • Bugs
  • Patches
  • Solutions
  • White Papers
  • Documentation
  • Support Knowledge

Login Required

You must login and have a valid contract to access Sun's contracted features

Access Legend:

(Login to access)   Sun Contracted Content
(Login to access)   Sun Contracted Feature

Please make use of SunSolve Feedback application by selecting the floating [+] to provide feedback about this specific document.

Search
Article Details
Article ID : 101444
Article Type : Sun Alert Notifications
Last reviewed : 2005-08-12
Audience : PUBLIC
Keywords :
Provide feedback  (help)
Page Tools
»  Print This Page
»  Email This Article
»  Bookmark This Article
Security Support
»   Security Center
»   Report Security Vulnerabilities
»   Security PGP Key
»   Sun Alert Notifications - RSS Feeds
»   Sun Alert Notifications - eNewsletter
»   Solaris Fingerprint Database
 
SunSolve Navigation
»   Forums for contracted customers
»   Licenses
»   Log a Service Request
»   Patches and Updates
»   Product Download Center
»   SunSystem Handbook
»   SunSolve Japan
SunSolve Feedback, Help and Updates
»   Blog
»   Community
»   Feedback
»   Help
»   Learn about SunSolve
»   Twitter
Contact About Sun News & Events Employment Site Map Privacy Terms of Use Trademarks Copyright Sun Microsystems, Inc. | SunSolve Version 7.4.0 #1