NCSA HTTPD 1.3 Security Problem

Keith Robison robison at golgi.harvard.edu
Thu Feb 16 09:39:28 EST 1995


For those webmasters who haven't seen it yet, there is a security hole
in NCSA HTTPD 1.3 which can apparently be exploited by an automated
script.  NCSA has not yet provided fixed source or binaries, but
the CIAC folks recommend a simple fix in the source.  I have recompiled
NCSA httpd 1.3 for SunOS 4.x using gcc, and this binary is available 
via anonymous FTP

	ftp://golgi.harvard.edu/pub/robison/httpd


Replace your existing httpd binary with this one and restart the server.


CIAC advisory attached.


Keith Robison
Harvard University
Department of Cellular and Developmental Biology
Department of Genetics / HHMI

robison at mito.harvard.edu 


>             _____________________________________________________
>                        The U.S. Department of Energy
>                     Computer Incident Advisory Capability
>                            ___  __ __    _     ___
>                           /       |     /_\   /
>                           \___  __|__  /   \  \___
>             _____________________________________________________

>                                ADVISORY NOTICE

>                         Unix NCSA httpd Vulnerability

> February 14, 1995 1030 PST                                        Number F-11
> _____________________________________________________________________________

> PROBLEM:       A vulnerability has been discovered in the NCSA WWW server
>                software (httpd).
> PLATFORMS:     Unix systems running NCSA httpd version 1.3.
> DAMAGE:        Remote users may gain unauthorized access.
> SOLUTION:      Implement workaround as described below.
> _____________________________________________________________________________

> VULNERABILITY  This vulnerability, along with an automated exploitation
> ASSESSMENT:    script, has been announced in public forums on the Internet.
>                CIAC recommends that sites install the workaround on affected 
>                systems as soon as possible.
> _____________________________________________________________________________

>           Critical Information about the NCSA httpd Vulnerability

> CIAC has learned of a serious vulnerability in the NCSA WWW server software,
> httpd.  By sending a carefully constructed request to the WWW server, an
> intruder can cause an internal buffer overflow and push arbitrary 
> instructions onto the program stack.  These new instructions may allow the
> intruder unauthorized access to the WWW server.

> Until official patches are available from NCSA, CIAC recommends the following
> temporary fix be installed.  In the file httpd.h, change the string length
> definitions from:

>       /* The default string lengths */
>       #define MAX_STRING_LEN 256
>       #define HUGE_STRING_LEN 8192

> to:

>       /* The default string lengths */
>       #define HUGE_STRING_LEN 8192
>       #define MAX_STRING_LEN  HUGE_STRING_LEN

> Then rebuild, install, and restart the new httpd server.

> It is likely that these attacks will generate unusual server log entries.  
> The httpd access_log file should be examined for unusual requests, especially
> those containing control characters.

> Note that while this workaround addresses the vulnerability currently being
> exploited, there are likely to be other similar vulnerabilities present in
> this and other WWW server software.  To lessen the chance of compromise, it
> is strongly recommended that WWW servers run as unprivileged users (e.g.
> user "nobody") and that they be locked into a restricted filesystem via the
> chroot() system call.  For more information, please see CIAC Document 2308, 
> "Securing Internet Information Servers," which is available via anonymous
> FTP from ciac.llnl.gov in the directory /pub/ciac/ciacdocs/.
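
The advisory's advice to examine access_log for unusual requests can be turned into a triage script. This is an added example, not part of the original message or the CIAC advisory. It assumes the log is in Common Log Format; the function names and sample lines are constructed, and the 256-byte length check is a heuristic borrowed from the pre-workaround MAX_STRING_LEN, not something the advisory specifies.

```python
import re

# Assumption: access_log uses Common Log Format:
#   host ident authuser [date] "request" status bytes
CLF = re.compile(rb'^(\S+) \S+ \S+ \[[^\]]*\] "(.*)" \S+ \S+$', re.S)
# Pre-workaround buffer size from httpd.h, as quoted in the advisory.
MAX_STRING_LEN = 256


def suspicious(line):
    """Return the reasons a raw access_log line (bytes) needs manual review."""
    line = line.rstrip(b"\r\n")
    reasons = []
    m = CLF.match(line)
    if m:
        request = m.group(2)
    else:
        # Binary data in a request can break the log format itself.
        request = line
        reasons.append("not valid Common Log Format")
    odd = sum(1 for b in request if b < 0x20 or b >= 0x7F)
    if odd:
        reasons.append(f"{odd} control/non-ASCII byte(s) in request")
    if len(request) >= MAX_STRING_LEN:
        reasons.append(f"request is {len(request)} bytes (>= {MAX_STRING_LEN})")
    return reasons


def scan(lines):
    """Return (line_number, host, reasons) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = suspicious(line)
        if reasons:
            host = line.split(b" ", 1)[0].decode("ascii", "replace")
            hits.append((n, host, reasons))
    return hits


# Constructed sample input (not taken from any real server).
SAMPLE_LOG = [
    b'host1.example.edu - - [14/Feb/1995:10:02:11 -0800] "GET /index.html HTTP/1.0" 200 2041\n',
    b'host2.example.edu - - [14/Feb/1995:10:05:42 -0800] "GET /' + b"A" * 300 + b' HTTP/1.0" 404 -\n',
    b'host3.example.edu - - [14/Feb/1995:10:06:03 -0800] "GET /cgi-bin/\x01\x1b\xff HTTP/1.0" 500 -\n',
    b'host4.example.edu - - [14/Feb/1995:10:06:09 -0800] "GET /\x00\x08\n',
]
if __name__ == "__main__":
    for n, host, reasons in scan(SAMPLE_LOG):
        print(f"line {n} from {host}: " + "; ".join(reasons))
```

Read the real log in binary mode (`open(path, "rb")`) so control bytes reach the scanner unaltered.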



