xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version
 最近严重漏洞 
Microsoft RPC接口远程任意代码可执行漏洞
Cisco IOS接口不正确处理IPV4包远程拒绝服务漏洞
Microsoft Windows CreateFile API命名管道权限提升漏洞

Apache Web Server Scoreboard内存段覆盖SIGUSR1发送漏洞


发布时间:2002-10-09
更新时间:2002-10-09
严重程度:
威胁程度:普通用户访问权限
错误类型:设计错误
利用方式:服务器模式

BUGTRAQ ID:5884
CVE(CAN) ID:CAN-2002-0839

受影响系统
Apache Software Foundation Apache 1.3.19
   - Apple MacOS X 10.0.3
   - Caldera eDesktop 2.4
   - Caldera eServer 2.3.1
   - Caldera OpenLinux 2.4
   + Debian Linux 2.3
   - Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
   - Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
   - Digital (Compaq) TRU64/DIGITAL UNIX 5.0
   + EnGarde Secure Linux 1.0.1
   - FreeBSD FreeBSD 3.5.1
   - FreeBSD FreeBSD 4.2
   - HP HP-UX 10.20
   - HP HP-UX 11.0
   - HP HP-UX 11.0 4
   - HP HP-UX 11.11
   + HP Secure OS software for Linux 1.0
   - HP VirtualVault 4.5
   - MandrakeSoft Linux Mandrake 7.1
   - MandrakeSoft Linux Mandrake 7.2
   - MandrakeSoft Linux Mandrake 8.0
   + MandrakeSoft Linux Mandrake 8.1
   - NetBSD NetBSD 1.5
   - NetBSD NetBSD 1.5.1
   - OpenBSD OpenBSD 2.8
   + OpenBSD OpenBSD 2.9
   + OpenBSD OpenBSD 3.0
   - RedHat Linux 6.2
   - RedHat Linux 7.0
   - RedHat Linux 7.1
   + S.u.S.E. Linux 6.4
   + S.u.S.E. Linux 6.4 alpha
   + S.u.S.E. Linux 6.4 i386
   + S.u.S.E. Linux 6.4 ppc
   + S.u.S.E. Linux 7.0
   + S.u.S.E. Linux 7.0 alpha
   + S.u.S.E. Linux 7.0 i386
   + S.u.S.E. Linux 7.0 ppc
   + S.u.S.E. Linux 7.0 sparc
   + S.u.S.E. Linux 7.1
   + S.u.S.E. Linux 7.1 alpha
   + S.u.S.E. Linux 7.1 ppc
   + S.u.S.E. Linux 7.1 sparc
   + S.u.S.E. Linux 7.1 x86
   + S.u.S.E. Linux 7.2
   + S.u.S.E. Linux 7.2 i386
   - SGI IRIX 6.5.8
   - SGI IRIX 6.5.9
   - Sun Solaris 7.0
   - Sun Solaris 8.0
Apache Software Foundation Apache 1.3.20
   - HP HP-UX 11.20
   - HP HP-UX 11.22
   + MandrakeSoft Single Network Firewall 7.2
   + S.u.S.E. Linux 7.3
   + S.u.S.E. Linux 7.3 i386
   + S.u.S.E. Linux 7.3 ppc
   + S.u.S.E. Linux 7.3 sparc
   + SGI IRIX 6.5.12
   + SGI IRIX 6.5.12 f
   + SGI IRIX 6.5.12 m
   + SGI IRIX 6.5.13
   + SGI IRIX 6.5.13 f
   + SGI IRIX 6.5.13 m
   + SGI IRIX 6.5.14
   + SGI IRIX 6.5.14 f
   + SGI IRIX 6.5.14 m
   + SGI IRIX 6.5.15
   + SGI IRIX 6.5.16
   + Slackware Linux 8.0
   + Sun Cobalt Control Station 4100CS
Apache Software Foundation Apache 1.3.22
   + Caldera OpenLinux Server 3.1
   + Caldera OpenLinux Server 3.1.1
   + Caldera OpenLinux Workstation 3.1
   + Caldera OpenLinux Workstation 3.1.1
   + Conectiva Linux 6.0
   + Conectiva Linux 7.0
   + Conectiva Linux 8.0
   + MandrakeSoft Corporate Server 1.0.1
   + MandrakeSoft Linux Mandrake 7.2
   + MandrakeSoft Linux Mandrake 8.0
   + MandrakeSoft Linux Mandrake 8.0 ppc
   + MandrakeSoft Linux Mandrake 8.1
   + MandrakeSoft Linux Mandrake 8.1 ia64
   + OpenPKG OpenPKG 1.0
   + RedHat Linux 6.2 alpha
   + RedHat Linux 6.2 i386
   + RedHat Linux 6.2 sparc
   + RedHat Linux 7.0 alpha
   + RedHat Linux 7.0 i386
   + RedHat Linux 7.1 alpha
   + RedHat Linux 7.1 i386
   + RedHat Linux 7.1 ia64
   + RedHat Linux 7.2 i386
   + RedHat Linux 7.2 ia64
   + Sun Solaris 8.0
   + Sun Solaris 8.0 _x86
   + Sun Solaris 9.0
Apache Software Foundation Apache 1.3.23
   - IBM AIX 4.3
   + MandrakeSoft Linux Mandrake 8.2
   + RedHat Linux 7.3
   + RedHat Linux 7.3 i386
   + S.u.S.E. Linux 8.0
   + S.u.S.E. Linux 8.0 i386
   + Trustix Secure Linux 1.1
   + Trustix Secure Linux 1.2
   + Trustix Secure Linux 1.5
Apache Software Foundation Apache 1.3.24
   + OpenBSD OpenBSD 3.1
   + Oracle Oracle 9i Application Server 1.0.2
   + Oracle Oracle 9i Application Server 1.0.2 .1s
   + Oracle Oracle 9i Application Server 1.0.2 .2
   + Oracle Oracle 9i Application Server 9.0.2
   + Oracle Oracle HTTP Server 9.0.1
   + Oracle Oracle HTTP Server 9.2 .0
   + Slackware Linux 8.1
   + Unisphere Networks SDX-300 2.0.3
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.26
   + Conectiva Linux 6.0
   + Conectiva Linux 7.0
   + Conectiva Linux 8.0
   + OpenPKG OpenPKG 1.1
   + Trustix Secure Linux 1.1
   + Trustix Secure Linux 1.2
   + Trustix Secure Linux 1.5
Oracle Internet Application Server 1.0.2 .1
Oracle Internet Application Server 1.0.2 .0
   - Oracle Oracle 8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle 8i Enterprise Edition 8.1.7 .1.0
Oracle Oracle 8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle 9i Application Server
   - Compaq Tru64 4.0 g
   - Compaq Tru64 5.0
   - Compaq Tru64 5.0 a
   - Compaq Tru64 5.0 f
   - Compaq Tru64 5.1
   - HP HP-UX 7.0
   - HP HP-UX 7.2
   - HP HP-UX 7.4
   - HP HP-UX 7.6
   - HP HP-UX 7.8
   - HP HP-UX 8.0
   - HP HP-UX 8.1
   - HP HP-UX 8.2
   - HP HP-UX 8.4
   - HP HP-UX 8.5
   - HP HP-UX 8.6
   - HP HP-UX 8.7
   - HP HP-UX 8.8
   - HP HP-UX 8.9
   - HP HP-UX 9.0
   - HP HP-UX 9.1
   - HP HP-UX 9.3
   - HP HP-UX 9.4
   - HP HP-UX 9.5
   - HP HP-UX 9.6
   - HP HP-UX 9.7
   - HP HP-UX 9.8
   - HP HP-UX 9.9
   - HP HP-UX 9.10
   - HP HP-UX 10.0
   - HP HP-UX 10.0 1
   - HP HP-UX 10.1
   - HP HP-UX 10.8
   - HP HP-UX 10.9
   - HP HP-UX 10.10
   - HP HP-UX 10.16
   - HP HP-UX 10.20
   - HP HP-UX 10.26
   - HP HP-UX 10.30
   - HP HP-UX 10.34
   - HP HP-UX 11.0
   - HP HP-UX 11.0 4
   - HP HP-UX 11.11
   - IBM AIX 1.2.1
   - IBM AIX 1.3
   - IBM AIX 2.2.1
   - IBM AIX 3.0 x
   - IBM AIX 3.1
   - IBM AIX 3.2
   - IBM AIX 3.2.4
   - IBM AIX 3.2.5
   - IBM AIX 4.0
   - IBM AIX 4.1
   - IBM AIX 4.1.1
   - IBM AIX 4.1.2
   - IBM AIX 4.1.3
   - IBM AIX 4.1.4
   - IBM AIX 4.1.5
   - IBM AIX 4.2
   - IBM AIX 4.2.1
   - IBM AIX 4.3
   - IBM AIX 4.3.1
   - IBM AIX 4.3.2
   - IBM AIX 4.3.3
   - IBM AIX 5.1
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6a
   - Sun Solaris 1.1
   - Sun Solaris 1.1.1
   - Sun Solaris 1.1.2
   - Sun Solaris 1.1.3
   - Sun Solaris 1.1.3 _U1
   - Sun Solaris 1.1.4
   - Sun Solaris 1.1.4 -JL
   - Sun Solaris 1.2
   - Sun Solaris 2.0
   - Sun Solaris 2.1
   - Sun Solaris 2.2
   - Sun Solaris 2.3
   - Sun Solaris 2.4
   - Sun Solaris 2.4 _x86
   - Sun Solaris 2.5
   - Sun Solaris 2.5 _x86
   - Sun Solaris 2.5.1
   - Sun Solaris 2.5.1 _x86
   - Sun Solaris 2.6
   - Sun Solaris 2.6 _x86
   - Sun Solaris 2.6 _x86HW3/98
   - Sun Solaris 2.6 _x86HW5/98
   - Sun Solaris 2.6 HW3/98
   - Sun Solaris 2.6 HW5/98
   - Sun Solaris 7.0
   - Sun Solaris 7.0 _x86
   - Sun Solaris 8.0
   - Sun Solaris 8.0 _x86
Oracle Oracle 9i Application Server 1.0.2 .2
Oracle Oracle 9i Application Server 1.0.2 .1s
Oracle Oracle 9i Application Server 1.0.2
Oracle Oracle 9i Application Server 9.0.2 release 2
Oracle Oracle 9i Application Server 9.0.2
Oracle Oracle 9iAS Reports 9.0.2 .1
Oracle Oracle8 8.1.7
   - Microsoft Windows 2000 Workstation
Oracle Oracle8i 8.1.7 .1
Oracle Oracle8i 8.1.7
Oracle Oracle9i Release 2 9.2 .2
Oracle Oracle9iAS Reports 9.0.2
详细描述
<Apache Web Server Scoreboard Memory Segment Overwriting SIGUSR1 Sending Vulnerability>

Apache是免费开放源代码WEB服务程序,目前很广泛的使用。

Apache HTTP服务程序在共享内存记分板(scoreboard)处理上存在漏洞,攻击者可以在APACHE UID权利下执行任意命令,以ROOT权限发送SIGUSR1信号到任意进程,或者进行拒绝服务攻击。

攻击者可以通过attach HTTPD守护进程的'scoreboard'-存储在APACHE拥有的共享内存段,通过持续的以NULL值填充这个表导致拒绝服务。

攻击者也可以以ROOT权利发送SIGUSR1给任意进程,这可以通过持续覆盖parent[].pid 和parent[].last_rtime共享内存段做到。通过这个方法可以终止任意进程和把用户踢出系统。

测试代码


解决方案
升级程序:

Apache Software Foundation Apache 1.3.19:

EnGarde Secure Linux RPM apache-1.3.27-1.0.32.i386.rpm
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/apache-1.3.27-1.0.32.i386.rpm

EnGarde Secure Linux RPM apache-1.3.27-1.0.32.i686.rpm
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/apache-1.3.27-1.0.32.i686.rpm

Apache Software Foundation Apache 1.3.20:

Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz

Apache Software Foundation Apache 1.3.22:

Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz

OpenPKG Upgrade apache-1.3.22-1.0.5.src.rpm
ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm

Apache Software Foundation Apache 1.3.23:

Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz

Apache Software Foundation Apache 1.3.24:

Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz

Apache Software Foundation Apache 1.3.25:

Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz

Apache Software Foundation Apache 1.3.26:

Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz

OpenPKG Upgrade apache-1.3.26-1.1.1.src.rpm
ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm

相关信息
zen-parse <zen-parse@gmx.net>.
参考:http://online.securityfocus.com/advisories/4532
http://online.securityfocus.com/archive/1/294119
http://online.securityfocus.com/archive/1/294026
http://otn.oracle.com/deploy/security/pdf/2002alert45rev1.pdf
相关
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved