|
|
Apache AB.C Web Benchmarking存在远程缓冲溢出漏洞
发布时间:2002-10-09
更新时间:2002-10-09
严重程度:中
威胁程度:远程拒绝服务
错误类型:边界检查错误
利用方式:客户机模式
BUGTRAQ ID:5887
CVE(CAN) ID:CAN-2002-0843
受影响系统Apache Software Foundation Apache 1.3
- Microsoft Windows 2000 Workstation
- Microsoft Windows NT 4.0
Apache Software Foundation Apache 1.3.1
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 alpha
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 sparc
Apache Software Foundation Apache 1.3.4
+ BSDI BSD/OS 4.0
Apache Software Foundation Apache 1.3.6
+ Sun Cobalt ManageRaQ3 3000R-mr
+ Sun Cobalt RaQ3 3000R
+ Sun Cobalt Velociraptor
Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 sparc
+ Netscreen NetScreen-Global PRO Express Policy Manager Server
+ Netscreen NetScreen-Global PRO Policy Manager Server
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3.12
+ Netscreen NetScreen-Global PRO Express Policy Manager Server
+ Netscreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0 i386
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0 sparc
+ Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Apache Software Foundation Apache 1.3.14
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Linux Mandrake 7.1
+ MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Single Network Firewall 7.2
Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.19
- Apple MacOS X 10.0.3
- Caldera eDesktop 2.4
- Caldera eServer 2.3.1
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 3.5.1
- FreeBSD FreeBSD 4.2
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.0 4
- HP HP-UX 11.11
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
- MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.1
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 2.9
+ OpenBSD OpenBSD 3.0
- RedHat Linux 6.2
- RedHat Linux 7.0
- RedHat Linux 7.1
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.2 i386
- SGI IRIX 6.5.8
- SGI IRIX 6.5.9
- Sun Solaris 7.0
- Sun Solaris 8.0
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.20
- HP HP-UX 11.22
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 sparc
+ SGI IRIX 6.5.12
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.16
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Conectiva Linux 6.0
+ Conectiva Linux 7.0
+ Conectiva Linux 8.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.1 ia64
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 ia64
+ Sun Solaris 8.0
+ Sun Solaris 8.0 _x86
+ Sun Solaris 9.0
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ MandrakeSoft Linux Mandrake 8.2
+ RedHat Linux 7.3
+ RedHat Linux 7.3 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 8.0 i386
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.5
Apache Software Foundation Apache 1.3.24
+ OpenBSD OpenBSD 3.1
+ Oracle Oracle 9i Application Server 1.0.2
+ Oracle Oracle 9i Application Server 1.0.2 .1s
+ Oracle Oracle 9i Application Server 1.0.2 .2
+ Oracle Oracle 9i Application Server 9.0.2
+ Oracle Oracle HTTP Server 9.0.1
+ Oracle Oracle HTTP Server 9.2 .0
+ Slackware Linux 8.1
+ Unisphere Networks SDX-300 2.0.3
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.26
+ Conectiva Linux 6.0
+ Conectiva Linux 7.0
+ Conectiva Linux 8.0
+ OpenPKG OpenPKG 1.1
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.5
Oracle Oracle 8i Enterprise Edition 8.1.7 .1.0
Oracle Oracle 8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle 9i Application Server 1.0.2 .2
Oracle Oracle 9i Application Server 1.0.2 .1s
Oracle Oracle 9i Application Server 1.0.2
Oracle Oracle 9i Application Server 9.0.2 release 2
Oracle Oracle 9i Application Server 9.0.2
Oracle Oracle 9iAS Reports 9.0.2 .1
Oracle Oracle8 8.1.7
- Microsoft Windows 2000 Workstation
Oracle Oracle8i 8.1.7 .1
Oracle Oracle8i 8.1.7
Oracle Oracle9i Release 2 9.2 .2
Oracle Oracle9iAS Reports 9.0.2 详细描述
由APACHE WEB SERVER提供的ab.c web benchmarking支持工具存在缓冲溢出。
恶意WEB服务器的管理员可以利用这个漏洞,当评测工具对其APACHE服务器进行测试的时候导致产生缓冲溢出,可以以评测系统的进程任意代码。
测试代码
无
解决方案
升级程序:
Apache Software Foundation Apache 1.3:
Apache Software Foundation Apache 1.3.1:
Apache Software Foundation Apache 1.3.3:
Apache Software Foundation Apache 1.3.4:
Apache Software Foundation Apache 1.3.6:
Apache Software Foundation Apache 1.3.9:
Apache Software Foundation Apache 1.3.11:
Apache Software Foundation Apache 1.3.12:
Apache Software Foundation Apache 1.3.14:
Apache Software Foundation Apache 1.3.17:
Apache Software Foundation Apache 1.3.18:
Apache Software Foundation Apache 1.3.19:
EnGarde Secure Linux RPM apache-1.3.27-1.0.32.i386.rpm
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i386/apache-1.3.27-1.0.32.i386.rpm
EnGarde Secure Linux RPM apache-1.3.27-1.0.32.i686.rpm
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/i686/apache-1.3.27-1.0.32.i686.rpm
Apache Software Foundation Apache 1.3.20:
Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz
Apache Software Foundation Apache 1.3.22:
Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz
OpenPKG Upgrade apache-1.3.22-1.0.5.src.rpm
ftp://ftp.openpkg.org/release/1.0/UPD/apache-1.3.22-1.0.5.src.rpm
Apache Software Foundation Apache 1.3.23:
Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz
Apache Software Foundation Apache 1.3.24:
Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz
Apache Software Foundation Apache 1.3.25:
Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz
Apache Software Foundation Apache 1.3.26:
Apache Software Foundation Upgrade apache_1.3.27.tar.gz
http://www.apache.org/dist/httpd/apache_1.3.27.tar.gz
OpenPKG Upgrade apache-1.3.26-1.1.1.src.rpm
ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.1.src.rpm
相关信息
参考:http://online.securityfocus.com/advisories/4532
http://online.securityfocus.com/archive/1/294119
http://otn.oracle.com/deploy/security/pdf/2002alert45rev1.pdf
相关主页:http://www.apache.org/dist/httpd/Announcement.txt
|
