Note: This is an archival copy of Security Sun Alert 201369 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001042.1.
Article ID : 1001042.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-12-13
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Apache Web Server "mod_alias" and "mod_rewrite" Modules



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 8 Operating System

Bug Id
4948830

Date of Workaround Release
10-FEB-2004

Date of Resolved Release
11-OCT-2004

Impact

A local or remote unprivileged user may be able to execute arbitrary code with the privileges of the Apache HTTP process on Solaris 8 and Solaris 9 systems when running the bundled version of Apache. This is due to a buffer overflow in the Apache modules "mod_alias" and "mod_rewrite".

This issue is described at the following sites:

The Apache 1.3.29 and the 2.0.48 release announcements:

CAN-2003-0542:


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 116973-02 (See Note 1)
  • Solaris 9 without patch 113146-03

x86 Platform

  • Solaris 8 without patch 116974-02 (See Note 1)
  • Solaris 9 without patch 114145-02

Note 1 This Sun Alert originally reported that Solaris 8 systems without patch 116973-01 or 116974-01 were impacted by these issues. However, as per Sun Alert 101841 (at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1), these issues may still occur on Solaris 8 systems with patches 116973-01 or 116974-01.

A system is only vulnerable to this issue if the Apache web server has been configured and is running on the system. The following command can be executed to check if the Apache(1M) httpd daemon is running on the system:

$ /usr/bin/ps -ef | grep httpd
nobody 103892 102307  0   Jan 20 ?        0:27 /usr/apache/bin/httpd

Apache was not bundled with Solaris prior to Solaris 8. However, customers who have built and/or installed a vulnerable version of Apache on any version of Solaris are at risk. See the Apache URL referenced above for information on where to download the latest Apache versions which address this issue.

This vulnerability involving the Apache "mod_alias" and "mod_rewrite" modules is present in Apache web servers versions 1.3 through 1.3.28 and 2.0 through 2.0.47.

To determine the version of Apache installed, the following command can be executed:

$ /usr/apache/bin/httpd -v
Server version: Apache/1.3.27 (Unix)
Server built:   Nov  1 2002 16:16:4

Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized uid "nobody" access to a host.


Workaround

Some relief to the buffer overflow is available by enabling non-executable user stacks (although this does not provide 100 percent protection against exploitation of this vulnerability, it makes the likelihood of a successful exploit much smaller). This workaround is only effective on the following architectures:

  • sun4u
  • sun4m
  • sun4d

Note: This workaround will not work on Intel platforms.

To determine a systems architecture, use the "uname -m" command.

To enable non-executable program stacks add the following lines to the "/etc/system" file and reboot the system:

    set noexec_user_stack = 1
set noexec_user_stack_log = 1

The above tunable parameters are described in the Solaris Tunable Parameters Reference Manual at: http://docs.sun.com.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 116973-02 or later (See Note 1)
  • Solaris 9 with patch 113146-03 or later

x86 Platform

  • Solaris 8 with patch 116974-02 or later (See Note 1)
  • Solaris 9 with patch 114145-02 or later

Note 1: This Sun Alert originally reported that the Solaris 8 patches 116973-01 or later and 116974-01 or later addressed these issues. However, as per Sun Alert 101841 (at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101841-1), the complete resolution is available in Solaris 8 patches 116973-02 or later and 116974-02 or later.



Modification History
Date: 11-OCT-2004
  • State: Resolved
  • Updated Contributing Factors and Resolution sections

Date: 20-SEP-2004
  • Updated Relief/Workaround with T- patches for Solaris 8

Date: 12-AUG-2005
  • Updated Contributing Factors and Resolution sections


References

113146-03
114145-02
116974-01
116973-01




Attachments
This solution has no attachment