[574] in WWW Security List Archive


Re: NCSA httpd 1.3 vulnerability still unsolved? (And where to go to solve it?)

daemon@ATHENA.MIT.EDU (Paul Phillips)
Sun Apr 9 05:50:57 1995

Date: Sat, 8 Apr 1995 22:56:31 -0700 (PDT)
From: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
To: www-security@ns1.rutgers.edu
In-Reply-To: <20055.9504041146@macbeth.cogsci.ed.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu



On Tue, 4 Apr 1995 robert@cogsci.ed.ac.uk wrote:

> I've seen a number of postings discussing the status of a bug
> with NCSA's httpd 1.3.
> 
> Pardon a very basic question, but what are the consequences of this bug?

This bug -- and others like it -- allow people to execute arbitrary 
commands on the server machine under the server's euid.  If the server is 
running chrooted then only files in the chrooted area can be executed, 
but this usually to often includes such things as perl (for CGI) so 
that's not terribly comforting.

> The most likely consequence would seem to be that the demon would crash.
> Would this disable the site, or only abort the offending request?

If the client is overwriting the stack with random data, the worst that 
will happen is a server crash, but the real danger is data designed to 
execute code, as in Thomas's exploit.

> In other words, if all the permissions on my system are set up right,
> so that ``nobody'' cannot do any damage, should I be bothered?

Yes.  You might be amazed at the damage that nobody can cause.  For 
example, nobody might set up a telnet server so the hacker can log into 
the machine.  Then Mr. Nobody can glean all sorts of data about your 
internal net, and almost certainly find some more serious holes on the 
server machine or some others.  Or, Mr. Nobody might set up the machine 
as a warez distribution site.  Or, Mr. Nobody might spam Usenet.
(Continue with others as your imagination sees fit.) 

The level of your vulnerability depends on the presence or absence of a 
firewall and various other factors, but I promise holes like this are not 
harmless.

--
Paul Phillips       EMAIL: psp@ucsd.edu       PHONE: (619) 220-0850 
WWW: http://www.primus.com/staff/paulp/         FAX: (619) 220-0873
