For those webmasters who haven't seen it yet, there is a security hole
in NCSA HTTPD 1.3 which can apparently be exploited by an automated
script. NCSA has not yet provided fixed source or binaries, but
the CIAC folks recommend a simple fix in the source. I have recompiled
NCSA httpd 1.3 for SunOS 4.x using gcc, and this binary is available
via anonymous FTP:
ftp://golgi.harvard.edu/pub/robison/httpd
Replace your existing httpd binary with this one and restart the server.
CIAC advisory attached.
Keith Robison
Harvard University
Department of Cellular and Developmental Biology
Department of Genetics / HHMI
robison at mito.harvard.edu
> _____________________________________________________
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> _____________________________________________________
> ADVISORY NOTICE
> Unix NCSA httpd Vulnerability
> February 14, 1995 1030 PST Number F-11
> _____________________________________________________________________________
> PROBLEM: A vulnerability has been discovered in the NCSA WWW server
> software (httpd).
> PLATFORMS: Unix systems running NCSA httpd version 1.3.
> DAMAGE: Remote users may gain unauthorized access.
> SOLUTION: Implement workaround as described below.
> _____________________________________________________________________________
> VULNERABILITY ASSESSMENT: This vulnerability, along with an automated
> exploitation script, has been announced in public forums on the Internet.
> CIAC recommends that sites install the workaround on affected
> systems as soon as possible.
> _____________________________________________________________________________
> Critical Information about the NCSA httpd Vulnerability
> CIAC has learned of a serious vulnerability in the NCSA WWW server software,
> httpd. By sending a carefully constructed request to the WWW server, an
> intruder can cause an internal buffer overflow and push arbitrary
> instructions onto the program stack. These new instructions may allow the
> intruder unauthorized access to the WWW server.
> Until official patches are available from NCSA, CIAC recommends the following
> temporary fix be installed. In the file httpd.h, change the string length
> definitions from:
> /* The default string lengths */
> #define MAX_STRING_LEN 256
> #define HUGE_STRING_LEN 8192
> to:
> /* The default string lengths */
> #define HUGE_STRING_LEN 8192
> #define MAX_STRING_LEN HUGE_STRING_LEN
> Then rebuild, install, and restart the new httpd server.
> It is likely that these attacks will generate unusual server log entries.
> The httpd access_log file should be examined for unusual requests, especially
> those containing control characters.
> Note that while this workaround addresses the vulnerability currently being
> exploited, there are likely to be other similar vulnerabilities present in
> this and other WWW server software. To lessen the chance of compromise, it
> is strongly recommended that WWW servers run as unprivileged users (e.g.
> user "nobody") and that they be locked into a restricted filesystem via the
> chroot() system call. For more information, please see CIAC Document 2308,
> "Securing Internet Information Servers," which is available via anonymous
> FTP from ciac.llnl.gov in the directory /pub/ciac/ciacdocs/.
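
The access_log review the advisory recommends, as an added example that is not part of the original message or the CIAC advisory. It assumes the log is in Common Log Format; flagging requests at or above the old MAX_STRING_LEN of 256 is this example's own heuristic, and the sample lines are constructed.

```python
import re

# MAX_STRING_LEN before the workaround in httpd.h. Using it as a
# "suspiciously long request" threshold is an assumption of this example.
OLD_MAX_STRING_LEN = 256

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(rb'^(\S+) \S+ \S+ \[([^\]]*)\] "(.*)" (\S+) (\S+)\s*$', re.DOTALL)

def is_control(b):
    # C0 control bytes, DEL, and anything outside 7-bit ASCII
    return b < 0x20 or b >= 0x7f

def inspect_line(raw):
    """Return a list of reasons a raw access_log line (bytes) looks unusual."""
    line = raw.rstrip(b"\r\n")
    m = CLF.match(line)
    reasons = [] if m else ["unparseable"]
    request = m.group(3) if m else line
    bad = sum(1 for b in request if is_control(b))
    if bad:
        reasons.append("control-or-binary-bytes=%d" % bad)
    if len(request) >= OLD_MAX_STRING_LEN:
        reasons.append("request-length=%d" % len(request))
    return reasons

def scan(lines):
    """Yield (line_number, host, reasons) for every unusual line."""
    for n, raw in enumerate(lines, 1):
        reasons = inspect_line(raw)
        if reasons:
            host = raw.split(b" ", 1)[0].decode("ascii", "replace")
            yield n, host, reasons

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    b'192.0.2.10 - - [14/Feb/1995:10:30:00 -0800] "GET /index.html HTTP/1.0" 200 1043\n',
    b'192.0.2.77 - - [14/Feb/1995:10:31:12 -0800] "GET /' + b"A" * 300 + b' HTTP/1.0" 404 -\n',
    b'192.0.2.77 - - [14/Feb/1995:10:31:40 -0800] "GET /\x01\x02\x1b\xff HTTP/1.0" 400 -\n',
]

if __name__ == "__main__":
    for n, host, reasons in scan(SAMPLE):
        print("line %d from %s: %s" % (n, host, ", ".join(reasons)))
```

To check a real log, open it in binary mode and pass the file object to scan(), so that non-ASCII bytes reach the check unchanged.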