1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. Web Attack: Apache Chunked Encoding CVE-2002-0392

Web Attack: Apache Chunked Encoding CVE-2002-0392

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects the attempt to overflow a buffer in various servers accepting HTTP connections.

Additional Information

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the many vendors implementations of 'Chunked Encoding'.

When processing requests coded with the 'Chunked Encoding' mechanism, the length given is not sanity checked. Passing a large enough value "wraps" the value into a negative number.

Consequently, several conditions may occur that have security implications. It has been reported that a buffer overflow and signal race condition occur.

Exploitation of these conditions may result in the execution of arbitrary code.

It has been confirmed that this vulnerability may be exploited to execute arbitrary code on both Win32 and UNIX platforms.

NOTE: It has been reported that there is at least one worm exploiting this vulnerability to propagate "in-the-wild". The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.

Affected

  • Apache Software Foundation Apache 1.0, 1.0.2, 1.0.3, 1.0.5, 1.1, 1.1.1, 1.2, 1.2.5, 1.3, 1.3.1, 1.3.3, 1.3.4, 1.3.9, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.24, 2.0, 2.0.28, 2.0.32, 2.0.35, 2.0.36
  • Apache Software Foundation Apache for Mac 1.3.14 Mac
  • Apache Software Foundation Apache for Windows 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.24
  • HP Compaq Secure Web Server for OpenVMS 1.0-1, 1.1-1, 1.2
  • HP HP-UX 11.0, 11.0 4, 11.11, 11.20, 11.22
  • HP INTERNET EXPRESS EAK 2.0
  • HP OpenView Network Node Manager 6.1, 6.2, 6.10, 6.31
  • HP OpenView Service Information Portal 1.0, 2.0, 3.0
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.1, 5.8.2
  • HP Tru64 UNIX INTERNET EXPRESS 5.9
  • HP VirtualVault 4.5, 4.6
  • IBM HTTP Server 1.3.19
  • Macromedia ColdFusion Server MX Developer, MX Enterprise, MX Professional
  • Macromedia JRun 4.0
  • Oracle Oracle HTTP Server 1.0.2.0, 1.0.2.1, 1.0.2.2, 1.0.2.2 Roll up 2, 8.1.7, 9.0.1, 9.0.2, 9.1, 9.2.0
  • Oracle Oracle HTTP Server for Apps only 1.0.2.1s
  • RedHat Secure Web Server 3.2 i386

Response

There are patches available for the known vulnerable components.

  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube