Signature Detail

Short Name: HTTP:OVERFLOW:CHUNK-OVERFLOW
Severity: Major
Recommended: No
Category: HTTP
Keywords: sans top20
Release Date: 2003/08/27
Update Number: 1213
Supported Platforms: di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: Chunk Overflow


This protocol anomaly triggers when an invalid data chunk length is detected in an HTTP request that uses chunked encoding. The chunked transfer encoding sends the body as a series of chunks, each preceded by its declared length, and each data chunk must match the length declared for it. Attackers can cause a stack overflow and execute arbitrary code on the server.

Extended Description

When processing requests encoded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and a signal race condition occur. Exploiting these conditions may allow arbitrary code to run.

**Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
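The check below is an added example, not Juniper's signature logic or Apache's code: it walks a chunked body, parses each chunk length as an unsigned, bounded value, and reports the first length that is malformed, oversized, or inconsistent with the data that follows. The names and the `MAX_CHUNK` cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_CHUNK 0x100000u /* assumed policy cap (1 MiB); not a value from the page */
enum chunk_status { CHUNK_OK, CHUNK_BAD_SIZE, CHUNK_TOO_LARGE, CHUNK_TRUNCATED };
/* Parse one chunk-size line ("<hex>[;ext]\r\n") as an unsigned, bounded value. */
static enum chunk_status parse_size(const char *p, size_t n, uint32_t *size, size_t *used)
{
    uint32_t v = 0;
    size_t i = 0;
    for (; i < n && isxdigit((unsigned char)p[i]); i++) {
        int c = tolower((unsigned char)p[i]);
        v = (v << 4) | (uint32_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        if (v > MAX_CHUNK)          /* v was <= MAX_CHUNK, so the shift cannot wrap */
            return CHUNK_TOO_LARGE;
    }
    if (i == 0)                     /* no hex digits: also rejects "-1" and "+5" */
        return n ? CHUNK_BAD_SIZE : CHUNK_TRUNCATED;
    if (i < n && p[i] != '\r' && p[i] != ';')
        return CHUNK_BAD_SIZE;      /* junk directly after the digits */
    while (i + 1 < n && !(p[i] == '\r' && p[i + 1] == '\n'))
        i++;                        /* skip any chunk extension */
    if (i + 1 >= n)
        return CHUNK_TRUNCATED;     /* size line has no CRLF terminator */
    *size = v;
    *used = i + 2;
    return CHUNK_OK;
}

/* Walk a chunked body; return the first anomaly, or CHUNK_OK at the last chunk. */
enum chunk_status check_chunked_body(const char *body, size_t n)
{
    size_t off = 0;
    for (;;) {
        uint32_t size;
        size_t used;
        enum chunk_status st = parse_size(body + off, n - off, &size, &used);
        if (st != CHUNK_OK)
            return st;
        off += used;
        if (size == 0)
            return CHUNK_OK;        /* last chunk; trailers are not inspected */
        if (n - off < (size_t)size + 2)
            return CHUNK_TRUNCATED; /* declared length exceeds the data present */
        if (body[off + size] != '\r' || body[off + size + 1] != '\n')
            return CHUNK_BAD_SIZE;  /* data does not end where the length says */
        off += (size_t)size + 2;
    }
}
```

Because the length is accumulated in an unsigned type and compared against the cap after every digit, a value such as `ffffffff` is rejected before it can be reinterpreted as a negative number by later code.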

Affected Products

  • Apache_software_foundation apache 1.0.0
  • Apache_software_foundation apache 1.0.2
  • Apache_software_foundation apache 1.0.3
  • Apache_software_foundation apache 1.0.5
  • Apache_software_foundation apache 1.1.0
  • Apache_software_foundation apache 1.1.1
  • Apache_software_foundation apache 1.2.0
  • Apache_software_foundation apache 1.2.5
  • Apache_software_foundation apache 1.3.0
  • Apache_software_foundation apache 1.3.1
  • Apache_software_foundation apache 1.3.11
  • Apache_software_foundation apache 1.3.12
  • Apache_software_foundation apache 1.3.13
  • Apache_software_foundation apache 1.3.14
  • Apache_software_foundation apache 1.3.14 Mac
  • Apache_software_foundation apache 1.3.15
  • Apache_software_foundation apache 1.3.16
  • Apache_software_foundation apache 1.3.17
  • Apache_software_foundation apache 1.3.18
  • Apache_software_foundation apache 1.3.19
  • Apache_software_foundation apache 1.3.20
  • Apache_software_foundation apache 1.3.22
  • Apache_software_foundation apache 1.3.23
  • Apache_software_foundation apache 1.3.24
  • Apache_software_foundation apache 1.3.3
  • Apache_software_foundation apache 1.3.4
  • Apache_software_foundation apache 1.3.9
  • Apache_software_foundation apache 2.0.0
  • Apache_software_foundation apache 2.0.28
  • Apache_software_foundation apache 2.0.32
  • Apache_software_foundation apache 2.0.35
  • Apache_software_foundation apache 2.0.36
  • Apache_software_foundation apache 2.0.37
  • Apache_software_foundation apache 2.0.38
  • Hp compaq_secure_web_server_for_openvms 1.0.0 -1
  • Hp compaq_secure_web_server_for_openvms 1.1.0 -1
  • Hp compaq_secure_web_server_for_openvms 1.2.0
  • Hp hp-ux 11.0.0
  • Hp hp-ux 11.0.0 4
  • Hp hp-ux 11.11.0
  • Hp hp-ux 11.20.0
  • Hp hp-ux 11.22.0
  • Hp hp-ux_(vvos) 11.0.0 4
  • Hp internet_express_eak 2.0.0
  • Hp openview_network_node_manager 6.1.0
  • Hp openview_network_node_manager 6.10.0
  • Hp openview_network_node_manager 6.2.0
  • Hp openview_network_node_manager 6.31.0
  • Hp openview_service_information_portal 1.0.0
  • Hp openview_service_information_portal 2.0.0
  • Hp openview_service_information_portal 3.0.0
  • Hp tru64_unix_compaq_secure_web_server 5.8.1
  • Hp tru64_unix_compaq_secure_web_server 5.8.2
  • Hp tru64_unix_internet_express 5.9.0
  • Hp virtualvault 4.5.0
  • Hp virtualvault 4.6.0
  • Ibm http_server 1.3.19
  • Macromedia coldfusion_server MX Developer
  • Macromedia coldfusion_server MX Enterprise
  • Macromedia coldfusion_server MX Professional
  • Macromedia jrun 4.0.0
  • Oracle oracle_http_server 1.0.2 .0
  • Oracle oracle_http_server 1.0.2 .1
  • Oracle oracle_http_server 1.0.2 .2
  • Oracle oracle_http_server 1.0.2 .2 Roll up 2
  • Oracle oracle_http_server 8.1.7
  • Oracle oracle_http_server 9.0.1
  • Oracle oracle_http_server 9.0.2
  • Oracle oracle_http_server 9.1.0
  • Oracle oracle_http_server 9.2.0 .0
  • Oracle oracle_http_server_for_apps_only 1.0.2 .1s
  • Red_hat secure_web_server 3.2.0 i386

References

  • BugTraq: 37966
  • BugTraq: 5033
  • CERT: CA-2002-17
  • CVE: CVE-2002-0392
  • CVE: CVE-2010-0010
  • CVE: CVE-2002-0079
  • URL: http://httpd.apache.org/info/security_bulletin_20020620.txt

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.