Signature Detail

HTTP: Apache-scalp.c Attempt

This signature detects attempts to exploit a known vulnerability in Apache Web servers. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. Attackers can send chunked encoded requests with the unique Host header value "apache-scalp.c." in the GET request to create a buffer overflow and execute arbitrary code.

Extended Description

When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run. **Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.

Affected Products

• Apache Software Foundation Apache 1.0.0
• Apache Software Foundation Apache 1.0.2
• Apache Software Foundation Apache 1.0.3
• Apache Software Foundation Apache 1.0.5
• Apache Software Foundation Apache 1.1.0
• Apache Software Foundation Apache 1.1.1
• Apache Software Foundation Apache 1.2.0
• Apache Software Foundation Apache 1.2.5
• Apache Software Foundation Apache 1.3.0
• Apache Software Foundation Apache 1.3.1
• Apache Software Foundation Apache 1.3.11
• Apache Software Foundation Apache 1.3.12
• Apache Software Foundation Apache 1.3.13
• Apache Software Foundation Apache 1.3.14
• Apache Software Foundation Apache 1.3.14 Mac
• Apache Software Foundation Apache 1.3.15
• Apache Software Foundation Apache 1.3.16
• Apache Software Foundation Apache 1.3.17
• Apache Software Foundation Apache 1.3.18
• Apache Software Foundation Apache 1.3.19
• Apache Software Foundation Apache 1.3.20
• Apache Software Foundation Apache 1.3.22
• Apache Software Foundation Apache 1.3.23
• Apache Software Foundation Apache 1.3.24
• Apache Software Foundation Apache 1.3.3
• Apache Software Foundation Apache 1.3.4
• Apache Software Foundation Apache 1.3.9
• Apache Software Foundation Apache 2.0.0
• Apache Software Foundation Apache 2.0.28
• Apache Software Foundation Apache 2.0.32
• Apache Software Foundation Apache 2.0.35
• Apache Software Foundation Apache 2.0.36
• Apache Software Foundation Apache 2.0.37
• Apache Software Foundation Apache 2.0.38
• HP Compaq Secure Web Server for OpenVMS 1.0.0 -1
• HP Compaq Secure Web Server for OpenVMS 1.1.0 -1
• HP Compaq Secure Web Server for OpenVMS 1.2.0
• HP HP-UX 11.0.0
• HP HP-UX 11.0.0 4
• HP HP-UX 11.11.0
• HP HP-UX 11.20.0
• HP HP-UX 11.22.0
• HP HP-UX (VVOS) 11.0.0 4
• HP INTERNET EXPRESS EAK 2.0.0
• HP OpenView Network Node Manager 6.1.0
• HP OpenView Network Node Manager 6.10.0
• HP OpenView Network Node Manager 6.2.0
• HP OpenView Network Node Manager 6.31.0
• HP OpenView Service Information Portal 1.0.0
• HP OpenView Service Information Portal 2.0.0
• HP OpenView Service Information Portal 3.0.0
• HP Tru64 UNIX Compaq Secure Web Server 5.8.1
• HP Tru64 UNIX Compaq Secure Web Server 5.8.2
• HP Tru64 UNIX INTERNET EXPRESS 5.9.0
• HP VirtualVault 4.5.0
• HP VirtualVault 4.6.0
• IBM HTTP Server 1.3.19
• Macromedia ColdFusion Server MX Developer
• Macromedia ColdFusion Server MX Enterprise
• Macromedia ColdFusion Server MX Professional
• Macromedia JRun 4.0.0
• Oracle Oracle HTTP Server 1.0.2 .0
• Oracle Oracle HTTP Server 1.0.2 .1
• Oracle Oracle HTTP Server 1.0.2 .2
• Oracle Oracle HTTP Server 1.0.2 .2 Roll up 2
• Oracle Oracle HTTP Server 8.1.7
• Oracle Oracle HTTP Server 9.0.1
• Oracle Oracle HTTP Server 9.0.2
• Oracle Oracle HTTP Server 9.1.0
• Oracle Oracle HTTP Server 9.2.0 .0
• Oracle Oracle HTTP Server for Apps only 1.0.2 .1s
• Red Hat Secure Web Server 3.2.0 i386

References

• BugTraq: 5033
• CERT: CA-2002-17
• CVE: CVE-2002-0392
• URL: http://httpd.apache.org/info/security_bulletin_20020617.txt