Juniper Networks
Security Intelligence Center
Signature Detail

Short Name

WORM:CHUNKED-WORM

Severity

Critical

Recommended

No

Recommended Action

Drop

Category

WORM

Keywords

Apache "Transfer-Encoding: chunked" Worm Infection Attempt

Release Date

2003/04/22

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

WORM: Apache "Transfer-Encoding: chunked" Worm Infection Attempt


This signature detects attempts to infect Apache Web servers with the Apache Worm. Apache versions 1.3.26, 2.0.38 and prior are vulnerable. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. The worm sends POST requests containing malicious chunked encoded data to exploit the Apache daemon.

Extended Description

When processing requests encoded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate the required buffer sizes. This is believed to be due to an improper (signed) interpretation of an unsigned integer value. Consequently, several conditions with security implications may occur; reportedly, a buffer overrun and a signal race condition result. Exploiting these conditions may allow arbitrary code to run. Update: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
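The description above hinges on one detail: a chunk-size value that is valid as an unsigned 32-bit integer becomes negative when it is read as a signed one, so a length check written against the signed value passes and the buffer arithmetic goes wrong. The Python below is an added illustration of that failure mode and of a defender-side check for it; it is not the Juniper signature, not its detection logic, and not Apache code. It parses a raw HTTP request, confirms the request is chunked, walks the chunk-size lines as unbounded integers, and flags any size that exceeds the signed 32-bit range (or an assumed per-chunk policy limit of 1 MiB). Both requests are constructed samples, and the hostname and path in them are placeholders.

```python
import re
import struct

# Constructed sample requests (not captured traffic). The second one carries a
# chunk-size line whose value is positive as an unsigned 32-bit integer but
# negative when interpreted as signed, the condition described above.
BENIGN_REQUEST = (
    b"POST /cgi-bin/form HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n\r\n"
)

SUSPICIOUS_REQUEST = (
    b"POST /cgi-bin/form HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"FFFFFFF0\r\nAAAA\r\n"
    b"0\r\n\r\n"
)

SIGNED_32_MAX = 0x7FFFFFFF
MAX_SANE_CHUNK = 1 << 20  # assumed policy limit: 1 MiB per chunk


def as_signed_32(size):
    """Show how a 32-bit unsigned value reads when treated as signed."""
    return struct.unpack("<i", struct.pack("<I", size & 0xFFFFFFFF))[0]


def split_request(raw):
    """Split a raw request into start line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return start_line, headers, body


def is_chunked(headers):
    return "chunked" in headers.get("transfer-encoding", "").lower()


def parse_chunk_sizes(body):
    """Return every declared chunk size as an unbounded Python int.

    Stops at the terminating zero chunk, at a malformed size line, or when
    the declared size runs past the end of the body (truncated data).
    """
    sizes = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            break
        line = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", line):
            break
        size = int(line, 16)
        sizes.append(size)
        if size == 0:
            break
        pos = end + 2 + size + 2  # skip the chunk data and its trailing CRLF
        if pos > len(body):
            break
    return sizes


def classify_chunk_size(size):
    """Check the size as an unsigned value, before any narrowing conversion."""
    if size > SIGNED_32_MAX:
        return "negative-as-signed-32"
    if size > MAX_SANE_CHUNK:
        return "oversized"
    return "ok"


def inspect_request(raw):
    """Report chunk sizes that would be mishandled by a signed length check."""
    start_line, headers, body = split_request(raw)
    if not is_chunked(headers):
        return {"start_line": start_line, "chunked": False, "sizes": [], "findings": []}
    sizes = parse_chunk_sizes(body)
    findings = [(s, classify_chunk_size(s)) for s in sizes if classify_chunk_size(s) != "ok"]
    return {"start_line": start_line, "chunked": True, "sizes": sizes, "findings": findings}


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        report = inspect_request(req)
        print(name, report["findings"])
    print("0xFFFFFFF0 as signed 32-bit:", as_signed_32(0xFFFFFFF0))
```

The point of `classify_chunk_size` is that the comparison happens on the full unsigned value; `as_signed_32` only exists to make visible why a check performed after narrowing to a signed 32-bit integer would see 0xFFFFFFF0 as -16 and accept it. A real intrusion-detection rule would additionally need to reassemble the TCP stream before the body walk is meaningful, which this stand-alone parser does not do.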

Affected Products

  • Apache Software Foundation Apache 1.0.0
  • Apache Software Foundation Apache 1.0.2
  • Apache Software Foundation Apache 1.0.3
  • Apache Software Foundation Apache 1.0.5
  • Apache Software Foundation Apache 1.1.0
  • Apache Software Foundation Apache 1.1.1
  • Apache Software Foundation Apache 1.2.0
  • Apache Software Foundation Apache 1.2.5
  • Apache Software Foundation Apache 1.3.0
  • Apache Software Foundation Apache 1.3.1
  • Apache Software Foundation Apache 1.3.11
  • Apache Software Foundation Apache 1.3.12
  • Apache Software Foundation Apache 1.3.13
  • Apache Software Foundation Apache 1.3.14
  • Apache Software Foundation Apache 1.3.14 Mac
  • Apache Software Foundation Apache 1.3.15
  • Apache Software Foundation Apache 1.3.16
  • Apache Software Foundation Apache 1.3.17
  • Apache Software Foundation Apache 1.3.18
  • Apache Software Foundation Apache 1.3.19
  • Apache Software Foundation Apache 1.3.20
  • Apache Software Foundation Apache 1.3.22
  • Apache Software Foundation Apache 1.3.23
  • Apache Software Foundation Apache 1.3.24
  • Apache Software Foundation Apache 1.3.3
  • Apache Software Foundation Apache 1.3.4
  • Apache Software Foundation Apache 1.3.9
  • Apache Software Foundation Apache 2.0.0
  • Apache Software Foundation Apache 2.0.28
  • Apache Software Foundation Apache 2.0.32
  • Apache Software Foundation Apache 2.0.35
  • Apache Software Foundation Apache 2.0.36
  • Apache Software Foundation Apache 2.0.37
  • Apache Software Foundation Apache 2.0.38
  • HP Compaq Secure Web Server for OpenVMS 1.0.0 -1
  • HP Compaq Secure Web Server for OpenVMS 1.1.0 -1
  • HP Compaq Secure Web Server for OpenVMS 1.2.0
  • HP HP-UX 11.0.0
  • HP HP-UX 11.0.0 4
  • HP HP-UX 11.11.0
  • HP HP-UX 11.20.0
  • HP HP-UX 11.22.0
  • HP HP-UX (VVOS) 11.0.0 4
  • HP INTERNET EXPRESS EAK 2.0.0
  • HP OpenView Network Node Manager 6.1.0
  • HP OpenView Network Node Manager 6.10.0
  • HP OpenView Network Node Manager 6.2.0
  • HP OpenView Network Node Manager 6.31.0
  • HP OpenView Service Information Portal 1.0.0
  • HP OpenView Service Information Portal 2.0.0
  • HP OpenView Service Information Portal 3.0.0
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.1
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.2
  • HP Tru64 UNIX INTERNET EXPRESS 5.9.0
  • HP VirtualVault 4.5.0
  • HP VirtualVault 4.6.0
  • IBM HTTP Server 1.3.19
  • Macromedia ColdFusion Server MX Developer
  • Macromedia ColdFusion Server MX Enterprise
  • Macromedia ColdFusion Server MX Professional
  • Macromedia JRun 4.0.0
  • Oracle Oracle HTTP Server 1.0.2 .0
  • Oracle Oracle HTTP Server 1.0.2 .1
  • Oracle Oracle HTTP Server 1.0.2 .2
  • Oracle Oracle HTTP Server 1.0.2 .2 Roll up 2
  • Oracle Oracle HTTP Server 8.1.7
  • Oracle Oracle HTTP Server 9.0.1
  • Oracle Oracle HTTP Server 9.0.2
  • Oracle Oracle HTTP Server 9.1.0
  • Oracle Oracle HTTP Server 9.2.0 .0
  • Oracle Oracle HTTP Server for Apps only 1.0.2 .1s
  • Red Hat Secure Web Server 3.2.0 i386

References

  • BugTraq: 5033
  • CERT: CA-2002-17
  • CVE: CVE-2002-0392
  • URL: http://www.mycert.org.my/advisory/MA-044.072002.html
  • URL: http://httpd.apache.org/info/security_bulletin_20020617.txt

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.