Web server products range from extremely simple and lightweight software which does little more than serve up static pages, to highly complex application platforms that can handle a large variety of tasks. Historically, web server software has been subject to a wide range of serious security vulnerabilities, which have resulted in arbitrary code execution, file disclosure, and privilege escalation.
Buffer Overflow Vulnerabilities
Buffer overflows are among the most serious flaws that can affect any kind of software, because they normally allow an attacker to take control of execution in the vulnerable process. Achieving arbitrary code execution within a web server will usually enable an attacker to compromise any application that it is hosting.
The following sections present a tiny sample of web server buffer overflows; however, they illustrate the pervasiveness of this flaw, which has arisen in a wide range of different web server products and components.
Microsoft IIS ISAPI Extensions
Microsoft IIS versions 4 and 5 contained a range of ISAPI extensions that were enabled by default. Several of these were found to contain buffer overflows, such as the Internet Printing Protocol extension and the Index Server extension, both of which were discovered in 2001. These flaws enabled an attacker to execute arbitrary code within the Local System context, thereby fully compromising the whole computer, and provided the means of propagation of the Nimda and Code Red worms, which began circulating shortly afterwards. The following Microsoft TechNet bulletins detail these flaws:
Apache Chunked Encoding Overflow
A buffer overflow resulting from an integer signedness error was discovered in 2002 in the Apache web server's handling of chunked transfer encoding. The affected code had been reused in numerous other web server products, which were also affected. For more details, see www.securityfocus.com/bid/5033/discuss.
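To make the "integer signedness error" concrete, the following added example (illustrative code written for this discussion, not Apache's source or any other product's) shows the bug class in a chunk-size check: the hex chunk-size token is held in a signed int and bounds-checked with a signed comparison, so a token whose top bit is set becomes a negative number that passes the check and then converts back to a huge size_t for the copy. The hardened form beside it parses into an unsigned type, fails on overflow rather than wrapping, and compares unsigned. The buffer size, the token values and the function names are constructed for the example; the overrunning copy itself is deliberately not performed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Receive buffer a server might decode chunk bodies into (constructed value). */
#define CHUNK_BUF_SIZE 8192

/* Convert one hex digit; caller has already checked isxdigit(). */
static int hex_val(unsigned char c) {
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Naive parser of the hex chunk-size token: accumulates into a 32-bit unsigned
 * value and silently wraps on overflow (defined for unsigned types, but the
 * true value is lost). Returns 0 on success, -1 if no hex digit was present. */
static int parse_hex_naive(const char *tok, uint32_t *out) {
    uint32_t v = 0;
    int n = 0;
    for (; isxdigit((unsigned char)*tok); tok++, n++)
        v = (v << 4) | (uint32_t)hex_val((unsigned char)*tok);
    if (n == 0) return -1;
    *out = v;
    return 0;
}

/* VULNERABLE pattern (constructed to illustrate the bug class, not Apache's
 * code): the chunk length lives in a signed int and is bounds-checked with a
 * signed comparison. A token such as "ffffffff" becomes -1, which is "less
 * than" the buffer size, so the check passes; converting -1 back to size_t
 * for the copy yields SIZE_MAX, and the copy would overrun the buffer.
 * Returns 1 if the check accepts the length (the would-be copy length is
 * stored in *copy_len), 0 if it rejects it. No copy is performed here. */
static int vulnerable_chunk(const char *tok, size_t *copy_len) {
    uint32_t raw;
    if (parse_hex_naive(tok, &raw) != 0) return 0;
    int chunk_len = (int32_t)raw;             /* two's-complement reinterpretation */
    if (chunk_len > CHUNK_BUF_SIZE) return 0; /* negative values slip through here */
    *copy_len = (size_t)chunk_len;            /* -1 becomes SIZE_MAX */
    return 1;
}

/* 1 if the vulnerable bounds check accepts the token. */
int vulnerable_check_passes(const char *tok) {
    size_t n;
    return vulnerable_chunk(tok, &n);
}

/* 1 if the vulnerable check passes yet the copy length exceeds the buffer. */
int vulnerable_copy_overruns(const char *tok) {
    size_t n;
    return vulnerable_chunk(tok, &n) && n > CHUNK_BUF_SIZE;
}

/* HARDENED form: parse into an unsigned size_t, fail on overflow instead of
 * wrapping, and bounds-check with an unsigned comparison so there is no sign
 * bit to abuse. Returns the accepted chunk length, or -1 on rejection. */
long hardened_chunk_length(const char *tok) {
    size_t v = 0;
    int n = 0;
    for (; isxdigit((unsigned char)*tok); tok++, n++) {
        if (v > (SIZE_MAX >> 4)) return -1;   /* next shift would overflow */
        v = (v << 4) | (size_t)hex_val((unsigned char)*tok);
    }
    if (n == 0) return -1;                    /* no digits at all */
    if (v > CHUNK_BUF_SIZE) return -1;        /* larger than the buffer */
    return (long)v;
}

int main(void) {
    /* Constructed chunk-size tokens: in range, at the limit, over it, and sign-bit set. */
    const char *tokens[] = { "10", "2000", "2001", "7fffffff", "ffffffff", "zz" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-10s vulnerable: pass=%d overrun=%d   hardened: %ld\n",
               tokens[i], vulnerable_check_passes(tokens[i]),
               vulnerable_copy_overruns(tokens[i]), hardened_chunk_length(tokens[i]));
    return 0;
}
```

When reviewing length handling in native server code, the pattern to look for is exactly the one in vulnerable_chunk: a length parsed from untrusted input, stored or compared as a signed type, and later used as a size_t. The hardened version removes both halves of the problem, the wraparound in the parser and the signed comparison in the check.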
Microsoft IIS WebDav Overflow
A buffer overflow in a core component of the Windows operating system was discovered in 2003. There were various attack vectors by which this bug could be exploited, the most significant of which for many customers was the WebDAV support built into IIS 5. The vulnerability was being actively exploited in the wild at the time a fix was produced. This vulnerability is detailed at www.microsoft.com/technet/security/bulletin/MS03-007.mspx.
iPlanet Search Overflow
The search component of the iPlanet web server was found to be vulnerable to a stack overflow in 2002. By supplying an overlong parameter value, an attacker could achieve execution of arbitrary code, by default with Local System privileges. For more details, see www.ngssoftware.com/advisories/sun-iws.txt.