SecureMac, Inc.

OSX -CGI Flaw

June 2, 2001

A fatal bug in MacOS X Server renders Apple’s new operating system practically useless as a web server. The problem is particularly critical since it affects MacOS X Server release 1.0 in one of its key features.

During a server load test at c’t Labs, the Apache web server built into the OS caused the machine to halt with a fatal “System Panic” error following successive CGI script queries.

CGI scripts (Common Gateway Interface) are a common server extension, frequently used for web queries. The test stopped the system cold whenever 32 or more processes repeatedly requested CGI scripts from the server — this corresponds to the activity usually caused by several hundred surfers. It was always necessary to do a hard reboot via the reset switch. Neither the restart feature (“press R to Reboot”) nor the low-level debugger (“press M to Monitor”) built into MacOS X would work at this point.

It doesn’t matter whether the processes are started locally or by a user request through the Web. Every owner of MacOS X Server can reproduce this problem — even without connecting the machine to the Internet.

c’t editor Jürgen Schmidt has written a shell script (CGI Panic) which will launch the Apache Benchmark (“ab”) built into the server and crash the machine after 32 successive calls. Similar applications such as WebBench should cause the same reaction. The exploit offers crackers an easy way to sabotage servers: They can repeatedly call a CGI script and thereby paralyze every web site operating under MacOS X Server.

The fact that Apache can single-handedly crash the entire system calls Apple’s implementation of the Unix system into question. Even with 512 or 1024 processes running in parallel, the server should at worst slow down or issue error messages. The problem might be caused by an error in the MacOS X Mach Kernel which is triggered by a large number of simultaneous processes. It might not be limited to CGI scripts.

Apple employees were able to reproduce the crash after being contacted by c’t magazine. As long as there is no patch for the problem, MacOS X Server administrators should deactivate the execution of CGI scripts.
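
Deactivating CGI execution starts with finding every place where the Apache configuration enables it. The shell function below is an added example, not code from the original article or from c’t: the directive names are standard Apache ones, while the sample configuration and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: list active Apache directives that enable CGI execution.
# Usage: find_cgi_directives /path/to/httpd.conf  (exit 0 = CGI enabled, 1 = none found)
find_cgi_directives() {
    awk '
        /^[ \t]*#/ { next }    # commented-out directives are already inactive
        {
            # trailing space lets the patterns match a keyword at end of line
            line = tolower($0) " "; hit = 0
            # ScriptAlias / ScriptAliasMatch map a URL path to a CGI directory
            if (line ~ /^[ \t]*scriptalias(match)?[ \t]/) hit = 1
            # Options ExecCGI, +ExecCGI or All permit CGI (-ExecCGI does not)
            if (line ~ /^[ \t]*options[ \t]/ && line ~ /[ \t]([+]?execcgi|all)[ \t]/) hit = 1
            # AddHandler / SetHandler cgi-script treat matching files as CGI
            if (line ~ /^[ \t]*(add|set)handler[ \t]+cgi-script/) hit = 1
            if (hit) { printf "%d: %s\n", NR, $0; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configuration (not taken from a real server).
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerName www.example.com
ScriptAlias /cgi-bin/ "/constructed/path/CGI-Executables/"
#ScriptAlias /old-cgi/ "/constructed/path/old/"
<Directory "/constructed/path/Documents">
    Options Indexes FollowSymLinks +ExecCGI
</Directory>
<Directory "/constructed/path/static">
    Options Indexes -ExecCGI
</Directory>
AddHandler cgi-script .cgi
AddHandler server-parsed .shtml
EOF
}

# Run with --demo to check the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_conf "$tmp"
    find_cgi_directives "$tmp" && echo "CGI execution is enabled"
    rm -f "$tmp"
fi
```

Each reported line is a directive to comment out or change to `-ExecCGI` before restarting Apache; an exit status of 1 means no active CGI-enabling directive remains in that file.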
