[UNIX] Apache/Tomcat Denial of Service and Information Leakage Vulnerability

From: support@securiteam.com
Date: 12/05/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 5 Dec 2002 23:51:28 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Apache/Tomcat Denial of Service and Information Leakage Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The Apache HTTP Server Project is an effort to develop and maintain an
    open-source HTTP server for operating systems including UNIX and Windows
    NT. Apache has been the most popular web server on the Internet for the
    last 5 years.

    The Jakarta Project (http://jakarta.apache.org) creates and maintains
    open source solutions on the Java platform for distribution to the public
    at no charge. Tomcat 4 is the official Reference Implementation of the
    Servlet 2.3 and JavaServer Pages 1.2 technologies.

    Mod_jk is an Apache module which allows Apache to deliver web requests
    transparently to the Tomcat engine. It supports several protocols, in
    particular the Apache JServ Protocol 1.3 (AJP13).

    When these components are combined there exists an inconsistency in the
    communication protocols implemented by mod_jk which allows a malicious
    user to desynchronize Apache-Tomcat communications and render the Tomcat
    service useless until the operator can intervene. The nature of the
    desynchronization may also result in information leakage which may be used
    to collect private data from legitimate users of the site.

    DETAILS

    Vulnerable systems:
     * mod_jk 1.2 using Apache JServ Protocol 1.3
     * Apache 1.3.x
     * Tomcat 4.x Server

    A client may connect to the target machine and deliver several requests
    with an invalid chunked-encoded body, e.g.:

    GET /index.jsp HTTP/1.1
    Host: victim.com
    Transfer-Encoding: Chunked

    53636f7474

    The request path is not relevant. After several requests like this are
    made, the server becomes desynchronized and other users of the site begin
    to see responses mixed between users. Responses no longer match the
    requests that produced them, and the server is useless until either
    Apache or Tomcat is restarted.
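    A front-end filter or log-replay check can reject the malformed request before it ever reaches mod_jk. The validator below is an added example, not code from the advisory or from the mod_jk project; it walks a chunked body and reports the first framing error (non-hex size line, oversized chunk, truncated chunk, missing CRLF). The sample requests and the 1 MiB per-chunk limit are constructed assumptions.

```python
import re

# Constructed sample requests (not captured traffic): the advisory's malformed
# request, a truncated chunk, and a well-formed chunked body.
SAMPLES = {
    "advisory": b"GET /index.jsp HTTP/1.1\r\nHost: victim.com\r\n"
                b"Transfer-Encoding: Chunked\r\n\r\n53636f7474\r\n",
    "truncated": b"POST /a HTTP/1.1\r\nHost: victim.com\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n5\r\nhel",
    "good": b"POST /a HTTP/1.1\r\nHost: victim.com\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
}
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(;[^\r\n]*)?$")  # hex size, optional extension
MAX_CHUNK = 1 << 20  # assumed per-chunk limit enforced by this filter (1 MiB)

def validate_chunked_body(body, max_chunk=MAX_CHUNK):
    """Walk a chunked body; return (ok, reason) for the first framing error found."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            return False, "chunk-size line not terminated by CRLF"
        m = CHUNK_SIZE_RE.match(body[pos:nl])
        if not m:
            return False, "chunk-size line is not a hexadecimal value"
        size = int(m.group(1), 16)
        if size > max_chunk:
            return False, "chunk size %#x exceeds limit" % size
        pos = nl + 2
        if size == 0:
            return True, "ok"  # last chunk; trailers are not validated here
        if len(body) - pos < size + 2:
            return False, "chunk declares %d bytes but only %d remain" % (size, len(body) - pos)
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk data not followed by CRLF"
        pos += size + 2

def check_request(raw):
    """Split headers from body; validate the body only when Transfer-Encoding is chunked."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete headers"
    headers = [l.split(b":", 1) for l in head.split(b"\r\n")[1:] if b":" in l]
    te = [v.strip().lower() for k, v in headers if k.strip().lower() == b"transfer-encoding"]
    if b"chunked" not in te:
        return True, "not chunked"
    return validate_chunked_body(body)
```

The advisory's request declares a chunk of 0x53636f7474 bytes and then ends, so it is rejected on the size limit alone; drop the limit and it is rejected as truncated instead.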

    This happens because mod_jk misinterprets the chunked request: after
    sending the request to Tomcat via AJP13 it immediately sends a second,
    zero-length AJP13 packet (4 bytes: magic number plus a zero size). The
    Tomcat server receives the first request and sends the response back over
    the connection. Upon receiving the second, zero-size packet it repeats the
    query and sends a second response back to mod_jk.

    Mod_jk expects only one response, so it pulls that one off the wire and
    leaves the second response untouched. The next request sent over this
    connection (valid or invalid) generates another response, but mod_jk pulls
    the old duplicate response off the wire and returns it to the requesting
    agent. This desynchronizes queries and responses, leaving the
    communication channel useless. Furthermore, repeated requests eventually
    fill the network buffers, so requests block and the server stops
    responding altogether.
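    The two paragraphs above describe a one-request, one-response assumption that a stray empty packet breaks. The model below is an added illustration, not code from mod_jk or Tomcat: a toy container that replays its last request on a zero-length AJP13 packet, and a toy connector that reads exactly one response per request. The request strings and the response text are constructed; only the AJP13 framing (magic bytes 0x1234 towards the container, "AB" towards the web server, then a 2-byte length) follows the real protocol.

```python
import struct
from collections import deque

MAGIC_TO_CONTAINER = b"\x12\x34"   # AJP13 framing: web server -> container
MAGIC_TO_SERVER = b"AB"            # AJP13 framing: container -> web server

def ajp_packet(payload, magic=MAGIC_TO_CONTAINER):
    """Frame a payload as an AJP13 packet: magic, 2-byte big-endian length, body."""
    return magic + struct.pack(">H", len(payload)) + payload

class TomcatModel:
    """Toy container: replays the previous request when a zero-length packet
    arrives, which is the behaviour the advisory attributes to Tomcat 4."""
    def __init__(self):
        self.last_request = None
        self.wire = deque()   # responses queued towards mod_jk, oldest first

    def receive(self, packet):
        assert packet[:2] == MAGIC_TO_CONTAINER
        size = struct.unpack(">H", packet[2:4])[0]
        if size:
            self.last_request = packet[4:4 + size]
        if self.last_request is not None:   # a zero-size packet repeats the last query
            self.wire.append(ajp_packet(b"response to " + self.last_request, MAGIC_TO_SERVER))

class ModJkModel:
    """Toy connector: forwards one request and reads exactly one response."""
    def __init__(self, tomcat):
        self.tomcat = tomcat

    def forward(self, request, stray_zero_packet=False):
        self.tomcat.receive(ajp_packet(request))
        if stray_zero_packet:   # the extra 4-byte packet mod_jk emits for the bad chunked request
            self.tomcat.receive(MAGIC_TO_CONTAINER + b"\x00\x00")
        pkt = self.tomcat.wire.popleft()   # only one response is ever expected
        return pkt[4:]

def simulate():
    """Return (response seen by user A, response seen by user B, orphaned responses)."""
    tomcat = TomcatModel()
    jk = ModJkModel(tomcat)
    a = jk.forward(b"GET /index.jsp", stray_zero_packet=True)   # the malformed request
    b = jk.forward(b"GET /account.jsp")                          # next legitimate user on this worker
    return a, b, len(tomcat.wire)
```

User A receives the correct page, but user B receives A's duplicate while B's own response stays queued on the wire; every further request on this worker shifts the queue by one more, which is the mixing of responses the advisory describes.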

    Mod_jk uses a pool of workers, so a full-scale denial of service would
    require desynchronizing all of the workers using multiple requests. The
    number of requests required to block a worker completely depends on the
    size of the response and the network buffers.

    The potential for information leakage is great, but the risk is mitigated
    somewhat by the unpredictability of the query-response desynchronization.
    Depending on the target site, a malicious user may be able to steer other
    users to a specific response by saturating the communication channels
    with the desired response.

    Resolution:
    Upgrade to mod_jk 1.2.1:
    http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.1/

    ADDITIONAL INFORMATION

    The information has been provided by Qualys Security.

