[VulnWatch] iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x

From: iDEFENSE Labs (labs@idefense.com)
Date: 04/08/03

    From: "iDEFENSE Labs" <labs@idefense.com>
    To: vulnwatch@vulnwatch.org
    Date: Tue, 8 Apr 2003 12:44:39 -0400
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 04.08.03:
    http://www.idefense.com/advisory/04.08.03.txt
    Denial of Service in Apache HTTP Server 2.x
    April 8, 2003

    I. BACKGROUND

    The Apache Software Foundation's HTTP Server Project is an effort to
    develop and maintain an open-source web server for modern operating
    systems including Unix and Microsoft Corp.'s Windows. More information is
    available at http://httpd.apache.org/ .

    II. DESCRIPTION

    Remote exploitation of a memory leak in the Apache HTTP Server causes the
    daemon to overutilize system resources on an affected system. The problem
    lies in the HTTP Server's handling of large chunks of consecutive linefeed
    characters. The web server allocates an eighty-byte buffer for each
    linefeed character without specifying an upper limit for allocation.
    Consequently, an attacker can remotely exhaust system resources by
    generating many requests containing these characters.

    III. ANALYSIS

    While this type of attack is most effective in an intranet setting, remote
    exploitation over the Internet, while bandwidth intensive, is feasible.
    Remote exploitation could consume system resources on a targeted system
    and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has
    performed research using proof of concept exploit code to demonstrate the
    impact of this vulnerability. A successful exploitation scenario requires
    between two and seven megabytes of traffic exchange.

    IV. DETECTION

    Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
    vulnerable; all 2.x versions up to and including 2.0.44 are most likely
    vulnerable as well.

    V. VENDOR FIX/RESPONSE

    Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
    downloaded at http://httpd.apache.org/download.cgi . This release
    introduces a limit of 100 blank lines accepted before an HTTP connection
    is discarded.

    VI. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
    assigned the identification number CAN-2003-0132 to this issue.

    VII. DISCLOSURE TIMELINE

    01/23/2003 Issue disclosed to iDEFENSE
    03/06/2003 security@apache.org contacted
    03/06/2003 Response from Lars Eilebrecht
    03/11/2003 Status request from iDEFENSE
    03/13/2003 Response received from Mark J Cox
    03/23/2003 Response received from Brian Pane
    03/25/2003 iDEFENSE clients notified
    04/08/2003 Coordinated Public Disclosure

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world — from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPpL7k/rkky7kqW5PEQKSEQCfbqX0EJWYTE1oqFUwpBqGWiFI5esAoMZI
    P/F2T7UtpHxj1aaJqnJzSyFa
    =1dI8
    -----END PGP SIGNATURE-----
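
Added example, not part of the advisory and not Apache's own code: a sketch of the kind of check section V describes, counting blank lines ahead of the request line with a single per-connection counter (no allocation per linefeed) and discarding the connection after 100. The names skip_blank_lines, feed_blank_lines and MAX_BLANK_LINES are hypothetical, and the input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLANK_LINES 100   /* limit stated in the advisory for 2.0.45 */

enum verdict { NEED_MORE, REQUEST_START, DISCARD };

/* Skip blank lines that precede the request line. The only state kept per
 * connection is one counter, so memory use does not grow with the input.
 * *used is set to the number of bytes the caller may drop from its buffer. */
enum verdict skip_blank_lines(unsigned *blank_lines, const char *buf,
                              size_t len, size_t *used)
{
    size_t i = 0;
    *used = 0;
    while (i < len) {
        size_t eol = i;
        if (buf[eol] == '\r') {
            if (eol + 1 == len)
                return NEED_MORE;     /* CR split across reads: keep it */
            eol++;
        }
        if (buf[eol] != '\n')
            return REQUEST_START;     /* buf + *used is the first non-blank byte */
        i = eol + 1;
        *used = i;
        if (++*blank_lines > MAX_BLANK_LINES)
            return DISCARD;           /* caller closes the connection */
    }
    return NEED_MORE;
}

/* Constructed input: n CRLF pairs, then a request line, one read at a time. */
enum verdict feed_blank_lines(unsigned n)
{
    const char *req = "GET / HTTP/1.1\r\n";
    unsigned count = 0;
    size_t used;
    for (unsigned k = 0; k < n; k++)
        if (skip_blank_lines(&count, "\r\n", 2, &used) == DISCARD)
            return DISCARD;
    return skip_blank_lines(&count, req, strlen(req), &used);
}

int main(void)
{
    printf("100 blank lines: %d, 101 blank lines: %d\n",
           feed_blank_lines(100), feed_blank_lines(101));
    return 0;
}
```

The counter must live with the connection rather than with a single read, otherwise blank lines spread across many small reads would never reach the limit.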

