Apache/Tomcat Denial Of Service And Information Leakage Vulnerability

From: alias@securityfocus.com
Date: 12/04/02

  • Next message: Martin Schulze: "[SECURITY] [DSA 204-1] New kdlibs packages fix arbitrary program execution"
    Date: 4 Dec 2002 22:42:21 -0000
    From: alias@securityfocus.com
    To: undisclosed-recipients: ;
    

    --
    ______________________________________________________________________
                Qualys Security Advisory QSA-2002-12-04
                            December 4th, 2002
    Apache/Tomcat Denial Of Service And Information Leakage Vulnerability
    ______________________________________________________________________
    SYSTEMS AFFECTED:
    - mod_jk 1.2 using Apache Jserv Protocol 1.3
    - Apache 1.3.x 
    - Tomcat 4.x Server
    ______________________________________________________________________
    SYNOPSIS:
    The Apache HTTP Server Project is an effort to develop and maintain an 
    open-source HTTP server for operating systems including UNIX and 
    Windows NT. Apache has been the most popular web server on the Internet 
    for the last 5 years.
    The Jakarta Project (http://jakarta.apache.org) creates and maintains 
    open source solutions on the Java platform for distribution to the 
    public at no charge. Tomcat 4 is the official Reference Implementation 
    of the Servlet 2.3 and JavaServer Pages 1.2 technologies.
    Mod_jk is an apache module which allows apache to deliver web requests 
    transparently to the tomcat engine. It supports serveral protocols, in 
    particular the Apache Jserv Protocol 1.3 (AJP13).
    When these components are combined there exists an inconsistency in the 
    communcation protocols implemented by mod_jk which allows amalicious 
    user to desynchronise Apache-Tomcat communications and render the 
    Tomcat service useless until the operator can intervene. The nature of 
    the desynchronisation may also result in information leakage which may 
    be used to collect private data from legitimate users of the site.
    RISK FACTOR: HIGH
    ______________________________________________________________________
    VULNERABILITY DETAILS:
    A client may connect to the target machine and deliver several requests 
    with an invalid chunked encoded body e.g.
    GET /index.jsp HTTP/1.1
    Host: victim.com
    Transfer-Encoding: Chunked
    53636f7474
    The request path is not relevant, after several requests like this are 
    made the server becomes desynchronised and other users of the site will 
    begin to see responses mixed between users. The site responses get 
    desynchronised with the requests and the server becomes useless until 
    either apache or tomcat are restarted.
    The reason this happens is that mod_jk misinterprets the chunked 
    request,  after sending the request to Tomcat via AJP13 it immediately 
    sends a second zero length AJP13 packet (4 bytes - magic number + zero 
    size). The tomcat server receives the first request and sends the 
    response back over the connection. Upon receiving the second zero size 
    packet it repeats the query, and again sends a second response back to 
    mod_jk.
    Mod_jk is only expecting one valid response, so it pulls it off the 
    wire and leaves the second response untouched. The next request which 
    is sent over this connection (valid or invalid) will generate another 
    response,  however mod_jk pulls the old duplicate response off the wire 
    and sends this back to the requesting agent. Essentially this 
    desynchronises the queries and responses leaving the communication 
    channel useless, furthermore, repeated requests will eventually fill up 
    the network buffers resulting in the requests blocking and the server 
    completely failing to respond.
    Mod_jk uses a pool of workers so a full scale denial of service would 
    require desyncrhonising all of the workers using multiple requests. The
    Number of requests required to block a worker completely will depend on 
    the size of the response and the network buffers.
    The potential for information leakage is great but the risk is 
    mitigated somewhat by the unpredictability of the query-response 
    desynchronisation. Depending on the target site this may be somewhat 
    exploitable by a malicious user to redirect  other users to a specific 
    response by saturating the communcation channels with a desired response.
    ______________________________________________________________________
    RESOLUTION:
    Upgrade to mod_jk 1.2.1
    http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.1/
    ______________________________________________________________________
    CREDITS:
    The issue was analysed and documented by the Qualys Security Research 
    Team based on a discovery by Grand Central Communications 
    (www.grandcentral.com) while using the QualysGuard vulnerability 
    detection Service.
    ______________________________________________________________________
    CONTACT:
    For more information about the Qualys Security Research Team, visit 
    our website at http://www.qualys.com or send email to 
    research@qualys.com
    ______________________________________________________________________
    LEGAL NOTICE:
    The information contained within this advisory is Copyright (C) 2002
    Qualys Inc.  It may be redistributed provided that no fee is charged 
    for distribution and that the advisory is not modified in any way. 
                                                                            
    ______________________________________________________________________
    


    Relevant Pages

    • Re: Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1
      ... "Expect" header. ... In Apache 2.0.x and 2.2.x, the 417 response will be sent by the server ...
      (Bugtraq)
    • [UNIX] Apache/Tomcat Denial of Service and Information Leakage Vulnerability
      ... Beyond Security would like to welcome Tiscali World Online ... Apache has been the most popular web server on the Internet for the ... A client may connect to the target machine and deliver several requests ... and again sends a second response back to mod_jk. ...
      (Securiteam)
    • Re: "libexpat.so.5" not found
      ... # Based upon the NCSA server configuration files ... # This is the main Apache server configuration file. ... # configuration directives that give the server its ... # which responds to requests that aren't handled ...
      (freebsd-questions)
    • httpd.conf problem
      ... This probably is a stupid question but i did a reinstall of my server ... # This is the main Apache server configuration file. ... # configuration directives that give the server its instructions. ... which allow Web requests to be sent to ...
      (Fedora)
    • Re: mod_rexx vs. mod_php
      ... Moreover I've just realized that after an apache restart (apachectl ... Internal Server Error ... # such as the number of concurrent requests it can handle or where it ... # directives contained in it are actually available _before_ they are ...
      (comp.lang.rexx)