[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 04.08.03:
http://www.idefense.com/advisory/04.08.03.txt
Denial of Service in Apache HTTP Server 2.x
April 8, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern operating
systems including Unix and Microsoft Corp.'s Windows. More information is
available at http://httpd.apache.org/ .

II. DESCRIPTION

Remote exploitation of a memory leak in the Apache HTTP Server causes the
daemon to over utilize system resources on an affected system. The problem
is HTTP Server's handling of large chunks of consecutive linefeed
characters. The web server allocates an eighty-byte buffer for each
linefeed character without specifying an upper limit for allocation.
Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters.

III. ANALYSIS

While this type of attack is most effective in an intranet setting, remote
exploitation over the Internet, while bandwidth intensive, is feasible.
Remote exploitation could consume system resources on a targeted system
and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has
performed research using proof of concept exploit code to demonstrate the
impact of this vulnerability. A successful exploitation scenario requires
between two and seven megabytes of traffic exchange.

IV. DETECTION

Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
vulnerable; all 2.x versions up to and including 2.0.44 are most likely
vulnerable as well.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
downloaded at http://httpd.apache.org/download.cgi . This release
introduces a limit of 100 blank lines accepted before an HTTP connection
is discarded.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0132 to this issue.

VII. DISCLOSURE TIMELINE

01/23/2003	Issue disclosed to iDEFENSE
03/06/2003	security@xxxxxxxxxx contacted
03/06/2003	Response from Lars Eilebrecht
03/11/2003	Status request from iDEFENSE
03/13/2003	Response received from Mark J Cox
03/23/2003	Response received from Brian Pane
03/25/2003	iDEFENSE clients notified
04/08/2003	Coordinated Public Disclosure


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@xxxxxxxxxxxx, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world ? from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpL7k/rkky7kqW5PEQKSEQCfbqX0EJWYTE1oqFUwpBqGWiFI5esAoMZI
P/F2T7UtpHxj1aaJqnJzSyFa
=1dI8
-----END PGP SIGNATURE-----