98082 2003-04-08 19:12 /92 rader/ iDEFENSE Labs <labs@idefense.com> Importerad: 2003-04-08 19:12 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Externa svar till: labs@idefense.com Mottagare: Bugtraq (import) <4418> Ärende: iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x ------------------------------------------------------------ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 04.08.03: http://www.idefense.com/advisory/04.08.03.txt Denial of Service in Apache HTTP Server 2.x April 8, 2003 I. BACKGROUND The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ . II. DESCRIPTION Remote exploitation of a memory leak in the Apache HTTP Server causes the daemon to over utilize system resources on an affected system. The problem is HTTP Server's handling of large chunks of consecutive linefeed characters. The web server allocates an eighty-byte buffer for each linefeed character without specifying an upper limit for allocation. Consequently, an attacker can remotely exhaust system resources by generating many requests containing these characters. III. ANALYSIS While this type of attack is most effective in an intranet setting, remote exploitation over the Internet, while bandwidth intensive, is feasible. Remote exploitation could consume system resources on a targeted system and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has performed research using proof of concept exploit code to demonstrate the impact of this vulnerability. A successful exploitation scenario requires between two and seven megabytes of traffic exchange. IV. DETECTION Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are vulnerable; all 2.x versions up to and including 2.0.44 are most likely vulnerable as well. V. VENDOR FIX/RESPONSE Apache HTTP Server 2.0.45, which fixes this vulnerability, can be downloaded at http://httpd.apache.org/download.cgi . This release introduces a limit of 100 blank lines accepted before an HTTP connection is discarded. VI. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0132 to this issue. VII. DISCLOSURE TIMELINE 01/23/2003 Issue disclosed to iDEFENSE 03/06/2003 security@apache.org contacted 03/06/2003 Response from Lars Eilebrecht 03/11/2003 Status request from iDEFENSE 03/13/2003 Response received from Mark J Cox 03/23/2003 Response received from Brian Pane 03/25/2003 iDEFENSE clients notified 04/08/2003 Coordinated Public Disclosure Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe" About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com . -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPpL7k/rkky7kqW5PEQKSEQCfbqX0EJWYTE1oqFUwpBqGWiFI5esAoMZI P/F2T7UtpHxj1aaJqnJzSyFa =1dI8 -----END PGP SIGNATURE----- (98082) /iDEFENSE Labs <labs@idefense.com>/(Ombruten)