| Denial of Service in Apache HTTP Server
Author : IDEFENSE <firstname.lastname@example.org>
Version Française : http://www.k-otik.com/bugtraq/04.08.apache.php
iDEFENSE Security Advisory 04.08.03:
Denial of Service in Apache HTTP Server 2.x
April 8, 2003
The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern operating
systems including Unix and Microsoft Corp.'s Windows. More information
available at http://httpd.apache.org/ .
Remote exploitation of a memory leak in the Apache HTTP Server causes
daemon to over utilize system resources on an affected system. The problem
is HTTP Server's handling of large chunks of consecutive linefeed
characters. The web server allocates an eighty-byte buffer for each
linefeed character without specifying an upper limit for allocation.
Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters.
While this type of attack is most effective in an intranet setting, remote
exploitation over the Internet, while bandwidth intensive, is feasible.
Remote exploitation could consume system resources on a targeted system
and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has
performed research using proof of concept exploit code to demonstrate
impact of this vulnerability. A successful exploitation scenario requires
between two and seven megabytes of traffic exchange.
Both the Windows and Unix implementations of Apache HTTP Server 2.0.44
vulnerable; all 2.x versions up to and including 2.0.44 are most likely
vulnerable as well.
V. VENDOR FIX/RESPONSE
Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
downloaded at http://httpd.apache.org/download.cgi . This release
introduces a limit of 100 blank lines accepted before an HTTP connection
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2003-0132 to this issue.
VII. DISCLOSURE TIMELINE
01/23/2003 Issue disclosed to iDEFENSE
03/06/2003 email@example.com contacted
03/06/2003 Response from Lars Eilebrecht
03/11/2003 Status request from iDEFENSE
03/13/2003 Response received from Mark J Cox
03/23/2003 Response received from Brian Pane
03/25/2003 iDEFENSE clients notified
04/08/2003 Coordinated Public Disclosure
Get paid for security research
Subscribe to iDEFENSE Advisories:
send email to firstname.lastname@example.org, subject line: "subscribe"
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .