logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Denial of Service in Apache HTTP Server
Date: 2003-04-10

Author : IDEFENSE <dendler@idefense.com>
Version Fran├žaise : http://www.k-otik.com/bugtraq/04.08.apache.php

iDEFENSE Security Advisory 04.08.03:
http://www.idefense.com/advisory/04.08.03.txt
Denial of Service in Apache HTTP Server 2.x
April 8, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern operating
systems including Unix and Microsoft Corp.'s Windows. More information is
available at http://httpd.apache.org/ .

II. DESCRIPTION

Remote exploitation of a memory leak in the Apache HTTP Server causes the
daemon to over utilize system resources on an affected system. The problem
is HTTP Server's handling of large chunks of consecutive linefeed
characters. The web server allocates an eighty-byte buffer for each
linefeed character without specifying an upper limit for allocation.
Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters.

III. ANALYSIS

While this type of attack is most effective in an intranet setting, remote
exploitation over the Internet, while bandwidth intensive, is feasible.
Remote exploitation could consume system resources on a targeted system
and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has
performed research using proof of concept exploit code to demonstrate the
impact of this vulnerability. A successful exploitation scenario requires
between two and seven megabytes of traffic exchange.

IV. DETECTION

Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
vulnerable; all 2.x versions up to and including 2.0.44 are most likely
vulnerable as well.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
downloaded at http://httpd.apache.org/download.cgi . This release
introduces a limit of 100 blank lines accepted before an HTTP connection
is discarded.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0132 to this issue.

VII. DISCLOSURE TIMELINE

01/23/2003 Issue disclosed to iDEFENSE
03/06/2003 security@apache.org contacted
03/06/2003 Response from Lars Eilebrecht
03/11/2003 Status request from iDEFENSE
03/13/2003 Response received from Mark J Cox
03/23/2003 Response received from Brian Pane
03/25/2003 iDEFENSE clients notified
04/08/2003 Coordinated Public Disclosure


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy