From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 10:42:02 2003
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0C0A37B41C for ; Tue, 8 Apr 2003 10:42:01 -0700 (PDT)
Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 91F2943F3F for ; Tue, 8 Apr 2003 10:41:58 -0700 (PDT) (envelope-from munk@users.munk.nu)
Received: from users.munk.nu (munk@localhost [127.0.0.1]) by users.munk.nu (8.12.9/8.12.8) with ESMTP id h38HhP3U019496 for ; Tue, 8 Apr 2003 18:43:25 +0100 (BST) (envelope-from munk@users.munk.nu)
Received: (from munk@localhost) by users.munk.nu (8.12.9/8.12.8/Submit) id h38HhPkq019495 for security@freebsd.org; Tue, 8 Apr 2003 18:43:25 +0100 (BST)
Date: Tue, 8 Apr 2003 18:43:24 +0100
From: Jez Hancock
To: FreeBSD Security List
Message-ID: <20030408174324.GB18965@users.munk.nu>
Mail-Followup-To: FreeBSD Security List
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="0F1p//8PRICkK4MW"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.4.1i
Subject: [labs@idefense.com: iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Apr 2003 17:42:02 -0000

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

FYI

--0F1p//8PRICkK4MW
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [205.206.231.26]) by users.munk.nu (8.12.9/8.12.8) with ESMTP id h38HAF3U018956 for ; Tue, 8 Apr 2003 18:10:15 +0100 (BST) (envelope-from bugtraq-return-9111-munk=munk.nu@securityfocus.com)
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 11C158F2C0; Tue, 8 Apr 2003 10:59:26 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: 
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8970 invoked from network); 8 Apr 2003 16:42:15 -0000
From: "iDEFENSE Labs"
To: bugtraq@securityfocus.com
Date: Tue, 8 Apr 2003 12:44:39 -0400
Subject: iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x
Reply-To: labs@idefense.com
Message-ID: <3E92C437.22201.645BF98@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 04.08.03:
http://www.idefense.com/advisory/04.08.03.txt
Denial of Service in Apache HTTP Server 2.x
April 8, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to
develop and maintain an open-source web server for modern operating
systems including Unix and Microsoft Corp.'s Windows. More information
is available at http://httpd.apache.org/ .

II. DESCRIPTION

Remote exploitation of a memory leak in the Apache HTTP Server causes
the daemon to over utilize system resources on an affected system.

The problem is HTTP Server's handling of large chunks of consecutive
linefeed characters. The web server allocates an eighty-byte buffer for
each linefeed character without specifying an upper limit for
allocation. Consequently, an attacker can remotely exhaust system
resources by generating many requests containing these characters.

III. ANALYSIS

While this type of attack is most effective in an intranet setting,
remote exploitation over the Internet, while bandwidth intensive, is
feasible. Remote exploitation could consume system resources on a
targeted system and, in turn, render the Apache HTTP daemon unavailable.

iDEFENSE has performed research using proof of concept exploit code to
demonstrate the impact of this vulnerability. A successful exploitation
scenario requires between two and seven megabytes of traffic exchange.

IV. DETECTION

Both the Windows and Unix implementations of Apache HTTP Server 2.0.44
are vulnerable; all 2.x versions up to and including 2.0.44 are most
likely vulnerable as well.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
downloaded at http://httpd.apache.org/download.cgi . This release
introduces a limit of 100 blank lines accepted before an HTTP connection
is discarded.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0132 to this issue.

VII. DISCLOSURE TIMELINE

01/23/2003 Issue disclosed to iDEFENSE
03/06/2003 security@apache.org contacted
03/06/2003 Response from Lars Eilebrecht
03/11/2003 Status request from iDEFENSE
03/13/2003 Response received from Mark J Cox
03/23/2003 Response received from Brian Pane
03/25/2003 iDEFENSE clients notified
04/08/2003 Coordinated Public Disclosure

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical vulnerabilities
and hacker profiling to the global spread of viruses and other malicious
code. Our security intelligence services provide decision-makers,
frontline security professionals and network administrators with timely
access to actionable intelligence and decision support on cyber-related
threats. For more information, visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpL7k/rkky7kqW5PEQKSEQCfbqX0EJWYTE1oqFUwpBqGWiFI5esAoMZI
P/F2T7UtpHxj1aaJqnJzSyFa
=1dI8
-----END PGP SIGNATURE-----

--0F1p//8PRICkK4MW--
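As an added illustration, not part of the forwarded advisory and not Apache httpd code: a simplified C model of the two request-reader shapes the advisory's DESCRIPTION and VENDOR FIX sections describe. The unbounded reader draws an 80-byte line buffer from a per-request pool for every line it consumes, blank lines included, so a client that sends a stream of bare linefeeds grows the pool without limit until the request ends. The bounded reader accepts at most 100 blank lines and then discards the connection, which caps pool growth at 101 buffers no matter how many linefeeds arrive. The 80-byte buffer and the 100-line limit are the figures quoted in the advisory; the pool structure, the function names, the return codes and the constructed flood input are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only, not Apache httpd code. LINE_BUF_SIZE and
 * LIMIT_BLANK_LINES are the figures the advisory quotes; everything else
 * here (pool, names, sample input) is an assumption made for the example. */
#define LINE_BUF_SIZE        80
#define LIMIT_BLANK_LINES    100

#define READ_OK              0   /* request line delivered in *line */
#define READ_EOF            -1   /* input ended before any request line */
#define READ_TOO_MANY_BLANKS -2  /* limit reached: discard the connection */

/* Toy request pool: nothing is released until the request ends, so every
 * buffer drawn while skipping blank lines stays resident until then. */
struct req_pool { void **blocks; size_t nblocks, cap, bytes; };

static void *pool_alloc(struct req_pool *p, size_t n) {
    if (p->nblocks == p->cap) {
        size_t ncap = p->cap ? p->cap * 2 : 16;
        void **nb = realloc(p->blocks, ncap * sizeof *nb);
        if (!nb) abort();
        p->blocks = nb;
        p->cap = ncap;
    }
    void *m = malloc(n);
    if (!m) abort();
    p->blocks[p->nblocks++] = m;
    p->bytes += n;
    return m;
}

static void pool_destroy(struct req_pool *p) {
    for (size_t i = 0; i < p->nblocks; i++) free(p->blocks[i]);
    free(p->blocks);
    memset(p, 0, sizeof *p);
}

/* Copy the next line of in[*pos..len) into a fresh LINE_BUF_SIZE pool buffer,
 * stripping the LF and an optional preceding CR. Returns the stripped length
 * (0 for a blank line) or -1 at end of input. Over-long lines are truncated. */
static long read_line(struct req_pool *pool, const char *in, size_t len,
                      size_t *pos, char **out) {
    if (*pos >= len) return -1;
    const char *start = in + *pos;
    const char *nl = memchr(start, '\n', len - *pos);
    size_t n = nl ? (size_t)(nl - start) : len - *pos;
    *pos += n + (nl ? 1 : 0);
    if (n > 0 && start[n - 1] == '\r') n--;
    if (n >= LINE_BUF_SIZE) n = LINE_BUF_SIZE - 1;
    char *buf = pool_alloc(pool, LINE_BUF_SIZE);
    memcpy(buf, start, n);
    buf[n] = '\0';
    *out = buf;
    return (long)n;
}

/* Vulnerable shape: skip leading blank lines with no upper bound, so a client
 * sending N bare LFs costs N * LINE_BUF_SIZE bytes of pool memory. */
int read_request_line_unbounded(struct req_pool *pool, const char *in,
                                size_t len, char **line) {
    size_t pos = 0;
    long n;
    do {
        n = read_line(pool, in, len, &pos, line);
        if (n < 0) return READ_EOF;
    } while (n == 0);
    return READ_OK;
}

/* Fixed shape: accept at most LIMIT_BLANK_LINES blank lines, then give up and
 * drop the connection. Pool growth is capped at LIMIT_BLANK_LINES + 1 buffers. */
int read_request_line_bounded(struct req_pool *pool, const char *in,
                              size_t len, char **line) {
    size_t pos = 0;
    int blanks_left = LIMIT_BLANK_LINES;
    long n;
    do {
        n = read_line(pool, in, len, &pos, line);
        if (n < 0) return READ_EOF;
    } while (n == 0 && --blanks_left >= 0);
    return n == 0 ? READ_TOO_MANY_BLANKS : READ_OK;
}

/* Run one reader over a constructed flood of `blanks` bare LFs followed by a
 * single request line; returns the reader's result and the pool bytes used. */
static int run_flood(int bounded, size_t blanks, size_t *bytes) {
    const char *req = "GET / HTTP/1.0\r\n";   /* constructed sample request */
    size_t len = blanks + strlen(req);
    char *in = malloc(len);
    if (!in) abort();
    memset(in, '\n', blanks);
    memcpy(in + blanks, req, strlen(req));
    struct req_pool pool = {0};
    char *line = NULL;
    int rc = bounded ? read_request_line_bounded(&pool, in, len, &line)
                     : read_request_line_unbounded(&pool, in, len, &line);
    *bytes = pool.bytes;
    pool_destroy(&pool);
    free(in);
    return rc;
}

int flood_result(int bounded, size_t blanks) { size_t b; return run_flood(bounded, blanks, &b); }
size_t flood_bytes(int bounded, size_t blanks) { size_t b; run_flood(bounded, blanks, &b); return b; }

int main(void) {
    size_t b;
    int rc = run_flood(0, 500, &b);
    printf("unbounded: rc=%d pool=%zu bytes\n", rc, b);   /* 501 buffers */
    rc = run_flood(1, 500, &b);
    printf("bounded:   rc=%d pool=%zu bytes\n", rc, b);   /* 101 buffers, then drop */
    return 0;
}
```

Build with any C99 compiler and run; the main compares a 500-linefeed flood under both readers. The point the advisory makes is visible in the numbers: pool usage under the unbounded reader scales with the attacker's traffic, while under the bounded reader it stops at 101 buffers and the connection is dropped, which is why the fix is a hard cap on blank lines rather than a larger buffer.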