SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Apache
Vendors:  Apache Software Foundation
Apache Web Server for Windows Lets Remote Users Crash the Web Server Application
Date:  Apr 13 2001
Impact:  Denial of service via network
Exploit Included:  Yes  
Description:  Apache web server for Win32 reportedly contains a vulnerability that allows remote users to crash the server application and may allow for execution of arbitrary code.

This vulnerability is reported to exist in versions 1.3.14 and 1.3.15 (default installation) on Windows 98SE and Windows 2000 SP1. When a remote user sends a string of 8192 characters, "(http command) <space> string 0d 0a", the server will crash.

The user reports that it may be possible to insert executable shell code into the string and that it may be possible to open many connections to cause the server to consume all resources.

Impact:  A remote user can cause the server application to crash.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.apache.org/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  Auriemma Luigi <kaino3@GENIE.IT>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 16 2001 (Additional Information) Re: Apache Web Server for Windows Lets Remote Users Crash the Web Server Application   (Auriemma Luigi <kaino3@GENIE.IT>)
Additional information about the failure to log these attacks is provided.
Oct 14 2001 (Apache Issues Fix) Re: Apache Web Server for Windows Lets Remote Users Crash the Web Server Application   (Mark J Cox <mjc@apache.org>)
A new version has been released.



 Source Message Contents

Date:  Thu, 12 Apr 2001 13:56:49 +0200
From:  Auriemma Luigi <kaino3@GENIE.IT>
Subject:  Apache Win32 8192 chars string bug

 

Credits: Auriemma Luigi <kaino3@genie.it>

I have found a little bug in some versions of Apache WebServer for
Win32.
I have tested 1.3.14 and 1.3.15 (default installation) on Win98SE and
Win2ksp1, and they are vulnerable; today I have tested an Apache 1.3.9
with ApacheJServ/1.0 and it doesn't work (Access Forbidden), probably it
wants a string more or less long.
The bug consists in sending a string of 8192 chars: (http command) <space>
string 0d 0a.
The string is 8190 bytes long, the last 2 bytes are the return code (0d 0a).
If anyone sends this string, Apache gives an error to the administrator, and
leaves the connection alive in idle until the administrator closes the crash
window that appears. And if we add 100 other 8192 chars strings (for
example Accept: (8182 of "A")), the range of memory occupied by the string
is more. In Windows 98 if someone sends 2 or more strings from different
connections, we have only a crash, but all the connections in idle; instead
in Win NT/2000 we have all the crashes and all the connections in idle. I
think that someone can use this bug in 2 or more methods:

1) Insert a shellcode in the string
2) Open a lot of connections with the 8192 chars string to saturate all
resources

Some examples:

1) GET (8184 of "/") /

2) HEAD /(8182 of "A") /

3) GET (8184 of "/") /
      for 100 times:
   Accept: (8182 of "/")

4) GET (8177 of "/") HTTP/1.0

5) All your fantasy!


Thanks for your attention.
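
A check a front-end proxy or sensor could apply for the request shape described in the message above, given as an added example that is not part of the original advisory or post. The function name, the 8000-byte alert threshold and the sample requests are assumptions made for this example; only the 8190-byte line length (8192 with 0d 0a) comes from the report.

```python
"""Flag HTTP request heads whose lines reach the length reported in the advisory."""

# From the advisory: 8190 bytes of line content plus CRLF (0d 0a) = 8192.
REPORTED_LINE_LEN = 8190
# Assumption for this example: alert somewhat below the reported length.
DEFAULT_THRESHOLD = 8000


def scan_request_head(raw: bytes, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Inspect the request line and header lines of one raw HTTP request.

    Returns findings that can be logged upstream of the web server, since the
    follow-up message says the server itself does not log these requests.
    """
    # Only the head matters here; a body, if any, follows the empty line.
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    findings = {"suspicious": False, "long_lines": [],
                "exact_match": False, "unterminated": False}
    for index, line in enumerate(lines):
        if len(line) >= threshold:
            kind = "request-line" if index == 0 else "header"
            # Record kind, position and length only, never the filler bytes.
            findings["long_lines"].append((kind, index, len(line)))
            if len(line) == REPORTED_LINE_LEN:
                findings["exact_match"] = True
    # A long head with no CRLF at all: the line was never terminated.
    if b"\r\n" not in raw and len(raw) >= threshold:
        findings["unterminated"] = True
    findings["suspicious"] = bool(findings["long_lines"]) or findings["unterminated"]
    return findings


if __name__ == "__main__":
    # Constructed samples; a low threshold keeps the demonstration small.
    samples = [
        b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
        b"GET / HTTP/1.0\r\nAccept: " + b"x" * 100 + b"\r\n\r\n",
    ]
    for sample in samples:
        print(scan_request_head(sample, threshold=64))
```

Each oversized `Accept:`-style line is reported as its own `header` entry, so the length of `long_lines` also shows how many such lines one request carried.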

 



Copyright 2001, SecurityGlobal.net LLC