Apache Web Server mod_cgi Error May Let Malicious CGI Scripts Crash the Web Service

SecurityTracker Alert ID: 1007823
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 27 2003
Impact: Denial of service via local system
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0.47

Description: A denial of service vulnerability was reported in the Apache 2.0 web server. A user with the ability to place CGI scripts on the server can cause the web service to hang.

It is reported that CGI scripts that generate more than 4k of output to STDERR will cause the CGI script to hang. This, in turn, may cause the Apache httpd process to hang while waiting for additional input from the CGI process due to a blocked write() function call in mod_cgi. The Apache httpd server may fail to respond to subsequent requests.

A demonstration exploit script is provided in the Source Message.

Brandon Black is credited with reporting this flaw.

Impact: A user with privileges to place CGI scripts on the server can call a malicious script that will cause the httpd process to hang.

Solution: The vendor has issued a fixed version of mod_cgi.c, available from the Apache 2.1 CVS repository.

Vendor URL: nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
Cause: State error
Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Fri, 26 Sep 2003 23:45:58 -0400
Subject: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030
> Apache 2.0.47
> SECURITY: 4097+ bytes of stderr from cgi script causes script to hang
Reported by Brandon Black
> If a cgi script under mod_cgi outputs more than 4096 bytes of stderr before it
> finishes writing to and closing its stdout, the write() in the cgi script
> containing the 4097th byte of stderr will hang indefinitely, hanging the
> script's execution.
>
> This appears to be caused by the fact that mod_cgi reads all stdout output
> first, and then begins reading stderr output. APR's file_io which is handling
> the streams will only buffer 4096 characters before further writes by the
> script to stderr will hang, waiting for mod_cgi to read some of the data from
> the stream via APR file_io.
>
> This occurred for me where a perl cgi script was producing a large volume of
> harmless warning messages to ssl_error_log before it got to the part of its
> execution where it actually wrote the stdout output, and causing the script to
> hang and produce no output to the end user. Below is a test script to
> demonstrate:
>
> #!/usr/bin/perl
> # 24x170 = 4080 bytes to stderr
> foreach my $x (1..24) {
>     print STDERR 'X' x 169 . "\n";
> }
> # + 17 more bytes, putting us at 4097
> # Delete one char from the print below to make
> # it work again
> print STDERR "0123456789ABCDEF\n";
> # Our actual script output, which never comes
> print "Content-type: text/plain\n\nASDF\n";
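
The report attributes the hang to mod_cgi reading all of stdout before it starts on stderr. As an added example (not from the report and not Apache's code), this C parent avoids that ordering by draining both pipes together with poll(). The names `noisy_child`, `run_and_drain` and `ERR_BYTES` are made up here, and the child is a constructed stand-in that writes 200000 bytes to stderr so that it overruns a 64 KiB Linux pipe as well as the 4096-byte buffer in the report.

```c
#include <poll.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define ERR_BYTES 200000L /* constructed: far past the 4096-byte buffer in the report */

/* Constructed stand-in for the CGI script: noisy stderr first, then stdout. */
static void noisy_child(void) {
    char line[1000];
    const char *body = "Content-type: text/plain\n\nASDF\n";
    memset(line, 'X', sizeof line);
    for (long i = 0; i < ERR_BYTES / 1000; i++)
        if (write(STDERR_FILENO, line, sizeof line) < 0) _exit(1);
    _exit(write(STDOUT_FILENO, body, strlen(body)) < 0);
}

/* Drain stdout and stderr together with poll() so a full stderr pipe cannot
 * stall the child while the parent waits on stdout.
 * Returns 0 once both streams reach EOF; byte counts go to out_n / err_n. */
int run_and_drain(long *out_n, long *err_n) {
    int out[2], err[2], open_fds = 2;
    long total[2] = {0, 0};
    char buf[4096];
    if (pipe(out) < 0 || pipe(err) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: wire the pipes to fd 1 and 2 */
        dup2(out[1], STDOUT_FILENO); dup2(err[1], STDERR_FILENO);
        close(out[0]); close(out[1]); close(err[0]); close(err[1]);
        noisy_child();
    }
    close(out[1]); close(err[1]);        /* parent keeps only the read ends */
    struct pollfd fds[2] = {{.fd = out[0], .events = POLLIN},
                            {.fd = err[0], .events = POLLIN}};
    while (open_fds > 0 && poll(fds, 2, -1) >= 0) {
        for (int i = 0; i < 2; i++) {
            if (!fds[i].revents) continue;            /* nothing on this pipe */
            ssize_t n = read(fds[i].fd, buf, sizeof buf);
            if (n > 0) { total[i] += n; continue; }
            close(fds[i].fd); fds[i].fd = -1; open_fds--;  /* EOF or error */
        }
    }
    for (int i = 0; i < 2; i++) if (fds[i].fd >= 0) close(fds[i].fd);
    waitpid(pid, NULL, 0);
    *out_n = total[0]; *err_n = total[1];
    return open_fds == 0 ? 0 : -1;
}
```

A parent that instead read `out[0]` to EOF before touching `err[0]` would never return with this child, which is the ordering the report describes.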