-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 04.08.03: http://www.idefense.com/advisory/04.08.03.txt Denial of Service in Apache HTTP Server 2.x April 8, 2003 I. BACKGROUND The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ . II. DESCRIPTION Remote exploitation of a memory leak in the Apache HTTP Server causes the daemon to over utilize system resources on an affected system. The problem is HTTP Server's handling of large chunks of consecutive linefeed characters. The web server allocates an eighty-byte buffer for each linefeed character without specifying an upper limit for allocation. Consequently, an attacker can remotely exhaust system resources by generating many requests containing these characters. III. ANALYSIS While this type of attack is most effective in an intranet setting, remote exploitation over the Internet, while bandwidth intensive, is feasible. Remote exploitation could consume system resources on a targeted system and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has performed research using proof of concept exploit code to demonstrate the impact of this vulnerability. A successful exploitation scenario requires between two and seven megabytes of traffic exchange. IV. DETECTION Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are vulnerable; all 2.x versions up to and including 2.0.44 are most likely vulnerable as well. V. VENDOR FIX/RESPONSE Apache HTTP Server 2.0.45, which fixes this vulnerability, can be downloaded at http://httpd.apache.org/download.cgi . This release introduces a limit of 100 blank lines accepted before an HTTP connection is discarded. VI. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0132 to this issue. VII. DISCLOSURE TIMELINE 01/23/2003 Issue disclosed to iDEFENSE 03/06/2003 security@apache.org contacted 03/06/2003 Response from Lars Eilebrecht 03/11/2003 Status request from iDEFENSE 03/13/2003 Response received from Mark J Cox 03/23/2003 Response received from Brian Pane 03/25/2003 iDEFENSE clients notified 04/08/2003 Coordinated Public Disclosure -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPpLkoPrkky7kqW5PEQJRiwCgoBhtjYyD+jU1vA0vLxjRkG5jkegAoInD m1CYmfbbDhbwcI07LIH5aNVt =dYlg -----END PGP SIGNATURE----- To stop receiving iDEFENSE Security Advisories, reply to this message and put "unsubscribe" in the subject.