Received: (qmail 59239 invoked by uid 501); 5 Apr 2001 09:08:32 -0000 Message-Id: <20010405090832.59238.qmail@apache.org> Date: 5 Apr 2001 09:08:32 -0000 From: kaino Reply-To: kaino3@genie.it To: submit@bugz.apache.org Subject: Apache Win32 8192 string bug X-Send-Pr-Version: 3.110 >Number: 7522 >Category: os-windows >Synopsis: Apache Win32 8192 string bug >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu Apr 05 02:10:01 PDT 2001 >Closed-Date: Wed May 30 08:00:41 PDT 2001 >Last-Modified: Wed May 30 08:00:41 PDT 2001 >Originator: kaino3@genie.it >Release: All prior to 1.3.20 >Organization: >Environment: Windows 9x/NT/2000 >Description: I have found a little bug in all the versions of Apache WebServer for Win32. The bug consist in sending a string of 8192 chars: command string 0d 0a. The string is 8190 byte long, the last 2 byte are the return code (0d 0a) If anyone send this string, Apache give an error at the administrator, and leave the connection alive in idle until the administrator close the crash windows that appear. And if we add 100 other 8192 chars string (for example Accept: (8182 of "A")), the range of memory occupied by the crash is more. In Windows 98 if someone send 2 or more strings from different connection, we have only a crash, but all the connections in idel; instead in Win NT/2000 we have all the crashes and all the connections in idle. I think that someone can use this bug in 2 or more methods: 1) Insert a shellcode in the string because the string is write in memory 2) Open a lot of connection with the 8192 chars string for saturate all resources I hope that you want to answer me for confirm or not my report, or for other explanations. Thanks >How-To-Repeat: 1) GET (8184 of "/") / 2) HEAD /(8182 of "A") / 3) GET (8184 of "/") / for 100 times: Accept: (8182 of "/") 4) All your fantasy! >Fix: I dont'know >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: wrowe State-Changed-When: Wed May 30 08:00:39 PDT 2001 State-Changed-Why: Affected OS2 and Win32, this denial-of-service exploit was closed in Apache release 1.3.20. In the case of an extremely long uri, a deeply embedded parser properly discarded the request, returning the NULL pointer, and the next higher-level parser was not prepared for that contigency. Note further that accessing the NULL pointer created an exception caught by the OS, causing the apache process to be immediately terminated. While this exposes a denial-of-service attack, it does not pose an opportunity for any server exploits or data vulnerability. Thank you for your report and discovery, next time please direct such reports to security@apache.org before using a public forum such as bugs.apache.org, so we have the chance to close the exploit and make a patch available before a vulnerability is widely dissemenated. Release-Changed-From-To: ALL!!!-All prior to 1.3.20 Release-Changed-By: wrowe Release-Changed-When: Wed May 30 08:00:39 PDT 2001 Severity-Changed-From-To: serious-critical Severity-Changed-By: wrowe Severity-Changed-When: Wed May 30 08:00:39 PDT 2001 >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]