----- Original Message -----
From: "iDEFENSE Labs" <labs@idefense.com>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, April 08, 2003 8:44 AM
Subject: iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 04.08.03:
> http://www.idefense.com/advisory/04.08.03.txt
> Denial of Service in Apache HTTP Server 2.x
> April 8, 2003
>
> I. BACKGROUND
>
> The Apache Software Foundation's HTTP Server Project is an effort to
> develop and maintain an open-source web server for modern operating
> systems including Unix and Microsoft Corp.'s Windows. More information is
> available at http://httpd.apache.org/ .
>
> II. DESCRIPTION
>
> Remote exploitation of a memory leak in the Apache HTTP Server causes the
> daemon to over utilize system resources on an affected system. The problem
> is HTTP Server's handling of large chunks of consecutive linefeed
> characters. The web server allocates an eighty-byte buffer for each
> linefeed character without specifying an upper limit for allocation.
> Consequently, an attacker can remotely exhaust system resources by
> generating many requests containing these characters.
>
> III. ANALYSIS
>
> While this type of attack is most effective in an intranet setting, remote
> exploitation over the Internet, while bandwidth intensive, is feasible.
> Remote exploitation could consume system resources on a targeted system
> and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has
> performed research using proof of concept exploit code to demonstrate the
> impact of this vulnerability. A successful exploitation scenario requires
> between two and seven megabytes of traffic exchange.
>
> IV. DETECTION
>
> Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
> vulnerable; all 2.x versions up to and including 2.0.44 are most likely
> vulnerable as well.
>
> V. VENDOR FIX/RESPONSE
>
> Apache HTTP Server 2.0.45, which fixes this vulnerability, can be
> downloaded at http://httpd.apache.org/download.cgi . This release
> introduces a limit of 100 blank lines accepted before an HTTP connection
> is discarded.
>
> VI. CVE INFORMATION
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
> assigned the identification number CAN-2003-0132 to this issue.
>
> VII. DISCLOSURE TIMELINE
>
> 01/23/2003  Issue disclosed to iDEFENSE
> 03/06/2003  security@apache.org contacted
> 03/06/2003  Response from Lars Eilebrecht
> 03/11/2003  Status request from iDEFENSE
> 03/13/2003  Response received from Mark J Cox
> 03/23/2003  Response received from Brian Pane
> 03/25/2003  iDEFENSE clients notified
> 04/08/2003  Coordinated Public Disclosure
>
>
> Get paid for security research
> http://www.idefense.com/contributor.html
>
> Subscribe to iDEFENSE Advisories:
> send email to listserv@idefense.com, subject line: "subscribe"
>
>
> About iDEFENSE:
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world - from technical
> vulnerabilities and hacker profiling to the global spread of viruses
> and other malicious code. Our security intelligence services provide
> decision-makers, frontline security professionals and network
> administrators with timely access to actionable intelligence
> and decision support on cyber-related threats. For more information,
> visit http://www.idefense.com .
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPpL7k/rkky7kqW5PEQKSEQCfbqX0EJWYTE1oqFUwpBqGWiFI5esAoMZI
> P/F2T7UtpHxj1aaJqnJzSyFa
> =1dI8
> -----END PGP SIGNATURE-----
>
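
The mitigation described in section V of the advisory, sketched as an added example (not code from the advisory or from Apache httpd): a reader that skips blank lines before a request with fixed per-connection state and discards the connection after 100 of them. The names `skip_blank_lines`, `struct blank_scan` and the `SCAN_*` values are hypothetical, and treating a bare CR as malformed is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLANK_LINES 100   /* limit the advisory gives for 2.0.45 */

enum scan_result { SCAN_REQUEST_FOUND, SCAN_NEED_MORE, SCAN_DISCARD };

/* Fixed-size per-connection state: nothing is allocated per linefeed. */
struct blank_scan {
    unsigned blank_lines;   /* blank lines seen so far on this connection */
    int pending_cr;         /* a CR was seen and its LF has not arrived yet */
};

/* Skip blank lines (LF or CRLF) at the start of a request, one received
 * chunk at a time. On SCAN_REQUEST_FOUND, *consumed is the offset of the
 * first byte of the request line within buf. */
enum scan_result skip_blank_lines(struct blank_scan *st, const char *buf,
                                  size_t len, size_t *consumed)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            st->pending_cr = 0;
            if (++st->blank_lines > MAX_BLANK_LINES)
                return SCAN_DISCARD;          /* drop the connection */
        } else if (buf[i] == '\r' && !st->pending_cr) {
            st->pending_cr = 1;
        } else if (st->pending_cr) {
            return SCAN_DISCARD;              /* assumption: bare CR is malformed */
        } else {
            *consumed = i;
            return SCAN_REQUEST_FOUND;
        }
    }
    *consumed = len;
    return SCAN_NEED_MORE;                    /* only blank lines so far */
}

int main(void)
{
    /* Constructed input: 101 bare linefeeds, one more than the limit. */
    char flood[101];
    struct blank_scan st = {0, 0};
    size_t used = 0;
    memset(flood, '\n', sizeof flood);
    printf("flood -> %d\n", skip_blank_lines(&st, flood, sizeof flood, &used));
    return 0;
}
```

Because the counter lives in the connection state, the limit holds even when the blank lines arrive spread across many small reads.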