Vulnerability: httpd (Apache)
Affected: Apache WebServer for Win32

Description:
Luigi Auriemma found a small bug in some versions of Apache WebServer for Win32. He tested 1.3.14 and 1.3.15 (default installation) on Windows 98SE and Windows 2000 SP1, and both are vulnerable. He also tested Apache 1.3.9 with ApacheJServ/1.0, where the bug did not trigger (Access Forbidden); that build probably requires a string of a somewhat different length.

The bug consists in sending an 8192-character string: (HTTP command) <space> string 0d 0a. The string is 8190 bytes long; the last 2 bytes are the line terminator (0d 0a). When anyone sends this string, Apache raises an error dialog for the administrator and leaves the connection alive and idle until the administrator closes the crash window that appears. If 100 further 8192-character strings are added (for example Accept: followed by 8182 "A"s), the string occupies a larger range of memory. On Windows 98, if someone sends 2 or more strings from different connections, there is only one crash but all the connections are left idle; on Windows NT/2000 every string produces a crash and all the connections are left idle.

It is believed that this bug could be used in 2 or more ways:
1) Insert shellcode in the string
2) Open a large number of connections with the 8192-character string to saturate all resources

Some examples:
1) GET (8184 of "/") /
2) HEAD /(8182 of "A") /
3) GET (8184 of "/") / followed, 100 times, by: Accept: (8182 of "/")
4) GET (8177 of "/") HTTP/1.0
5) All your fantasy!

Apache does not record the attacker's request in the log files (neither the access log nor the error log reports the string, the error, or any other information about the event). This is very useful for an attacker who wants to run remote commands or open idle connections without the danger of being logged.

Solution: Nothing yet.
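Because the server itself writes nothing to its logs, detection has to happen in front of it. As an added defensive example (not part of the original advisory), the following Python function inspects the head of a raw HTTP/1.x request and flags request or header lines at or above the 8190-byte trigger length described above, so a reverse proxy or capture-based monitor can record what Apache does not; the `LINE_LIMIT` value, the `inspect_request` name and the sample requests are assumptions constructed for this example.

```python
"""Flag oversized HTTP request and header lines before they reach Apache."""
from dataclasses import dataclass, field

# The advisory's trigger is a line of 8190 bytes followed by CR LF
# (8192 bytes on the wire). Assumed threshold for this example.
LINE_LIMIT = 8190


@dataclass
class Finding:
    oversized_request_line: bool = False
    oversized_headers: int = 0
    malformed_request_line: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return (self.oversized_request_line
                or self.oversized_headers > 0
                or self.malformed_request_line)


def inspect_request(raw: bytes, limit: int = LINE_LIMIT) -> Finding:
    """Inspect a raw HTTP/1.x request head (bytes up to the blank line).

    Only CR LF line endings are considered, matching the advisory's 0d 0a.
    """
    f = Finding()
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]

    if len(request_line) >= limit:
        f.oversized_request_line = True
        f.reasons.append(f"request line is {len(request_line)} bytes (>= {limit})")

    # Accept "METHOD target" (HTTP/0.9 simple request) or
    # "METHOD target HTTP/x.y"; anything else (e.g. a trailing "/" in place
    # of the version, as in the advisory's examples 1-3) is malformed.
    parts = request_line.split(b" ")
    if not (len(parts) == 2 or
            (len(parts) == 3 and parts[2].startswith(b"HTTP/"))):
        f.malformed_request_line = True
        f.reasons.append("request line is not 'METHOD target [HTTP/x.y]'")

    f.oversized_headers = sum(1 for h in headers if len(h) >= limit)
    if f.oversized_headers:
        f.reasons.append(f"{f.oversized_headers} header line(s) >= {limit} bytes")
    return f
```

A proxy that logs `Finding.reasons` together with the client address preserves the evidence the advisory says Apache discards.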