Public Vulnerability Reports

Denial of Service in Apache HTTP Server 2.x

04.08.03

BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ .

DESCRIPTION

Remote exploitation of a memory leak in the Apache HTTP Server causes the daemon to over utilize system resources on an affected system. The problem is HTTP Server's handling of large chunks of consecutive linefeed characters. The web server allocates an eighty-byte buffer for each linefeed character without specifying an upper limit for allocation. Consequently, an attacker can remotely exhaust system resources by
generating many requests containing these characters.

ANALYSIS

While this type of attack is most effective in an intranet setting, remote exploitation over the Internet, while bandwidth intensive, is feasible. Remote exploitation could consume system resources on a targeted system and, in turn, render the Apache HTTP daemon unavailable. iDEFENSE has performed research using proof of concept exploit code to demonstrate the impact of this vulnerability. A successful exploitation scenario requires
between two and seven megabytes of traffic exchange.

DETECTION

Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are
vulnerable; all 2.x versions up to and including 2.0.44 are most likely vulnerable as well.

VENDOR RESPONSE

Apache HTTP Server 2.0.45, which fixes this vulnerability, can be downloaded at http://httpd.apache.org/download.cgi . This release introduces a limit of 100 blank lines accepted before an HTTP connection is discarded.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0132 to this issue.

DISCLOSURE TIMELINE

01/23/2003 Issue disclosed to iDEFENSE
03/06/2003 security@apache.org contacted
03/06/2003 Response from Lars Eilebrecht
03/11/2003 Status request from iDEFENSE
03/13/2003 Response received from Mark J Cox
03/23/2003 Response received from Brian Pane
03/25/2003 iDEFENSE clients notified
04/08/2003 Coordinated Public Disclosure