https://issues.apache.org/bugzilla/show_bug.cgi?id=47417
Summary: Apache Web Server 2.2.11 Incomplete HTTP Header Resource Exhaustion Vulnerability
Product: Apache httpd-2
Version: 2.2.11
Platform: All
URL: http://isc.sans.org/diary.html?storyid=6601
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Core
AssignedTo: [email protected]
ReportedBy: [email protected]
This alleged vulnerability was reported to us by our internal security group.
Apparently, all versions of Apache 2.2, including the latest version 2.2.11, are
affected by a bug that can cause DoS attacks to be made very trivially.
While there are a lot of DoS tools available today, this one is particularly
interesting because it holds the connection open while sending incomplete HTTP
requests to the server.
In this case, the server will open the connection and wait for the complete
header to be received. However, the client (the DoS tool) will not send it and
will instead keep sending bogus header lines which will keep the connection
allocated.
The initial part of the HTTP request is completely legitimate:
GET / HTTP/1.1\r\n
Host: host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0;
.NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n
After sending this the client waits for a certain time; notice that it is
missing one CRLF to finish the header, which is otherwise completely legitimate.
The bogus header line the tool sends is currently:
X-a: b\r\n
This obviously doesn't mean anything to the server, so it keeps waiting for the
rest of the header to arrive.
This link at iDefense labs has the code required to run the exploit:
https://ialert.idefense.com/idcontent/2009/exploit_code/487469-Web_Server_HTTP_Header_DoS.php.txt
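The defender-side counterpart to the behaviour described in this report is a per-connection deadline on reading the request header that is only extended in proportion to bytes actually received, the approach later httpd releases take with mod_reqtimeout (not available in 2.2.11). The following is an added example, not code from the report or from httpd: it models that deadline and flags connections that keep a header open by dripping lines such as "X-a: b". The constants INITIAL, MAXIMUM and MIN_RATE, the shortened User-Agent in PARTIAL and the sample connections are constructed assumptions.

```python
"""Model of a request-header read deadline for spotting slow, incomplete headers.

A connection is judged only on bytes received before the header terminator
CRLFCRLF; its deadline starts at INITIAL seconds and is extended by one second
per MIN_RATE bytes received, never beyond MAXIMUM seconds after accept.
"""
from typing import Dict, List, Tuple

HEADER_END = b"\r\n\r\n"
INITIAL, MAXIMUM, MIN_RATE = 20.0, 40.0, 500  # assumed tunables (seconds, bytes/s)

# Constructed sample: the legitimate-looking but unterminated header from the
# report, with a shortened User-Agent (one CRLF short of a complete header).
PARTIAL = (b"GET / HTTP/1.1\r\nHost: host\r\nUser-Agent: Mozilla/4.0\r\n"
           b"Content-Length: 42\r\n")

Event = Tuple[float, bytes]  # (seconds since accept, chunk received)


def evaluate_header_read(events: List[Event], now: float,
                         initial: float = INITIAL, maximum: float = MAXIMUM,
                         min_rate: int = MIN_RATE) -> str:
    """Return 'complete', 'pending' or 'timeout' for one connection."""
    deadline, buf = initial, b""
    for t, chunk in events:
        if t > deadline:          # data arrived after the deadline had passed
            return "timeout"
        buf += chunk
        if HEADER_END in buf:     # terminator seen: header is complete
            return "complete"
        # Reward genuine progress, but cap the total wait at `maximum`.
        deadline = min(maximum, deadline + len(chunk) / min_rate)
    return "timeout" if now > deadline else "pending"


def slow_header_connections(conns: Dict[str, List[Event]], now: float) -> List[str]:
    """IDs of connections whose header read timed out (candidates to drop or alert on)."""
    return [cid for cid, ev in conns.items()
            if evaluate_header_read(ev, now) == "timeout"]


if __name__ == "__main__":
    # Constructed traffic: one normal client, one dripping "X-a: b" every 15 s.
    conns = {
        "normal": [(0.0, PARTIAL + b"\r\n")],
        "drip": [(0.0, PARTIAL)] + [(15.0 * k, b"X-a: b\r\n") for k in range(1, 4)],
    }
    print(slow_header_connections(conns, now=45.0))  # ['drip']
```

Because each dripped line adds only 8/500 s to the deadline, the 15-second cadence from the report exhausts the budget on the second drip while a client that finishes its header promptly is never affected.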