Apache Win32 8192 chars string bug

From: Auriemma Luigi (kaino3at_private)
Date: Thu Apr 12 2001 - 04:56:49 PDT

Credits: Auriemma Luigi <kaino3at_private>

I have found a little bug in some versions of Apache WebServer for Win32.
I have tested 1.3.14 and 1.3.15 (default installation) on Win98SE and Win2ksp1, and they are vulnerable; today I have tested an Apache 1.3.9 with ApacheJServ/1.0 and it doesn't work (Access Forbidden), probably it wants a somewhat longer or shorter string.
The bug consists in sending a string of 8192 chars: (http command) <space> string 0d 0a.
The string is 8190 bytes long; the last 2 bytes are the return code (0d 0a).
If anyone sends this string, Apache gives an error to the administrator and leaves the connection alive and idle until the administrator closes the crash window that appears. And if we add 100 other 8192-char strings (for example Accept: (8182 of "A")), the range of memory occupied by the strings is larger. In Windows 98, if someone sends 2 or more strings from different connections, we get only one crash, but all the connections stay idle; instead in Win NT/2000 we get all the crashes and all the connections idle. I think that someone can use this bug in 2 or more ways:

1) Insert a shellcode in the string
2) Open a lot of connections with the 8192-char string to saturate all resources

Some examples:

1) GET (8184 of "/") /

2) HEAD /(8182 of "A") /

3) GET (8184 of "/") /
   followed, 100 times, by:
   Accept: (8182 of "/")

4) GET (8177 of "/") HTTP/1.0

5) Whatever else you can imagine!


Thanks for your attention.
    
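Added example (not part of Luigi's post nor Apache's own code): a defender-side check that parses a raw HTTP/1.x header section and flags every request or header line that reaches the 8192-byte line size described above, CRLF included, so a filtering proxy or IDS in front of a vulnerable 1.3.x/Win32 server can drop such requests. The threshold constant, function names and sample requests are constructed here for illustration.

```python
# Added example: flag HTTP/1.x requests whose request line or header lines
# reach the 8192-byte size (8190 bytes + CRLF) reported in the post.
# Not Apache code; LINE_LIMIT and the sample requests are constructed.

CRLF = b"\r\n"
LINE_LIMIT = 8192  # bytes per line, CRLF included, as described in the post


def header_lines(raw: bytes):
    """Yield (index, length_with_crlf) for the request line and each header
    line. Index 0 is the request line; the body after CRLF CRLF is ignored."""
    head, _sep, _body = raw.partition(CRLF + CRLF)
    for idx, line in enumerate(head.split(CRLF)):
        if line == b"" and idx > 0:
            continue  # trailing fragment when no blank line ends the headers
        yield idx, len(line) + len(CRLF)


def oversized_lines(raw: bytes, limit: int = LINE_LIMIT) -> list:
    """Return [(line_index, length)] for every line at or above `limit`.
    Repeated oversized headers (the post's "100 times Accept:" variant)
    each produce their own entry, so the caller can see how many were sent."""
    return [(i, n) for i, n in header_lines(raw) if n >= limit]


def should_reject(raw: bytes, limit: int = LINE_LIMIT) -> bool:
    """Gate for a filtering proxy: drop the request if any line is oversized."""
    return bool(oversized_lines(raw, limit))


# Constructed samples reproducing the line lengths of the post's examples.
# Example 1: "GET " (4) + 8184 "/" + " /" (2) = 8190 bytes, + CRLF = 8192.
SAMPLE_REQUEST_LINE = b"GET " + b"/" * 8184 + b" /" + CRLF
# Example 3 variant: ordinary request line, then three 8192-byte Accept lines
# ("Accept: " is 8 bytes + 8182 "/" = 8190, + CRLF = 8192).
SAMPLE_REPEATED_HEADERS = (b"GET / HTTP/1.0" + CRLF
                           + (b"Accept: " + b"/" * 8182 + CRLF) * 3
                           + CRLF)
# A normal request that must pass untouched.
BENIGN = (b"GET /index.html HTTP/1.0" + CRLF
          + b"Host: www.example.com" + CRLF + CRLF)

if __name__ == "__main__":
    for name, req in [("request line", SAMPLE_REQUEST_LINE),
                      ("repeated headers", SAMPLE_REPEATED_HEADERS),
                      ("benign", BENIGN)]:
        verdict = "reject" if should_reject(req) else "pass"
        print(f"{name}: {oversized_lines(req)} -> {verdict}")
```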



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 04:33:44 PDT