www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kaino <kai...@genie.it>
Subject os-windows/7522: Apache Win32 8192 string bug
Date Thu, 05 Apr 2001 09:08:32 GMT

>Number:         7522
>Category:       os-windows
>Synopsis:       Apache Win32 8192 string bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Apr 05 02:10:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     kaino3@genie.it
>Release:        ALL!!!
>Organization:
apache
>Environment:
Windows 9x/NT/2000
>Description:
I have found a little bug in all the versions of Apache WebServer for Win32.
The bug consist in sending a string of 8192 chars: command <space> string 0d 0a.
The string is 8190 byte long, the last 2 byte are the return code (0d 0a)
If anyone send this string, Apache give an error at the administrator, and leave the connection
alive in idle until the administrator close the crash windows that appear. And if we add 100
other 8192 chars string (for example Accept: (8182 of "A")), the range of memory occupied
by the crash is more. In Windows 98 if someone send 2 or more strings from different connection,
we have only a crash, but all the connections in idel; instead in Win NT/2000 we have all
the crashes and all the connections in idle. I think that someone can use this bug in 2 or
more methods:

1) Insert a shellcode in the string because the string is write in memory
2) Open a lot of connection with the 8192 chars string for saturate all resources

I hope that you want to answer me for confirm or not my report, or for other explanations.
Thanks
>How-To-Repeat:
1) GET (8184 of "/") /

2) HEAD /(8182 of "A") /

3) GET (8184 of "/") /
      for 100 times:
   Accept: (8182 of "/")

4) All your fantasy!
>Fix:
I dont'know
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <apbugs@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
 
 


Mime
View raw message