From: Peter Gründl (peter.grundlDEFCOM.COM)
Date: Wed Mar 07 2001 - 09:16:16 CST

    ======================================================================
                      Defcom Labs Advisory def-2001-02

                    IBM HTTP Server Kernel Leak DoS

    Author: Peter Gründl <peter.grundldefcom.com>
    Release Date: 2001-01-08
    Re-release Date: 2001-03-07
    ======================================================================
    ------------------------=[Re-Release Reason]=-------------------------
    Because the vendor has released a patch for this vulnerability, this
    advisory has been re-released. Also, as was pointed out on Bugtraq,
    the advisory name was poorly chosen, so the advisory has been named
    more appropriately. Finally, the vulnerable versions of the IBM HTTP
    Server are now fully known, so the updated list is included in the
    advisory.

    ------------------------=[Brief Description]=-------------------------
    The Afpa cache in the IBM HTTP Server has problems handling certain
    types of URL requests. The result of such a URL is a kernel leak,
    which will eventually end up consuming all available kernel memory and
    rendering the host useless.

    ------------------------=[Affected Systems]=--------------------------
    - IBM HTTP Server 1.3.6.4 for Windows NT/2000
    - IBM HTTP Server 1.3.12 for Windows NT/2000
    - IBM HTTP Server 1.3.12.2 for Windows NT/2000

    ----------------------=[Detailed Description]=------------------------
    Sending a continuous stream of HTTP requests resulting in "bad request"
    will cause a kernel leak in Windows NT. There are many ways to trigger
    the bad request result that triggers the leak, for example:

    GET / HTTP/1.0\r\nuser-agent: 20000xnull\r\n\r\n

    ---------------------------=[Workaround]=-----------------------------
    Temporary workaround:
    Comment out the three lines beginning with "Afpa" in the httpd.conf
    file (located in the conf directory in the web server folder).

    Fix:
    Download and install the fix from
    http://www-4.ibm.com/software/webservers/httpservers/efix.html

    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 8th of
    December, 2000. A workaround was received from the vendor on the 5th
    of January, 2001. A fix was released on the 5th of March, 2001.

    Original Response:
    "This issue is caused by a problem in the AfpaCache module of the IBM
    HTTP Server. The only workaround at this time is to disable the
    AfpaCache. IBM Development is working on fixing this issue, but it is
    not yet known when a fix will be available."

    ======================================================================
                This release was brought to you by Defcom Labs

                  labsdefcom.com www.defcom.com
    ======================================================================
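
The temporary workaround in the advisory above (commenting out the lines beginning with "Afpa" in httpd.conf) can be applied and audited with a short script. This is an added example, not part of the original advisory or any vendor tooling; the function name and the sample configuration are constructed for illustration.

```python
import re

# An active (uncommented) directive whose name begins with "Afpa". Apache-style
# directive names are case-insensitive and may be indented.
AFPA_ACTIVE = re.compile(r"^[ \t]*Afpa", re.IGNORECASE)


def disable_afpa(conf_text):
    """Return (new_text, disabled) with every active Afpa* line commented out.

    Line endings (CRLF on Windows) are preserved, and lines that are already
    commented out are left alone, so a second run changes nothing more.
    """
    out, disabled = [], []
    for line in conf_text.splitlines(keepends=True):
        if AFPA_ACTIVE.match(line):
            disabled.append(line.strip())
            line = "#" + line
        out.append(line)
    return "".join(out), disabled


# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = (
    "ServerName www.example.com\r\n"
    "# Afpa directives follow\r\n"
    "AfpaEnable\r\n"
    "  AfpaCache on\r\n"
    'afpalogfile "C:/IHS/logs/afpalog" V-ECLF\r\n'
    "Port 80\r\n"
)

if __name__ == "__main__":
    patched, disabled = disable_afpa(SAMPLE_CONF)
    for directive in disabled:
        print("disabled:", directive)
    print(patched, end="")
```

An empty `disabled` list on a live httpd.conf means the workaround is already in place; the server must be restarted for a changed file to take effect.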