Apache (mod_deflate) Denial of Service Vulnerability

2009.07.12
Risk: Low
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 7.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Hi, we have received a bug report [1] that a DoS is possible with mod_deflate since it does not stop to compress large files even after the network connection has been closed. This allows to use large amounts of CPU if there is a largish (>10 MB) file available that has mod_deflate enabled. An exploit is as easy as for a in $(seq 1 100) ; do curl -H "Accept-Encoding: gzip" -is http://url.to/large/file.txt | head -1 ; done Franois Guerraz, the bug submitter, also suggested a patch: --- mod_deflate.c 2008-01-04 15:23:50.000000000 +0100 +++ mod_deflate.c.new 2009-06-26 16:50:36.000000000 +0200 @@ -691,6 +691,10 @@ continue; } + if (r->connection->aborted) { + return APR_ECONNABORTED; + } + /* read */ apr_bucket_read(e, &data, &len, APR_BLOCK_READ); This greatly reduces the problem. But even with it, quite a bit of data is compressed (maybe determined by APR_MMAP_LIMIT == 4MB?). Cheers, Stefan [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712

References:

https://rhn.redhat.com/errata/RHSA-2009-1148.html
https://bugzilla.redhat.com/show_bug.cgi?id=509125
http://www.mandriva.com/security/advisories?name=MDVSA-2009:149
http://marc.info/?l=apache-httpd-dev&m=124661528519546&w=2
http://marc.info/?l=apache-httpd-dev&m=124621326524824&w=2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top