[Snort-sigs] Anyone working on sigs for the Apache chunked encodingvulnerability?

Syzop syz at ...641...
Tue Jun 18 12:21:07 EDT 2002


Matt Kettler wrote:

> I'm wondering if anyone has a bit more information on this vulnerability so
> that we can start writing sigs for it.

If you send (for example):
GET /killapache.html HTTP/1.0
Transfer-Encoding: chunked


the child will crash.

> Currently it looks like it's a DoS against any version of Apache on any
> platform, and potentially exploitable on win32 and some 64bit platforms.

Looks like it, yes...
Jun 18 06:23:49 syzop kernel: pid 30992 (apache), uid 33 exited on signal 11 writing 0xc0000000
stack overflow, like they said.

> The available information I can find so far indicates a lot about the high
> level structure of the problem, but so far (somewhat wisely) does not give
> much exploit detail. Unfortunately lack of such detail makes signature
> writing near impossible at this point, so I'm wondering if anyone has
> stumbled across more information than I have.

   Bram Matthys (Syzop).

More information about the Snort-sigs mailing list