Apache/Tomcat Denial of Service and Information Leakage Vulnerability
5 Dec. 2002
Summary
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for operating systems including UNIX and Windows NT. Apache has been the most popular web server on the Internet for the last 5 years.
The Jakarta Project creates and maintains open source solutions on the Java platform for distribution to the public at no charge. Tomcat 4 is the official Reference Implementation of the Servlet 2.3 and JavaServer Pages 1.2 technologies.
Mod_jk is an apache module which allows apache to deliver web requests transparently to the tomcat engine. It supports several protocols, in particular the Apache Jserv Protocol 1.3 (AJP13).
When these components are combined there exists an inconsistency in the communication protocols implemented by mod_jk which allows a malicious user to desynchronize Apache-Tomcat communications and render the Tomcat service useless until the operator can intervene. The nature of the desynchronization may also result in information leakage which may be used to collect private data from legitimate users of the site.
Credit:
The information has been provided by Qualys Security.
Vulnerable systems:
* mod_jk 1.2 using Apache Jserv Protocol 1.3
* Apache 1.3.x
* Tomcat 4.x Server
A client may connect to the target machine and deliver several requests with an invalid chunked encoded body e.g.
GET /index.jsp HTTP/1.1
Host: victim.com
Transfer-Encoding: Chunked
53636f7474
The request path is not relevant, after several requests like this are made the server becomes desynchronized and other users of the site will begin to see responses mixed between users. The site responses get desynchronized with the requests and the server becomes useless until either apache or tomcat are restarted.
The reason this happens is that mod_jk misinterprets the chunked request, after sending the request to Tomcat via AJP13 it immediately sends a second zero length AJP13 packet (4 bytes - magic number + zero size). The tomcat server receives the first request and sends the response back over the connection. Upon receiving the second zero size packet it repeats the query, and again sends a second response back to mod_jk.
Mod_jk is only expecting one valid response, so it pulls it off the wire and leaves the second response untouched. The next request which is sent over this connection (valid or invalid) will generate another response, however mod_jk pulls the old duplicate response off the wire and sends this back to the requesting agent. Essentially this desynchronizes the queries and responses leaving the communication channel useless, furthermore, repeated requests will eventually fill up the network buffers resulting in the requests blocking and the server completely failing to respond.
Mod_jk uses a pool of workers so a full scale denial of service would require desynchronizing all of the workers using multiple requests. The Number of requests required to block a worker completely will depend on the size of the response and the network buffers.
The potential for information leakage is great but the risk is mitigated somewhat by the unpredictability of the query-response desynchronisation. Depending on the target site this may be somewhat exploitable by a malicious user to redirect other users to a specific response by saturating the communication channels with a desired response.
