mod_jk sends bad packet when method unknown
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libapache-mod-jk (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Distribution: Ubuntu 7.04 on x86_64
Package: libapache2-mod-jk 1:1.2.18-3ubuntu1.1
Steps to reproduce:
1) Instantiate Jetty 6.1.7 with this simple Java program:
public static void main(String[] args) throws Exception {
Server server = new Server();
Connector connector = new Ajp13SocketConn
}
(You need Jetty, jetty util, jetty ajp and the servlet API in the classpath.)
2) Attach a debugger to Jetty's Ajp13Parser class and set a break point to the line that reads _handler.
3) Use mod_jk from Ubuntu 7.04 to make Apache delegate a URI to the Jetty process via AJP13.
4) Telnet to your Apache.
5) Type:
FOO /url-that-
Host: appropriate-
6) Observe the AJP13 packet that Jetty receives from mod_jk.
(I suppose alternatively this could be observed without Jetty using netcat or similar.)
Actual results:
The byte that communicates the HTTP verb has the value 0xFF. This value is not part of the documented protocol:
http://
Moreover, it appears that this isn't a legitimate AJP13 extension, either, because the string "FOO" is not present in the packet.
If you step further in the debugger, Jetty will experience a null pointer, because it trusts that it gets only correct AJP13 packets from a trusted party. (I've reported this to Jetty developers.)
If Jetty is used as part of a larger application, this may put the application is a state that causes the app no longer to work causing denial of service. (I'm seeing this loss of subsequent functionality issue in a big app but I'm unable to produce a minimized test case. Anyway, since this is a real DoS vector for an actual service I maintain, I'm marking this as a security issue.)
It is semi-reasonable for AJP13 recipients to trust that they only get valid packets, because AJP13 is supposed to be used only between trusted parties.
Expected results:
Expected mod_jk to respond with 501 Not Implemented when it receives an HTTP method that it cannot map to a legal AJP13 value.
Additional info:
I expect that this has been fixed upstream--perhaps even in Gutsy, but I am unable to verify.
Changed in libapache-mod-jk: | |
status: | New → Confirmed |
Attaching a full .java file I used for bootstrapping a minimal AJP13 recipient for attaching a debugger to.