HTTP: Apache-nosejob.c Attempt
This signature detects attempts to exploit a known vulnerability in Apache Web servers. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. Attackers can send chunked encoded requests with the unique Host header value "Apache-nosejob.c." in the GET request to create a buffer overflow and execute arbitrary code.
Extended Description
When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is believed to be due to improper (signed) interpretation of an unsigned integer value. Consequently, several conditions that have security implications may occur. Reportedly, a buffer overrun and signal race condition occur. Exploiting these conditions may allow arbitrary code to run. **Update**: Reportedly, at least one worm is exploiting this vulnerability to propagate in the wild. The worm targets FreeBSD 4.5 systems running Apache 1.3.22-24 and 1.3.20. Other versions may also be affected.
Affected Products
Oracle oracle_http_server
Short Name
HTTP:APACHE:NOSEJOB
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Apache-nosejob.c Attempt CVE-2002-0392 bid:5033
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3339
False Positive
Unknown
Vendors
Apache_software_foundation
Red_hat
Ibm
Hp
Macromedia
Oracle
CVSS Score
7.5