Bugtraq mailing list archives

Re: YA Apache DoS attack


From: ben () ALGROUP CO UK (Ben Laurie)
Date: Sat, 8 Aug 1998 00:04:21 +0100


Dag-Erling Coidan Smørgrav wrote:
> I know that there are many trivial ways of overloading a web server
> (e.g. opening tons of connections to eat up file descriptors and
> process slots), but this one seemed a little extreme, to say the
> least.

This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.

> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> on 1.3.1. However, there is no mention of this bug in the change log
> for 1.3.1, so I'll assume it's vulnerable.
>
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...

security () apache org

> Here's the 'sploit for the script kiddies. It should compile cleanly
> and work on most Unices. These are the ones I've tested it on:

And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
soon. This (untested) patch should prevent the worst effects. A similar patch
should work for 1.2.x.

Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c     1998/08/06 17:30:30     1.229
+++ http_protocol.c     1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;

     /*
      * Read header lines until we get the empty separator line, a read error,
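Review bot: the new counter "int nheaders=0;" has no comment saying what it counts or why it exists, and a reader of this declaration block alone cannot tell it is a DoS guard. Suggest "int nheaders = 0;  /* header lines seen so far, capped below */", which also adds the spaces around "=" that the neighbouring "char *copy = ap_palloc(...)" assignment uses.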
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);

+        if(++nheaders == 100) {
+           r->status = HTTP_BAD_REQUEST;
+           return;
+       }
+
         if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
             r->status = HTTP_BAD_REQUEST;       /* or abort the bad request */
             return;
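Review bot: the cap in "if(++nheaders == 100)" is a bare literal, and the rejection sets the same HTTP_BAD_REQUEST as the missing-colon case just below it, so nothing distinguishes "too many headers" from a malformed header. Suggest a named constant for the limit and a log entry on this path. Note that with pre-increment and "==" the 100th header line is the one rejected, so 99 are accepted; a comment should state which bound is intended. The check also sits after ap_palloc() and memcpy(), so the line that trips the limit is still copied into the pool before being thrown away; moving the test above the allocation avoids that. Style: "if(" lacks the space used in the following "if (!(value = ...", and the closing brace is not aligned with its "if".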

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben () algroup co uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/


