Bugtraq mailing list archives
Re: YA Apache DoS attack
From: ben () ALGROUP CO UK (Ben Laurie)
Date: Sat, 8 Aug 1998 00:04:21 +0100
Dag-Erling Coidan Smørgrav wrote:
> I know that there are many trivial ways of overloading a web server (e.g. opening tons of connections to eat up file descriptors and process slots), but this one seemed a little extreme, to say the least.
This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.
> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not on 1.3.1. However, there is no mention of this bug in the change log for 1.3.1, so I'll assume it's vulnerable. BTW, how can the Apache team be stupid enough not to provide a way of submitting problem reports by email? If they did, I'd've sent this to them first and given them a week, but they don't and I'm too friggin' lazy to use their web interface...
security () apache org
> Here's the 'sploit for the script kiddies. It should compile cleanly and work on most Unices. These are the ones I've tested it on:
And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better soon. This (untested) patch should prevent the worst effects. A similar patch should work for 1.2.x. Index: http_protocol.c =================================================================== RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.229 diff -u -r1.229 http_protocol.c --- http_protocol.c 1998/08/06 17:30:30 1.229 +++ http_protocol.c 1998/08/07 23:02:56 @@ -714,6 +714,7 @@ int len; char *value; char field[MAX_STRING_LEN]; + int nheaders=0; /* * Read header lines until we get the empty separator line, a read error, @@ -723,6 +724,11 @@ char *copy = ap_palloc(r->pool, len + 1); memcpy(copy, field, len + 1); + if(++nheaders == 100) { + r->status = HTTP_BAD_REQUEST; + return; + } + if (!(value = strchr(copy, ':'))) { /* Find the colon separator */ r->status = HTTP_BAD_REQUEST; /* or abort the bad request */ return; Cheers, Ben. -- Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: ben () algroup co uk | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/ London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/ WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
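Review bot: The limit in the second hunk, `if(++nheaders == 100)`, is a bare literal, and because the counter is pre-incremented and compared with `==`, the request is refused on its 100th header line, so at most 99 header lines are accepted. A named constant (or a configurable limit) with the intended bound stated in a comment would make that explicit. The test also sits after the `ap_palloc`/`memcpy` of the line, so the header that trips the limit is still copied into the request pool; moving the test above the allocation avoids that. The early return sets `HTTP_BAD_REQUEST` with no log entry, which leaves an operator no trace of why a request was refused, and `if(` departs from the `if (` spacing on the context line that follows.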