Nmap Development mailing list archives
Apache killer (was: [NSE] New script and email update patch)
From: Henri Doreau <henri.doreau () greenbone net>
Date: Fri, 26 Aug 2011 10:55:18 +0200
2011/8/21 Duarte Silva <duarte.silva () serializing me>:
Hi,

I have a new script and need some feedback. It's based on a pretty recent Full-Disclosure thread [1], from the script description:

Verifies if a host running Apache HTTP server might be vulnerable to a memory exhaustion based DoS. The script sends a HEAD request that only accepts gzip encoding, triggering the Apache mod_gzip/mod_deflate module. If the server responds with a 206 status code, then it is highly probable that the server is vulnerable.
Hi,

after my previous comments about the style[1] I would like to discuss ways to detect this vulnerability.

As it is currently, your script reports every server accepting the range request as being (likely) vulnerable. This leads to many false positives. The fix[2] for this vulnerability limits the number of ranges that can be requested to a maximum of 10. I would therefore recommend the following test, in two steps:

1. Request a single range like 1-100 and see whether the server returns a 206 or not.
2. Request 11 ranges, like "Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10". Code 200 in the reply means that the target is not affected, 206 means that it is.

This method was found by Michael Meyer and Veerendra G.G for the OpenVAS project, and appears to be a safe and reliable way to detect the vulnerability. Could you try to implement it in your script?

Regards.

[1] http://seclists.org/nmap-dev/2011/q3/645
[2] http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3CCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g () mail gmail com%3E

--
Henri
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
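The two-step probe Henri proposes, worked through as an added Python example. This is not code from the thread, from Duarte's NSE script, or from OpenVAS: it sends the HEAD request with "Accept-Encoding: gzip" from Duarte's script description, first with the single range "bytes=1-100" and, only if that yields 206, with the eleven ranges quoted in the mail, and maps the two status codes onto a verdict. The three servers started by start_mock()/demo() are constructed stand-ins (not Apache) whose only purpose is to let the probe run offline: one honours any number of ranges, one caps them at 10 and answers 200 above that, one ignores Range altogether. The verdict labels and the 10-range cap in the mock are assumptions taken from the mail, not from the Apache patch itself.

```python
"""Two-step Range-header probe for the Apache memory-exhaustion DoS.

Step 1: one range (bytes=1-100)      -> 206 means the server honours Range.
Step 2: eleven ranges (0-0 ... 10-10) -> 200 means the 10-range limit from the
        fix is in place, 206 means ranges are still honoured (likely vulnerable).

The servers started by start_mock()/demo() are constructed stand-ins for
Apache so that the probe can be exercised offline; they are not Apache.
"""
import http.client
import http.server
import socketserver
import threading

SINGLE_RANGE = "bytes=1-100"
# "bytes=0-0,1-1,...,10-10": one more than the fixed server's limit of 10
ELEVEN_RANGES = "bytes=" + ",".join(f"{i}-{i}" for i in range(11))


def head_status(host, port, range_header=None, path="/", timeout=5.0):
    """Send one HEAD request (gzip only, optional Range) and return the status code."""
    headers = {"Accept-Encoding": "gzip"}
    if range_header is not None:
        headers["Range"] = range_header
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def classify(single_status, multi_status):
    """Map the two status codes onto a verdict (pure function, easy to unit test)."""
    if single_status != 206:
        return "no range support"          # step 1: ranges are ignored, not affected
    if multi_status == 206:
        return "vulnerable"                # step 2: 11 ranges still honoured
    if multi_status == 200:
        return "patched"                   # step 2: ranges capped, body served whole
    return "inconclusive (%s)" % multi_status


def check_range_dos(host, port):
    """Run both steps against host:port; the second request is skipped when
    the first already shows that Range is not honoured."""
    single = head_status(host, port, SINGLE_RANGE)
    if single != 206:
        return classify(single, None)
    return classify(single, head_status(host, port, ELEVEN_RANGES))


class _MockApache(http.server.BaseHTTPRequestHandler):
    """Constructed test double. max_ranges=None: honours any number of ranges
    (unpatched); N: answers 200 above N ranges (patched); 0: ignores Range."""
    max_ranges = None

    def do_HEAD(self):
        spec = self.headers.get("Range", "")
        n = len(spec[len("bytes="):].split(",")) if spec.startswith("bytes=") else 0
        capped = self.max_ranges is not None and n > self.max_ranges
        self.send_response(200 if n == 0 or capped else 206)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_mock(max_ranges):
    """Serve _MockApache on an ephemeral loopback port; returns (server, port)."""
    handler = type("Handler", (_MockApache,), {"max_ranges": max_ranges})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe the three constructed servers and return {label: verdict}."""
    results = {}
    for label, limit in (("unpatched", None), ("patched", 10), ("no-range", 0)):
        srv, port = start_mock(limit)
        try:
            results[label] = check_range_dos("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(ELEVEN_RANGES)
    for label, verdict in demo().items():
        print(f"{label:10s} -> {verdict}")
```

Against a real host, call check_range_dos(host, 80) directly; the eleven one-byte ranges are far below anything a server would struggle with, which is what makes this a detection rather than a demonstration of the DoS. Anything other than 200 or 206 on the second request (a 416, or a proxy answering in front of the origin) is reported as inconclusive rather than guessed at.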
Current thread:
- Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 26)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 26)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) David Fifield (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Fyodor (Sep 07)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 26)