Nmap Development mailing list archives
Re: Apache killer (was: [NSE] New script and email update patch)
From: Duarte Silva <duarte.silva () serializing me>
Date: Mon, 29 Aug 2011 11:08:15 +0100
Good morning,

new version implementing Henri Doreau's suggestions in the attachments.

Regards,
Duarte Silva

On Friday 26 August 2011 12:44:17 Duarte Silva wrote:
> Hi,
>
> I was expecting a long term fix from upstream to compare behaviours between vulnerable servers and not vulnerable servers. Even so, I will give your suggestions a go during the weekend (I will also be checking the apache-dev mailing list).
>
> Thanks,
> Duarte Silva
>
> On Friday 26 August 2011 09:55:18 Henri Doreau wrote:
> > 2011/8/21 Duarte Silva <duarte.silva () serializing me>:
> > > Hi,
> > >
> > > I have a new script and need some feedback. It's based on a pretty recent Full-Disclosure thread [1], from the script description:
> > >
> > > Verifies if a host running Apache HTTP server might be vulnerable to a memory exhaustion based DoS. The script sends a HEAD request that only accepts gzip encoding, triggering the Apache mod_gzip/mod_deflate module. If the server responds with a 206 status code, then it is highly probable that the server is vulnerable.
> >
> > Hi,
> >
> > after my previous comments about the style[1] I would like to discuss ways to detect this vulnerability. As it is currently, your script reports every server accepting the range request as being (likely) vulnerable. This leads to many false positives.
> >
> > The fix[1] for this vulnerability limits the number of ranges that can be requested to a maximum of 10. I would therefore recommend the following test, in two steps:
> >
> > 1. Request a single range like 1-100 and see whether the server returns a 206 or not.
> > 2. Request 11 ranges, like "Range: bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10". Code 200 in the reply means that the target is not affected, 206 means that it is.
> >
> > This method was found by Michael Meyer and Veerendra G.G for the OpenVAS project, and appears to be a safe and reliable way to detect the vulnerability. Could you try to implement it in your script?
> >
> > Regards.
> >
> > [1] http://seclists.org/nmap-dev/2011/q3/645
> > [2] http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3CCAAPSnn 2 PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g () mail gmail com%3E
Attachment: http-vuln-cve2011-3192.nse
Attachment: smime.p7s
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
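The two-step Range probe that Henri proposes in the quoted message, written out as an added Python example. This is not the http-vuln-cve2011-3192.nse script attached to this thread nor any Nmap code; it uses HEAD requests with a plain `Range` header, as the rule only depends on the status codes. The script file name, the verdict labels, the command-line arguments and the "inconclusive" branch for status codes the rule does not mention are assumptions of this example.

```python
"""Two-step Range-header probe for the Apache byte-range DoS (CVE-2011-3192).

Added example, not the NSE script from the thread: implements the rule
"single range -> 206, eleven ranges -> 206 means affected, 200 means not"
as plain Python so the classification can be exercised offline.
"""
import http.client
import sys

# Step 1: one range. A server that honours Range answers 206 Partial Content.
SINGLE_RANGE = "bytes=1-100"

# Step 2: eleven ranges, one more than the cap of 10 discussed in the thread:
# "bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
ELEVEN_RANGES = "bytes=" + ",".join(f"{i}-{i}" for i in range(11))


def classify(status_single, status_eleven):
    """Apply the rule from the thread to the two HEAD status codes.

    Verdict labels are this example's own:
      "no_range_support"  - step 1 did not yield 206, so the test does not apply
      "likely_vulnerable" - 206 for eleven ranges: the number of ranges is not capped
      "not_vulnerable"    - 200 for eleven ranges: the Range header was ignored
      "inconclusive"      - any other answer to step 2 (e.g. 416 or 400), which the
                            rule in the thread does not cover (assumption)
    """
    if status_single != 206:
        return "no_range_support"
    if status_eleven == 206:
        return "likely_vulnerable"
    if status_eleven == 200:
        return "not_vulnerable"
    return "inconclusive"


def head_status(host, port, path, range_value, use_tls=False, timeout=10):
    """Send one HEAD request carrying the given Range header; return the status code.

    HEAD means no body is transferred, and eleven ranges is far below the
    hundreds or thousands an actual attack sends, so the probe is not a DoS.
    http.client adds the Host header itself.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Range": range_value, "Connection": "close"})
        return conn.getresponse().status
    finally:
        conn.close()


def check_host(host, port=80, path="/", use_tls=False):
    """Run both steps against a live host; return (verdict, status_1, status_2)."""
    s1 = head_status(host, port, path, SINGLE_RANGE, use_tls)
    if s1 != 206:
        # Step 2 is skipped when the server does not serve ranges at all.
        return classify(s1, None), s1, None
    s2 = head_status(host, port, path, ELEVEN_RANGES, use_tls)
    return classify(s1, s2), s1, s2


if __name__ == "__main__":
    # Usage (assumed file name): python3 range_probe.py <host> [port] [path]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
    verdict, s1, s2 = check_host(target, target_port, target_path)
    print(f"{target}:{target_port}{target_path} -> {verdict} "
          f"(single range: {s1}, eleven ranges: {s2})")
```

Only a 206 in step 1 followed by 206 or 200 in step 2 yields a verdict; a non-206 in step 1 says nothing about the server's patch level, only that this URL was not served with ranges, so probe a static file before drawing conclusions. Answers such as 416 or 400 to the eleven-range request are reported as inconclusive rather than forced into either bucket, since the rule in the thread does not cover them.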
Current thread:
- Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 26)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 26)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) David Fifield (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Henri Doreau (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Fyodor (Sep 07)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 29)
- Re: Apache killer (was: [NSE] New script and email update patch) Duarte Silva (Aug 26)