Full Disclosure mailing list archives

Re: Apache Killer


From: "-= Glowing Sex =-" <doomxd () gmail com>
Date: Thu, 25 Aug 2011 06:25:51 +1000

oops, did it again... forgot to cc the list :s


On 25 August 2011 06:25, -= Glowing Sex =- <doomxd () gmail com> wrote:

Very nice stuff!
I think kcope did grab the idea from something you actually mentioned once,
Davide, lol, a reference to a website I think, and mentioning the byte range.
I played a bit with this, changed the request of 0- to more like this,

root@craked:~# perl killapache.pl www.***.com
IO::Socket::INET=GLOB(0x22016f8) HEAD / HTTP/1.1
Host: www.***.com
Range:bytes=0-
Accept-Encoding: gzip
Connection: close
^C

This, when I added the If-Range, was less successful so I removed that, and
changed the 0- section to one which includes -doc_size; this produced a
difference... and oh, I did also make it print "$sock $p"; for a little to
watch the header sending... a lot of the time it was not adding on the $p, it
stopped at 0-.
Interesting anyhow to play with the advisory/patch and exploit.. it
produces some wicked results on many httpds. I mean instant death to nearly
all of FreeBSD v8 which I have seen now...
Anyhow, I hope we don't see another one like this, I really blame Apache for
this, and won't ever hold an exploit coder to things which are readable on
some pages of Apache, and just do not get brought to the fore; it is
expected that everyone knows how to update to dev, which unfortunately is not
going to happen :P.
anyhow, cheers for all the input on this, the patches for it work, and it
is much nicer without any apache d0s :)
thx, cheers,
xd




On 25 August 2011 00:26, Davide Guerri <davide.guerri () gmail com> wrote:

Hi Douglas,
I'd put optional spaces (\s*) between bytes= and the ranges and between
ranges.

The following

bytes=    0-1,  5-69,-69

is a valid Range header value (I mean that is accepted by apache).

I agree with you about not checking the HTTP method (GET/HEAD/POST all seem
to be vulnerable) and about the use of the [N]o[S]ub and [L]ast flags.

To sum up I'd rather use something like the following:

RewriteEngine On
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [NS,L,F]

I can say nothing about the efficiency of the Cond.

If you remove any check that matches a single range, WebDAV should work. It
seems really unusual to me for a service to use multiple ranges...

Davide.



On 24/ago/2011, at 15:40, Douglas Huff wrote:

I think this is a more complete rule that should be slightly more
efficient and thorough even though it's 3 separate matches:

RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-[0-9]+, [NC,OR]
RewriteCond %{HTTP:Range} bytes=([0-9-],){4,} [NC,OR]
RewriteCond %{HTTP:Range} bytes=[0-9,-]+,0-(,|$) [NC]
RewriteRule .? http://%{SERVER_NAME}/ [NS,L,F]

I cannot remember if the second RewriteCond's syntax is supported by
mod_rewrite and don't have a machine handy right this moment to test
effectiveness anyhow.

This should stop any requests with a range starting with 0- specified as
a range (first and third rule) or 4 or more ranges included (second rule).

--
Douglas Huff

On Aug 24, 2011, at 5:29 AM, Carlos Alberto Lopez Perez wrote:

On 20/08/11 14:05, Moritz Naumann wrote:
On 20.08.2011 00:23 HI-TECH . wrote:
(see attachment)
/Kingcope

Works (too) well here. Are there any workarounds other than rate
limiting or detecting + dropping the traffic IPS-wise?

Moritz


You can use the following redirect as a temporary workaround:

# a2enmod rewrite

RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
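The three rule sets quoted in this thread, checked against a handful of Range header values. This is an added example, not code from the thread, from Apache, or from any of the posters. It transcribes the RewriteCond patterns exactly as posted into Python regexes, adds a small structural parser for `bytes=` range sets, and applies a range-count threshold; the four-range cutoff, the rule names and the sample headers are constructed for illustration. Running it shows that Davide's pattern is the only one that fires on his whitespace example, that Carlos's `bytes=0-.*` also fires on a plain single `bytes=0-` request, and that Douglas's second condition as posted never matches multi-digit ranges, because `[0-9-]` is a single-character class.

```python
import re

# Regexes transcribed from the mod_rewrite rules in the thread. RewriteCond
# uses PCRE and, with [NC], case-insensitive matching; Python's re module
# behaves the same for these patterns. Rule names are just labels.
RULES = {
    "carlos": [re.compile(r"bytes=0-.*", re.I)],
    "douglas": [
        re.compile(r"bytes=0-[0-9]+,", re.I),
        re.compile(r"bytes=([0-9-],){4,}", re.I),   # exactly as posted
        re.compile(r"bytes=[0-9,-]+,0-(,|$)", re.I),
    ],
    "davide": [re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")],
}

RANGE_SPEC = re.compile(r"([0-9]*)-([0-9]*)")


def parse_byte_ranges(value):
    """Parse a Range header value into a list of (start, end) tuples.

    Open ends are None: "500-" -> (500, None), "-500" -> (None, 500).
    Returns None if the value is not a syntactically valid bytes range set.
    Whitespace around '=' and ',' is tolerated, matching what the thread
    reports Apache accepting.
    """
    m = re.fullmatch(r"bytes\s*=\s*(.*)", value.strip(), re.I)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        rm = RANGE_SPEC.fullmatch(spec.strip())
        # A spec must carry at least one endpoint; "-" alone is invalid.
        if not rm or not (rm.group(1) or rm.group(2)):
            return None
        start = int(rm.group(1)) if rm.group(1) else None
        end = int(rm.group(2)) if rm.group(2) else None
        ranges.append((start, end))
    return ranges


def matching_rules(value):
    """Return the names of the posted rule sets whose RewriteCond would fire.

    Conditions joined with [OR] fire if any one pattern matches; RewriteCond
    does an unanchored search, hence re.search here.
    """
    return sorted(name for name, pats in RULES.items()
                  if any(p.search(value) for p in pats))


def should_reject(value, max_ranges=4):
    """Structural check: reject malformed range sets or too many ranges.

    The threshold of 4 follows the "4 or more ranges" idea in Douglas's
    second condition; it is a hypothetical tuning value, not an Apache default.
    """
    ranges = parse_byte_ranges(value)
    if ranges is None:
        return True
    return len(ranges) >= max_ranges


# Constructed sample headers (not captured traffic).
SAMPLES = [
    "bytes=500-999",                    # ordinary single range
    "bytes=-500",                       # suffix range
    "bytes=0-",                         # whole document from byte 0
    "bytes=    0-1,  5-69,-69",         # Davide's spaced example
    "bytes=0-1,0-2,0-3,0-4,0-5,0-6",    # several overlapping ranges
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} ranges={parse_byte_ranges(s)} "
              f"rules={matching_rules(s)} reject={should_reject(s)}")
```

The structural check is the part worth keeping: a regex on the raw header can be dodged with whitespace or re-ordered ranges, while counting parsed ranges gives the same verdict however the header is written, and a malformed set is rejected outright rather than passed through to the server.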

