Full Disclosure mailing list archives
Re: Apache Killer
From: "-= Glowing Sex =-" <doomxd () gmail com>
Date: Thu, 25 Aug 2011 06:25:51 +1000
oops, did it again... forgot to cc the list :s

On 25 August 2011 06:25, -= Glowing Sex =- <doomxd () gmail com> wrote:
> Very nice stuff! I think kcope did grab the idea from something you actually mentioned once, Davide, lol, a reference to a website I think, and mentioning the byte range. I played a bit with this, changed the request of 0- to more like this:
>
> root@craked:~# perl killapache.pl www.***.com
> IO::Socket::INET=GLOB(0x22016f8)
> HEAD / HTTP/1.1
> Host: www.***.com
> Range:bytes=0-
> Accept-Encoding: gzip
> Connection: close
> ^C
>
> This, when I added the If-Range, was less successful, so I removed that, and changed the 0- section to one which includes -doc_size; this produced a difference... and oh, I did also make it print "$sock $p"; for a little to watch the header sending... a lot of the time it was not adding on the $p, it stopped at 0-. Interesting anyhow to play with the advisory/patch and exploit.. it produces some wicked results on many httpds. I mean instant death to nearly all of freebsd v8 which I have seen now... Anyhow, I hope we don't see another one like this, I really blame apache for this, and won't ever hold an exploit coder to things which are readable on some pages of apache, and just do not get brought to the fore; it is expected that everyone knows how to update to dev, which unfortunately is not going to happen :P. Anyhow, cheers for all the input on this, the patches for it work, and it is much nicer without any apache d0s :)
>
> thx, cheers,
> xd
>
> On 25 August 2011 00:26, Davide Guerri <davide.guerri () gmail com> wrote:
>> Hi Douglas,
>>
>> I'd put optional spaces (\s*) between bytes= and the ranges and between ranges. The following
>>
>> bytes= 0-1, 5-69,-69
>>
>> is a valid Range header value (I mean that it is accepted by apache). I agree with you about not checking the http method (GET/HEAD/POST seem to be all vulnerable) and about the use of the [N]o[S]ub and the [L]ast flag. To sum up, I'd rather use something like the following:
>>
>> RewriteEngine On
>> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>> RewriteRule .* - [NS,L,F]
>>
>> I can say nothing about the efficiency of the Cond.
>>
>> If you remove any check that matches a single range, webdav should work. It seems really unusual for a service to use multiple ranges to me...
>>
>> Davide.
>>
>> On 24/ago/2011, at 15:40, Douglas Huff wrote:
>>> I think this is a more complete rule that should be slightly more efficient and thorough even though it's 3 separate matches:
>>>
>>> RewriteEngine On
>>> RewriteCond %{HTTP:Range} bytes=0-[0-9]+, [NC,OR]
>>> RewriteCond %{HTTP:Range} bytes=([0-9-]+,){4,} [NC,OR]
>>> RewriteCond %{HTTP:Range} bytes=[0-9,-]+,0-(,|$) [NC]
>>> RewriteRule .? http://%{SERVER_NAME}/ [NS,L,F]
>>>
>>> I cannot remember if the second RewriteCond's syntax is supported by mod_rewrite and don't have a machine handy right this moment to test effectiveness anyhow. This should stop any requests with a range starting with 0- specified as a range (first and third rule) or 4 or more ranges included (second rule).
>>>
>>> -- Douglas Huff
>>>
>>> On Aug 24, 2011, at 5:29 AM, Carlos Alberto Lopez Perez wrote:
>>>> On 20/08/11 14:05, Moritz Naumann wrote:
>>>>> On 20.08.2011 00:23 HI-TECH . wrote:
>>>>>> (see attachment)
>>>>>> /Kingcope
>>>>>
>>>>> Works (too) well here. Are there any workarounds other than rate limiting or detecting + dropping the traffic IPS-wise?
>>>>>
>>>>> Moritz
>>>>
>>>> You can use the following redirect as a temporary workaround:
>>>>
>>>> # a2enmod rewrite
>>>> RewriteEngine On
>>>> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
>>>> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
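As an added defender-side example (not code from the thread), the mitigation the replies converge on, refusing requests that carry more than one byte range while letting single-range WebDAV and resumed-download requests through, written in Python, with Davide's RewriteCond pattern evaluated by `re` over the same header values so the two decisions can be compared. The sample header values are constructed here, except the spaced one Davide quotes; the range counts and the `max_ranges` threshold are assumptions.

```python
import re

# Davide Guerri's proposed RewriteCond pattern from the thread, run with
# Python's re (PCRE-compatible for this pattern). It fires only when two or
# more byte ranges are present; a single range passes untouched.
MULTI_RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

# Constructed sample Range header values (only "davide_spaced" is from the thread).
SAMPLES = {
    "single_range":      "bytes=0-499",
    "davide_spaced":     "bytes= 0-1, 5-69,-69",
    "suffix_only":       "bytes=-500",
    "overlapping_flood": "bytes=" + ",".join(f"0-{i}" for i in range(1, 1301)),
    "no_range":          "",
}

def parse_ranges(value):
    """Split a Range header value into (first, last) tuples; None marks an open end.
    Returns [] for anything that is not a well-formed bytes= range set."""
    if not value.lower().startswith("bytes="):
        return []
    ranges = []
    for spec in value[6:].split(","):
        spec = spec.strip()
        if re.fullmatch(r"[0-9]*-[0-9]*", spec) is None or spec == "-":
            return []
        first, last = spec.split("-", 1)
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges

def should_reject(value, max_ranges=1):
    """Policy from the thread: refuse requests carrying more than max_ranges
    byte ranges; single-range and no-range requests are served normally."""
    return len(parse_ranges(value)) > max_ranges

def rewritecond_matches(value):
    """What the proposed RewriteCond would decide for the same header value."""
    return MULTI_RANGE_RE.search(value) is not None

def evaluate(samples=SAMPLES):
    """Per sample: (rejected by the parser policy, RewriteCond fires)."""
    return {name: (should_reject(v), rewritecond_matches(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, (policy, regex) in evaluate().items():
        print(f"{name:18s} reject_by_parser={policy} rewritecond_fires={regex}")
```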