Full Disclosure mailing list archives

Re: Apache Killer

From: Dirk-Willem van Gulik <dirkx () webweaving org>
Date: Thu, 25 Aug 2011 09:46:01 +0100


On 25 Aug 2011, at 05:54, Michal Zalewski wrote:

just for the record I have the impression that this not the same vulnerability
you outlined in your advisory a while back. It is more that the idea
for this vulnerability originated from your advisory, not the same bug.


I don't think this even matters, and I really don't disagree...

In 2007, I noticed that their Range handling is silly, and may prompt
them to generate very large responses.


Hmm - I think we are conflating two issues:

1)      The contemporary interpretation of RFC 2616 allows for multiple
        overlapping ranges; requires them to be returned in order and
        has easy ways (e.g. 0-) of asking for a lot of data.

This basically means that a small request can cause the server to prep a lot
of data and, assuming the TCP connection looks alive to the server; lots of
data to be sent out. And because Ranges are fundamentally about arbitrary
ranges - this means hard work for the server.

This is an issue for all web servers implementing Range according to RFC2616
properly. This strict interpretation is currently discussed in the IETF:

        http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311

This issue is, a Michal's 2007 email importantly points out, cross server. Not 
just Apache. And I am sure we've not heard the last of this.

Then there something very apache 1.3/2.0/2.2 specific

2)      Under certain (very common) conditions Apache internally is really 
        rather inefficient at handling such request which 'explode' into
        many 100's of internal requests for large byte ranges.

        This is purely due to how it sets up the various bucket brigades
        and a lingering/remnant of the good old 0.9 times where one
        request meant one file and one reply.

The latter needs to be fixed in the apache code - and it would not surprise
me if we'll see more issues like this; where design assumptions from the old
1:1:1 times are no longer valid.

Thanks,

Dw.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Apache Killer, (continued)
- - - Re: Apache Killer -= Glowing Sex =- (Aug 23)
    - Message not available
    - Message not available
    - Re: Apache Killer -= Glowing Sex =- (Aug 23)
    - Re: Apache Killer HI-TECH . (Aug 22)
  - Re: Apache Killer HI-TECH . (Aug 23)
    - Re: Apache Killer Michal Zalewski (Aug 23)
    - Re: Apache Killer -= Glowing Sex =- (Aug 23)
    - Re: Apache Killer HI-TECH . (Aug 24)
    - Re: Apache Killer HI-TECH . (Aug 24)
    - Re: Apache Killer Michal Zalewski (Aug 24)
    - Re: Apache Killer HI-TECH . (Aug 24)
    - Re: Apache Killer Dirk-Willem van Gulik (Aug 25)
    - Re: Apache Killer root (Aug 24)
    - Re: Apache Killer Michal Zalewski (Aug 24)
    - Re: Apache Killer root (Aug 24)
    - Re: Apache Killer Dan Kaminsky (Aug 24)
    - Re: Apache Killer root (Aug 24)
    - Re: Apache Killer Dan Kaminsky (Aug 24)
    - Re: Apache Killer root (Aug 25)
    - Re: Apache Killer -= Glowing Sex =- (Aug 23)
    - Re: Apache Killer Davide Guerri (Aug 24)
    - Re: Apache Killer -= Glowing Sex =- (Aug 24)

(Thread continues...)