Nmap Development mailing list archives

Apache killer (was: [NSE] New script and email update patch)


From: Henri Doreau <henri.doreau () greenbone net>
Date: Fri, 26 Aug 2011 10:55:18 +0200

2011/8/21 Duarte Silva <duarte.silva () serializing me>:
> Hi,
>
> I have a new script and need some feedback. It's based on a pretty recent
> Full-Disclosure thread [1], from the script description:
>
> Verifies if a host running Apache HTTP server might be vulnerable to a memory
> exhaustion based DoS. The script sends a HEAD request that only accepts gzip
> encoding, triggering the Apache mod_gzip/mod_deflate module. If the server
> responds with a 206 status code, then it is highly probable that the server is
> vulnerable.

Hi,

after my previous comments about the style[1] I would like to discuss
ways to detect this vulnerability. As it is currently, your script
reports every server accepting the range request as being (likely)
vulnerable. This leads to many false positives.

The fix[2] for this vulnerability limits the number of ranges that can
be requested to a maximum of 10.
I would therefore recommend the following test, in two steps:
  1. Request a single range like 1-100 and see whether the server
     returns a 206 or not.
  2. Request 11 ranges, like "Range:
     bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10". Code 200 in the
     reply means that the target is not affected, 206 means that it is.

This method was found by Michael Meyer and Veerendra G.G for the
OpenVAS project, and appears to be a safe and reliable way to detect
the vulnerability.
Could you try to implement it in your script?

Regards.

[1] http://seclists.org/nmap-dev/2011/q3/645
[2] http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3CCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g () mail gmail com%3E

-- 
Henri
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
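The two-step probe Henri describes, written out as an added example. This is not Duarte's NSE script, not the OpenVAS check Henri credits to Michael Meyer and Veerendra G.G, and not code from the thread; it is in Python rather than Lua so it can be run and tested stand-alone. Assumptions that are mine, not the message's: HEAD as the request method (it keeps the reply to headers only), "/" as the path, the placeholder host name "target.invalid", reporting a second reply that is neither 200 nor 206 as "inconclusive" instead of guessing, and the `fake_apache` / `no_range_server` stand-ins, which are constructed to model the behaviour the message describes and are not httpd code.

```python
import socket
from typing import Callable, Iterable, Optional, Tuple

# A transport takes a raw HTTP request and returns the raw reply. Keeping the
# wire I/O behind this seam lets the same probe run against a live host or
# against the constructed stand-in servers below.
Transport = Callable[[bytes], bytes]

SINGLE_RANGE = [(1, 100)]                    # step 1: is Range honoured at all?
ELEVEN_RANGES = [(i, i) for i in range(11)]  # step 2: one more than the patched cap of 10


def build_request(host: str, path: str, ranges: Iterable[Tuple[int, int]]) -> bytes:
    """HEAD request with a Range header built from (start, end) byte pairs.

    HEAD is an assumption of this example; it keeps the reply to headers only.
    """
    range_value = "bytes=" + ",".join(f"{a}-{b}" for a, b in ranges)
    return (
        f"HEAD {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {range_value}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def status_code(reply: bytes) -> int:
    """Status code from the reply's status line, or 0 if it is not an HTTP reply."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    return int(parts[1]) if parts[1].isdigit() else 0


def check_range_dos(transport: Transport, host: str = "target.invalid", path: str = "/") -> str:
    """The two-step test: 'ranges-unsupported', 'patched', 'vulnerable' or 'inconclusive'."""
    if status_code(transport(build_request(host, path, SINGLE_RANGE))) != 206:
        return "ranges-unsupported"      # no 206 for one range: this vector does not apply
    second = status_code(transport(build_request(host, path, ELEVEN_RANGES)))
    if second == 206:
        return "vulnerable"              # 11 ranges still served partially
    if second == 200:
        return "patched"                 # fixed httpd ignores Range beyond the cap
    return "inconclusive"                # e.g. 416 or a non-HTTP reply: do not guess


def tcp_transport(host: str, port: int = 80, timeout: float = 5.0) -> Transport:
    """Live transport: one TCP connection per request (we send Connection: close)."""
    def send(request: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = b""
            while b"\r\n\r\n" not in reply:  # HEAD: the header block is the whole reply
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
            return reply
    return send


def fake_apache(max_ranges: Optional[int]) -> Transport:
    """Constructed stand-in for httpd (not real server code): replies 206 to any
    Range request carrying at most `max_ranges` ranges, 200 otherwise.
    None models an unpatched server (no cap); 10 models the fixed one."""
    def send(request: bytes) -> bytes:
        count = 0
        for line in request.decode("ascii").split("\r\n"):
            if line.lower().startswith("range:"):
                spec = line.split(":", 1)[1].strip()
                count = len(spec[len("bytes="):].split(",")) if spec.startswith("bytes=") else 0
        if count and (max_ranges is None or count <= max_ranges):
            return b"HTTP/1.1 206 Partial Content\r\nServer: Apache\r\n\r\n"
        return b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
    return send


def no_range_server(request: bytes) -> bytes:
    """Constructed server that ignores Range entirely (e.g. a front proxy)."""
    return b"HTTP/1.1 200 OK\r\n\r\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 range_check.py www.example.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(sys.argv[1], check_range_dos(tcp_transport(sys.argv[1], port), host=sys.argv[1]))
    else:                  # offline demo against the constructed stand-ins
        for name, t in [("unpatched", fake_apache(None)), ("patched", fake_apache(10)),
                        ("no-range", no_range_server)]:
            print(f"{name:10s} {check_range_dos(t)}")
```

Against a live host the probe sends exactly two HEAD requests, the second carrying eleven single-byte ranges, which is far below anything that would load the server; it is the step-1 gate that removes the false positives Henri points out, since a host that never answers 206 is not reported at all.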
