[svlug] Heads up: Bad remote DoS for current Apache httpd

Jesse Monroy jesse650 at gmail.com
Wed Aug 24 23:57:37 PDT 2011


Rick,
From the Perl script attached to the Notice (from Full Disclosure) and RFC 2616

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

>14.35.2 Range Retrieval Requests
>
>HTTP retrieval requests using conditional or unconditional GET methods MAY request one or more sub-ranges of the entity, instead of the entire entity, using the Range request header, which applies to the entity returned as the result of the request:
>
>      Range = "Range" ":" ranges-specifier
>
>A server MAY ignore the Range header. However, HTTP/1.1 origin servers and intermediate caches ought to support byte ranges when possible, since Range supports efficient recovery from partially failed transfers, and supports efficient partial retrieval of large entities.
>

This section of the protocol is supposed to be for "efficient
recovery", and as stated for "partially failed transfer ... and ..
recovery".

Further, they are misusing the spec by asking for 1 byte at a time ---
in compressed mode!!
(NOTE: the Perl code states: "Accept-Encoding: gzip")

The server should reject this, but apparently there is an error in the
logic. It should be an easy fix, but the actual code may take a week to
propagate.

There should be a switch in Apache to turn OFF partial recovery mode
till the fix is in.

Jesse


On 8/24/11, Rick Moen <rick at linuxmafia.com> wrote:
> http://seclists.org/fulldisclosure/2011/Aug/175 has details of a DoS
> against all current Apache httpd versions that permit remote exhaustion
> of RAM and CPU.  A patch is expected within 48 hours.  Meanwhile,
> the DoS can be averted with your choice of several configuration
> settings that prevent the remote Web client from requesting too many
> overlapping byte ranges.
>
> http://article.gmane.org/gmane.comp.apache.announce/58
>
> On Debian, I tightened down my own server by doing first:
>
> #  a2enmod headers
>
> And then adding the following to /etc/apache2/httpd.conf and then
> restarting Apache:
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> # optional logging.
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
>
>

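The two checks discussed in this thread can be compared side by side: Rick's SetEnvIf rule only counts commas in the Range value, while a parser that follows RFC 2616 section 14.35.1 can also see whether the ranges are syntactically valid and whether they overlap. The following is an added example written for this archive page, not code from the page, from Apache httpd, or from the Full Disclosure post; the helper names (parse_byte_ranges, matches_setenvif_rule, check_range_header), the 4096-byte entity length and all sample headers are constructed assumptions.

```python
import re

# One byte-range-spec from RFC 2616 14.35.1: "first-last", "first-", or "-suffix".
BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(range_value, entity_length):
    """Parse a Range header value such as "bytes=0-99,200-" into [(first, last), ...].

    Unsatisfiable specs (start at or past the end of the entity, or "-0") are dropped,
    which the RFC allows.  A syntactically invalid spec (wrong syntax, or a last-byte-pos
    smaller than the first-byte-pos) raises ValueError, because the RFC says the whole
    header MUST then be ignored.
    """
    if not range_value.lower().startswith("bytes="):
        raise ValueError("only the 'bytes' range unit is supported")
    ranges = []
    for spec in range_value[len("bytes="):].split(","):
        spec = spec.strip()
        m = BYTE_RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError("syntactically invalid byte-range-spec: %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "":                       # suffix-byte-range-spec: the last N bytes
            n = min(int(last), entity_length)
            if n == 0:
                continue                      # unsatisfiable, ignore this spec
            ranges.append((entity_length - n, entity_length - 1))
            continue
        f = int(first)
        if last and int(last) < f:
            raise ValueError("last-byte-pos before first-byte-pos: %r" % spec)
        if f >= entity_length:
            continue                          # unsatisfiable, ignore this spec
        l = entity_length - 1 if last == "" else min(int(last), entity_length - 1)
        ranges.append((f, l))
    return ranges


def matches_setenvif_rule(range_value, min_commas=5):
    """Same test as the quoted `SetEnvIf Range (,.*?){5,}`: five or more commas."""
    return re.search(r"(,.*?){%d,}" % min_commas, range_value) is not None


def check_range_header(range_value, entity_length, max_ranges=5):
    """Decide whether to honour a Range header.  Returns (accept, reason).

    Stricter than the comma-count rule: an invalid header is ignored as the RFC
    requires, and overlapping ranges (the shape of the CVE-2011-3192 request) are
    refused even when there are few of them.
    """
    try:
        ranges = parse_byte_ranges(range_value, entity_length)
    except ValueError as e:
        return False, "ignore header: %s" % e
    if len(ranges) > max_ranges:
        return False, "too many ranges (%d > %d)" % (len(ranges), max_ranges)
    ordered = sorted(ranges)
    for (_, prev_last), (next_first, _) in zip(ordered, ordered[1:]):
        if next_first <= prev_last:
            return False, "overlapping ranges"
    return True, "ok"


# Constructed sample headers (assumptions for this example, not from the page).
RESUME_DOWNLOAD = "bytes=1000-"                 # what Range was designed for
TWO_CHUNKS = "bytes=0-99,200-299"               # legitimate multipart request
FEW_OVERLAPPING = "bytes=0-9,5-14,10-19"        # passes the comma count, still abusive
# Many overlapping ranges of the same prefix: the pattern the advisory warns about.
MANY_OVERLAPPING = "bytes=" + ",".join("0-%d" % k for k in range(1300))

if __name__ == "__main__":
    for h in (RESUME_DOWNLOAD, TWO_CHUNKS, FEW_OVERLAPPING, MANY_OVERLAPPING):
        print("%-30.30s setenvif=%-5s parser=%s"
              % (h, matches_setenvif_rule(h), check_range_header(h, 4096)))
```

Note that the comma-count rule passes FEW_OVERLAPPING, since it has only two commas; the quoted configuration limits the size of the attack rather than identifying it. The overlap check costs one sort of the parsed ranges, so it is cheap enough to run before any response is assembled.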