Grave apache dos possible through byterange requests


Grave apache dos possible through byterange requests

Dirk Hartmann-4
Hi,

it is possible to DoS an actual squeeze apache2 with easy-to-forge range requests:

http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html 

Apache-devs are working on a solution:

http://www.gossamer-threads.com/lists/apache/dev/401638
But because the situation seems serious I thought I give you a heads up.

Running this script against a squeeze machine with 8 cores and 24 GB RAM you only need 200 threads to kick it out of memory.

Cheers
Dirk

Re: Grave apache dos possible through byterange requests

Carlos Alberto Lopez Perez
On 24/08/11 08:53, Dirk Hartmann wrote:

> Hi,
>
> it is possible to dos a actual squeeze-apache2 with easy to forge
> rage-requests:
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>
> Apache-devs are working on a solution:
>
> http://www.gossamer-threads.com/lists/apache/dev/401638
>
> But because the situation seems serious I thought I give you a heads up.
>
> Running this script against a squeeze machine with 8 Cores and 24GB Ram you
> only need 200 threads to kick it out of memory.
>
> Cheers
> Dirk
>
You can use the following redirect as a temporary workaround:

# a2enmod rewrite

RewriteEngine On
RewriteCond %{HTTP:Range} bytes=0-.* [NC]
RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]



Re: Grave apache dos possible through byterange requests

Andrea Zwirner
2011/8/24 Carlos Alberto Lopez Perez <[hidden email]>
> On 24/08/11 08:53, Dirk Hartmann wrote:
>> Hi,
>>
>> it is possible to dos a actual squeeze-apache2 with easy to forge
>> rage-requests:
>>
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>>
>> Apache-devs are working on a solution:
>>
>> http://www.gossamer-threads.com/lists/apache/dev/401638
>>
>> But because the situation seems serious I thought I give you a heads up.
>>
>> Running this script against a squeeze machine with 8 Cores and 24GB Ram you
>> only need 200 threads to kick it out of memory.
>>
>> Cheers
>> Dirk
>>
>
> You can use the following redirect as a temporally workaround:
>
> # a2enmod rewrite
>
> RewriteEngine On
> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]


I'm not an Apache expert, could you please explain in broad terms what the workaround does?

Thanks a lot,

   Andrea



--
Andrea Zwirner
email: [hidden email]
cell: +39 366 1872016

Linkspirit Sistemi Informatici
Refined applications of computer science
Via Delle Industrie 5 - 33050 Ronchis UD
tel: +39 0432 1845030 - fax: +39 0432 309903
web: www.linkspirit.it - email: [hidden email]



Re: Grave apache dos possible through byterange requests

Carlos Alberto Lopez Perez
On 24/08/11 12:45, Andrea Zwirner wrote:

> 2011/8/24 Carlos Alberto Lopez Perez <[hidden email]>
>
>> On 24/08/11 08:53, Dirk Hartmann wrote:
>>> Hi,
>>>
>>> it is possible to dos a actual squeeze-apache2 with easy to forge
>>> rage-requests:
>>>
>>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>>>
>>> Apache-devs are working on a solution:
>>>
>>> http://www.gossamer-threads.com/lists/apache/dev/401638
>>>
>>> But because the situation seems serious I thought I give you a heads up.
>>>
>>> Running this script against a squeeze machine with 8 Cores and 24GB Ram you
>>> only need 200 threads to kick it out of memory.
>>>
>>> Cheers
>>> Dirk
>>>
>>
>> You can use the following redirect as a temporally workaround:
>>
>> # a2enmod rewrite
>>
>> RewriteEngine On
>> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
>> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
>>
>>
> I'm not an Apache expert, could you please explain in broad terms what does
> the workaround does?
>
It searches case insensitively (NC=nocase) in the http request for a
header of type Range like the one used in the exploit:

Range: bytes=0-*

And if the http request matches the condition then it redirects the user
to the main page of your server using a temporary redirect (R=302). Also
it stops processing more rules at this point (L=last).

I tested it thoroughly and it stops the attack while it doesn't
affect the normal behaviour of the server; resuming downloads continues to
work as expected.

http://stackoverflow.com/questions/3303029/http-range-header




Re: Grave apache dos possible through byterange requests

Andrew McGlashan
In reply to this post by Carlos Alberto Lopez Perez
Hi,

Carlos Alberto Lopez Perez wrote:
> You can use the following redirect as a temporally workaround:
>
> # a2enmod rewrite
>
> RewriteEngine On
> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]

Would that work for all websites of a Debian server if placed into a
file located in /etc/apache2/conf.d ?

Will other rewrites be fine in the normal conf files for each website?

Thanks

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/4E54EAA3.4080301@...


Re: Grave apache dos possible through byterange requests

Carlos Alberto Lopez Perez
In reply to this post by Carlos Alberto Lopez Perez
On 24/08/11 12:13, Carlos Alberto Lopez Perez wrote:
> You can use the following redirect as a temporally workaround:
>
> # a2enmod rewrite
>
> RewriteEngine On
> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
>

Sorry, the above redirect is wrong. It won't work if the attacker
changes bytes=0 to bytes=1, for example, in the perl exploit. Also it only
blocks the check that the exploit uses to see if the server is
vulnerable, but not the range requests, which are where the real problem is.


Please use the following one instead (suggested at full-disclosure[1]):


RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]


--------
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082365.html



Re: Grave apache dos possible through byterange requests

Carlos Alberto Lopez Perez
In reply to this post by Andrew McGlashan
On 24/08/11 14:12, Andrew McGlashan wrote:
>
> Would that work for all websites of a Debian server if placed into a
> file located in /etc/apache2/conf.d  ?
>
> Will other rewrites will be fine in the normal conf files for each website?
>
> Thanks
It should not mess with other redirects that you have, but I think
that you must apply it under each one of the virtual hosts of your
deployment.



Re: Grave apache dos possible through byterange requests

Rolf Kutz-2
In reply to this post by Dirk Hartmann-4
On 24/08/11 08:53 +0200, Dirk Hartmann wrote:

>
> it is possible to dos a actual squeeze-apache2 with easy to forge
> rage-requests:
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html
>
> Apache-devs are working on a solution:
>
> http://www.gossamer-threads.com/lists/apache/dev/401638
>
> But because the situation seems serious I thought I give you a heads up.
>
> Running this script against a squeeze machine with 8 Cores and 24GB Ram you
> only need 200 threads to kick it out of memory.

There is an advisory that recommends some
workarounds, depending on the needs of your
specific site:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@...%3E

regards
Rolf

--
I never let my schooling get in the way of my education. — Mark Twain




Re: Grave apache dos possible through byterange requests

Christian Hammers
In reply to this post by Dirk Hartmann-4
Hello

Word is spreading that "Request-Range:" seems to be a synonym for "Range:" and
is similarly vulnerable but not covered by the config snippets that were
proposed yesterday. So Gentlemen, patch again! :-(

bye,

-christian-




Re: Grave apache dos possible through byterange requests

Carlos Alberto Lopez Perez
On 26/08/11 11:17, Christian Hammers wrote:
> Hallo
>
> Word is spreading that "Request-Range:" seems to be a synonym to "Range:" and
> is similar vulnerable but not covered by the config snippets that were
> proposed yesterday. So Gentlemen, patch again! :-(
>
Confirmed!

Just modified the suggested solution [1], adding an [OR] (and nocase) to
also match Request-Range:


RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]


[1] https://lwn.net/Articles/456268/



Re: Grave apache dos possible through byterange requests

linbloke

On 26/08/11 8:52 PM, Carlos Alberto Lopez Perez wrote:

> On 26/08/11 11:17, Christian Hammers wrote:
>> Hallo
>>
>> Word is spreading that "Request-Range:" seems to be a synonym to "Range:" and
>> is similar vulnerable but not covered by the config snippets that were
>> proposed yesterday. So Gentlemen, patch again! :-(
>>
> Confirmed!.
>
> Just modified the suggest solution[1] adding an [OR] (and nocase) for
> also matching for request-range
>
>
> RewriteEngine on
> RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
> RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
> RewriteRule .* - [F]
>
>
> [1] https://lwn.net/Articles/456268/
>
Hello,

I'm curious as to why you suggest option 2 over option 1 from the Apache
advisory? My guess is that it is compatible with version 1.3 and 2.x and
that it has stronger enforcement of the syntax (by requiring ^bytes=)
rather than just 5 comma separated fields. Would the following be the
equivalent update to option 1:

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
SetEnvIf Request-Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
RequestHeader unset Request-Range env=bad-range

# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range

I've put that into /etc/apaches/conf.d/CVE-2011-3192

I appreciate that it clobbers both headers if either matches, but that's ok
for me. If either matches I'd be happier to drop the connection, but I
don't want to touch every virtualhost config and Rewrite rules scare me too.


Best regards,
LB




Re: Grave apache dos possible through byterange requests

Dirk-Willem van Gulik

On 26 aug. 2011, at 13:22, linbloke wrote:

> I'm curious as to why you suggest option 2 over option 1 from the Apache advisory? My guess is that it is compatible with version 1.3 and 2.x and that is has stronger enforcement of the syntax (by requiring ^bytes=) rather than just 5 comma separated fields.
...
> RequestHeader unset Range env=bad-range

Correct; env=bad-range is not functional until midway the 2.x (2.2) series.

> I don't want to touch every virtualhost config and Rewrite rules scare me too.

A rewrite rule requires more care - as it may get negated deeper down. RequestHeader and SetEnvIf are more robust.

Dw.



Re: Grave apache dos possible through byterange requests

Carlos Alberto Lopez Perez
In reply to this post by linbloke
On 26/08/11 13:22, linbloke wrote:

> Hello,
>
> I'm curious as to why you suggest option 2 over option 1 from the Apache
> advisory? My guess is that it is compatible with version 1.3 and 2.x and
> that is has stronger enforcement of the syntax (by requiring ^bytes=)
> rather than just 5 comma separated fields. Would the following be the
> equivalent update to option 1:
>
> # Drop the Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> SetEnvIf Request-Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
> RequestHeader unset Request-Range env=bad-range
>
> # optional logging.
> CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
>
> I've put that into /etc/apaches/conf.d/CVE-2011-3192
>
> I appreciate that it clobbers both headers if either match but that's ok
> for me. If either match I'd be happier to drop the connection but I
> don't want to touch every virtualhost config and Rewrite rules scare me
> too.
>
>
> Best regards,
> LB
Didn't know that method 1 can be applied outside the vhost, so this is much easier to deploy.

Thanks for the tip!


The new advisory [1] recommends this:

         # Drop the Range header when more than 5 ranges.
         # CVE-2011-3192
         SetEnvIf Range (?:,.*?){5,5} bad-range=1
         RequestHeader unset Range env=bad-range

         # We always drop Request-Range; as this is a legacy
         # dating back to MSIE3 and Netscape 2 and 3.
         RequestHeader unset Request-Range

         # optional logging.
         CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
         CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range


[1] http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082427.html



Re: Grave apache dos possible through byterange requests

Thomas Hungenberg-2
Carlos Alberto Lopez Perez wrote:

> The new advisory [1] recommends this:
>
>          # Drop the Range header when more than 5 ranges.
>          # CVE-2011-3192
>          SetEnvIf Range (?:,.*?){5,5} bad-range=1
>          RequestHeader unset Range env=bad-range
>
>          # We always drop Request-Range; as this is a legacy
>          # dating back to MSIE3 and Netscape 2 and 3.
>          RequestHeader unset Request-Range
>
>          # optional logging.
>          CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
>          CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range

What's the use of the second CustomLog line?
'bad-req-range' is never set, is it?

  - Thomas


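As an added example that is not code from this thread, from Apache or from any of the posters, the following Python models the header filters quoted above (Carlos's withdrawn bytes=0- redirect, the [OR]-joined Range/Request-Range RewriteCond pair, and the advisory's SetEnvIf/RequestHeader snippet) so that the boundary they enforce (five ranges pass, six are dropped), the Request-Range handling and the environment variables the advisory snippet can actually set can be checked on constructed header values before a live server is touched. The regular expressions are copied from the messages above; the sample header values and all function names are constructed here.

```python
import re

# Header filters quoted in this thread, copied from the page as written.
# Carlos's first (later withdrawn) RewriteCond: redirect when Range contains bytes=0-
FIRST_REDIRECT = re.compile(r"bytes=0-.*", re.I)
# The full-disclosure RewriteCond, negated with '!' in the config: forbid unless the
# header is empty or a bytes= list of at most five ranges.
VALID_RANGE_LIST = re.compile(r"(^bytes=[^,]+(,[^,]+){0,4}$|^$)", re.I)
# The advisory's SetEnvIf Range pattern: five commas somewhere, i.e. six or more ranges.
ADVISORY_BAD_RANGE = re.compile(r"(?:,.*?){5,5}")

def count_ranges(value):
    """Number of range specs in a 'bytes=' header value (0 if it is not one)."""
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return 0
    return sum(1 for part in value[len("bytes="):].split(",") if part.strip())

def first_redirect_hits(headers):
    """True when the withdrawn bytes=0- RewriteCond would fire on this request."""
    return FIRST_REDIRECT.search(headers.get("Range", "")) is not None

def rewrite_blocks(headers):
    """True when the [OR]-joined Range/Request-Range RewriteConds send the request to [F]."""
    rng, req_rng = headers.get("Range", ""), headers.get("Request-Range", "")
    return VALID_RANGE_LIST.search(rng) is None or VALID_RANGE_LIST.search(req_rng) is None

def advisory_env(headers):
    """Env vars set by the advisory's SetEnvIf line; nothing in that snippet sets bad-req-range."""
    env = {}
    if ADVISORY_BAD_RANGE.search(headers.get("Range", "")):
        env["bad-range"] = "1"
    return env

def advisory_sanitize(headers):
    """Headers left for the content handler after the advisory's RequestHeader unset lines."""
    out = dict(headers)
    if "bad-range" in advisory_env(headers):
        out.pop("Range", None)
    out.pop("Request-Range", None)  # dropped unconditionally
    return out

# Constructed sample requests (header name -> value), not taken from any capture.
SAMPLES = {
    "resume": {"Range": "bytes=1000-"},
    "five_ranges": {"Range": "bytes=" + ",".join(f"{i}-{i}" for i in range(5))},
    "six_ranges": {"Range": "bytes=" + ",".join(f"{i}-{i}" for i in range(6))},
    "alias_header": {"Request-Range": "bytes=" + ",".join(f"{i}-{i}" for i in range(6))},
}
```

Because the second CustomLog line in the advisory snippet is conditioned on bad-req-range, which advisory_env never produces, that log file stays empty in this model as well.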