Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


Revival of an Unpatched Apache HTTPD DoS

Published: 2011-08-25,
Last Updated: 2011-08-25 03:17:50 UTC
by Kevin Shortt (Version: 1)

8 comment(s)

Readers have been writing in and I wanted to get this out to for info and comment.  I have not had a chance to test it out myself.  It first surfaced in 2007 by Michal Zalewski on bugtraq. [1]   It appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time.

It formally resurfaced last Friday with a proof of concept.  A CVE is in draft and a patch is expected in a few days by the Apache team.  You can read a discussion about it on the Apache HTTPD dev mailing list. [2]   The link provides details on some mitigation measures to be taken.   When I get chance I will test and report back.  

In the mean time please share your experiences with your fellow readers with a comment.

 
[1] http://seclists.org/bugtraq/2007/Jan/83
[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2

-Kevin
--
ISC Handler on Duty

Keywords: apache DoS kill tool
8 comment(s)
Top of page

Top of page

Comments

I tried this out yestersay on a virtual machine running CentOS 6. Load and memory consumption immediately rose on the server, a very effective DoS IMHO. I shall be playing with mitigation techniques today ahead of an official patch.
posted by Jim, Thu Aug 25 2011, 06:28
I too tested this on stock apache on CentOS 6, however the attack failed. I do not use the default config, instead my config is trimmed down to the only modules necessary and other general hardening. Unfortunately I was too buy to investigate it further, as all my servers utilize similar apache configuration.
posted by VJ, Thu Aug 25 2011, 14:12
Since I had more time today, I investigated why the attack fails against my servers. Turns out I do not use mod_gzip/mod_deflate. See http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082302.html

This is not the first time taking the minimalist (least privilege) approach has paid off for me. :-)
posted by VJ, Thu Aug 25 2011, 14:57
I tried this on metasploitable's web server. Results here:
http://compusec.org/?p=111
posted by Albert, Thu Aug 25 2011, 17:16
Although the P0F uses mod_gzip/mod_deflate the concensus seems to be that the vulnerability lies in the range_bytes code and has nothing to do with mod_gzip/mod_deflate although this module seems to amplify the problem.
Disabling mod_gzip/mod_deflate is NOT A FIX, but considering the kiddies might save you a lot of grief.
posted by Patrick, Fri Aug 26 2011, 05:58
The posting on the apache dev list that's linked above has broken solutions for handling the Range header.
Better read the "official" posting on the apache announce list that has updated info

http://marc.info/?l=apache-httpd-announce&m=131420273523300&w=2
posted by Patrick, Fri Aug 26 2011, 06:05
I too was pleasantly surprised to see 'Host not vulnerable" results.... it was nice for a change walking over and praising the admins for their 'less is more' approach to their Apache configs.

I would encourage you to do the same if you can...
posted by CS, Fri Aug 26 2011, 16:21
Also: "In an updated advisory posted this morning(8.26.11), the Apache team revealed further exposure of the platform to the attack, and noted that "active use of this tool has been observed." " ~DarkReading
http://seclists.org/fulldisclosure/2011/Aug/301
posted by CS, Fri Aug 26 2011, 16:23

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

Got Packets? Odd duplicate DNS replies from 10.x IP Addresses - by: Johannes Ullrich (2012-05-16)

Reserved IP Address Space Reminder - by: Johannes Ullrich (2012-05-16)

Odd DNS replies from 10 nets and RFC1323 impacting firewalls - by: Dan Goldberg (2012-05-15)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute

ISC Diary | Revival of an Unpatched Apache HTTPD DoS
Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


Revival of an Unpatched Apache HTTPD DoS

Published: 2011-08-25,
Last Updated: 2011-08-25 03:17:50 UTC
by Kevin Shortt (Version: 1)

8 comment(s)

Readers have been writing in and I wanted to get this out to for info and comment.  I have not had a chance to test it out myself.  It first surfaced in 2007 by Michal Zalewski on bugtraq. [1]   It appears due to its lack of sophistication, that it did not get much attention by Apache developers and it has remained unpatched all of this time.

It formally resurfaced last Friday with a proof of concept.  A CVE is in draft and a patch is expected in a few days by the Apache team.  You can read a discussion about it on the Apache HTTPD dev mailing list. [2]   The link provides details on some mitigation measures to be taken.   When I get chance I will test and report back.  

In the mean time please share your experiences with your fellow readers with a comment.

 
[1] http://seclists.org/bugtraq/2007/Jan/83
[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2

-Kevin
--
ISC Handler on Duty

Keywords: apache DoS kill tool
8 comment(s)
Top of page

Top of page

Comments

I tried this out yestersay on a virtual machine running CentOS 6. Load and memory consumption immediately rose on the server, a very effective DoS IMHO. I shall be playing with mitigation techniques today ahead of an official patch.
posted by Jim, Thu Aug 25 2011, 06:28
I too tested this on stock apache on CentOS 6, however the attack failed. I do not use the default config, instead my config is trimmed down to the only modules necessary and other general hardening. Unfortunately I was too buy to investigate it further, as all my servers utilize similar apache configuration.
posted by VJ, Thu Aug 25 2011, 14:12
Since I had more time today, I investigated why the attack fails against my servers. Turns out I do not use mod_gzip/mod_deflate. See http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082302.html

This is not the first time taking the minimalist (least privilege) approach has paid off for me. :-)
posted by VJ, Thu Aug 25 2011, 14:57
I tried this on metasploitable's web server. Results here:
http://compusec.org/?p=111
posted by Albert, Thu Aug 25 2011, 17:16
Although the P0F uses mod_gzip/mod_deflate the concensus seems to be that the vulnerability lies in the range_bytes code and has nothing to do with mod_gzip/mod_deflate although this module seems to amplify the problem.
Disabling mod_gzip/mod_deflate is NOT A FIX, but considering the kiddies might save you a lot of grief.
posted by Patrick, Fri Aug 26 2011, 05:58
The posting on the apache dev list that's linked above has broken solutions for handling the Range header.
Better read the "official" posting on the apache announce list that has updated info

http://marc.info/?l=apache-httpd-announce&m=131420273523300&w=2
posted by Patrick, Fri Aug 26 2011, 06:05
I too was pleasantly surprised to see 'Host not vulnerable" results.... it was nice for a change walking over and praising the admins for their 'less is more' approach to their Apache configs.

I would encourage you to do the same if you can...
posted by CS, Fri Aug 26 2011, 16:21
Also: "In an updated advisory posted this morning(8.26.11), the Apache team revealed further exposure of the platform to the attack, and noted that "active use of this tool has been observed." " ~DarkReading
http://seclists.org/fulldisclosure/2011/Aug/301
posted by CS, Fri Aug 26 2011, 16:23

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

Got Packets? Odd duplicate DNS replies from 10.x IP Addresses - by: Johannes Ullrich (2012-05-16)

Reserved IP Address Space Reminder - by: Johannes Ullrich (2012-05-16)

Odd DNS replies from 10 nets and RFC1323 impacting firewalls - by: Dan Goldberg (2012-05-15)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute