Re: YA Apache DoS attack

From: Ben Laurie (benat_private)
Date: Fri Aug 07 1998 - 16:04:21 PDT


    Dag-Erling Coidan Smørgrav wrote:
    > I know that there are many trivial ways of overloading a web server
    > (e.g. opening tons of connection to eat up file descriptors and
    > process slots), but this one seemed a little extreme, to say the
    > least.
    
    This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.
    
    > Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
    > on 1.3.1. However, there is no mention of this bug in the change log
    > for 1.3.1, so I'll assume it's vulnerable.
    >
    > BTW, how can the Apache team be stupid enough not to provide a way of
    > submitting problem reports by email? If they did, I'd've sent this to
    > them first and given them a week, but they don't and I'm too friggin'
    > lazy to use their web interface...
    
    securityat_private
    
    > Here's the 'sploit for the script kiddies. It should compile cleanly
    > and work on most Unices. These are the ones I've tested it on:
    
    And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
    soon. This (untested) patch should prevent the worst effects. A similar patch
    should work for 1.2.x.
    
    Index: http_protocol.c
    ===================================================================
    RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
    retrieving revision 1.229
    diff -u -r1.229 http_protocol.c
    --- http_protocol.c     1998/08/06 17:30:30     1.229
    +++ http_protocol.c     1998/08/07 23:02:56
    @@ -714,6 +714,7 @@
         int len;
         char *value;
         char field[MAX_STRING_LEN];
    +    int nheaders=0;
    
         /*
          * Read header lines until we get the empty separator line, a read error,
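Review bot: `int nheaders=0;` should follow the spacing used by the declarations around it (`int nheaders = 0;`), and since the cap of 100 is applied in the following hunk as a bare literal, it would be clearer to introduce it here as a named constant (a `#define` next to the other limits in this file) so the counter and the limit are defined together and the number can be tuned without hunting for it.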
    @@ -723,6 +724,11 @@
             char *copy = ap_palloc(r->pool, len + 1);
             memcpy(copy, field, len + 1);
    
    +        if(++nheaders == 100) {
    +           r->status = HTTP_BAD_REQUEST;
    +           return;
    +       }
    +
             if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
                 r->status = HTTP_BAD_REQUEST;       /* or abort the bad request */
                 return;
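Review bot: the new limit check sits after `ap_palloc(r->pool, len + 1)` and the `memcpy`, so the field that trips the limit is still copied into the request pool before the function returns; moving the `if(++nheaders == 100)` block above the `ap_palloc` line avoids doing any work for a request that is about to be rejected. The rejection is also silent: it sets `HTTP_BAD_REQUEST` without logging, so an administrator whose server is being flooded with header lines has nothing in the error log to notice, and a single log line at the point of rejection would make the condition detectable. `== 100` is safe only because the function returns immediately on the first hit; `>=` would be more robust if the early return is ever removed. Minor style: the closing `}` of the new block is indented seven spaces against the surrounding eight, and `if(` should read `if (` to match the `if (!(value = strchr(copy, ':')))` line directly below.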
    
    Cheers,
    
    Ben.
    
    --
    Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
    Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
    and Technical Director|Email: benat_private |
    A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
    London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
    
    WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
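As an added example, not code from the post or from Apache's own source, here is the same idea as the band-aid written as a stand-alone C scanner for a request's header block: it counts one field per line up to the blank separator, rejects the request once a fixed cap is exceeded (assumed here to be 100, the value the patch uses), and performs that check before any per-field work rather than after the field has already been copied. `count_header_fields`, `probe_header_count` and `MAX_HEADER_FIELDS` are names chosen for this example, and the test input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Maximum number of header fields accepted per request. Assumed value,
 * taken from the 100 used in the band-aid patch in the post. */
#define MAX_HEADER_FIELDS 100

enum hdr_result {
    HDR_OK = 0,            /* blank separator reached within the limit */
    HDR_TOO_MANY = 1,      /* more than MAX_HEADER_FIELDS fields */
    HDR_MALFORMED = 2,     /* a field line has no ':' separator */
    HDR_UNTERMINATED = 3   /* input ended before the blank separator line */
};

/* Scan the header block that follows the request line, counting one field per
 * line until the empty separator line. The count check runs before any
 * per-field work, so an oversized request costs at most MAX_HEADER_FIELDS + 1
 * line scans and no per-field allocation. On HDR_OK, *nfields receives the
 * number of fields seen. */
enum hdr_result count_header_fields(const char *hdrs, int *nfields)
{
    int n = 0;
    const char *p = hdrs;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0 && p[len - 1] == '\r')   /* tolerate CRLF line endings */
            len--;
        if (len == 0) {                      /* blank line: end of headers */
            *nfields = n;
            return HDR_OK;
        }
        if (++n > MAX_HEADER_FIELDS)         /* reject before touching the field */
            return HDR_TOO_MANY;
        if (memchr(p, ':', len) == NULL)     /* no "Name: value" separator */
            return HDR_MALFORMED;
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return HDR_UNTERMINATED;
}

/* Constructed test input: a header block with `count` distinct fields followed
 * by the blank separator. Returns the scanner's verdict, or -1 if the block
 * does not fit the scratch buffer. */
int probe_header_count(int count)
{
    static char buf[16384];
    size_t off = 0;
    int n = 0;

    for (int i = 0; i < count; i++) {
        int w = snprintf(buf + off, sizeof buf - off, "X-Field-%d: v\r\n", i);
        if (w < 0 || (size_t)w >= sizeof buf - off)
            return -1;
        off += (size_t)w;
    }
    if (snprintf(buf + off, sizeof buf - off, "\r\n") >= (int)(sizeof buf - off))
        return -1;
    return (int)count_header_fields(buf, &n);
}

int main(void)
{
    int n = 0;
    printf("100 fields -> %d (HDR_OK is %d)\n", probe_header_count(100), HDR_OK);
    printf("101 fields -> %d (HDR_TOO_MANY is %d)\n", probe_header_count(101), HDR_TOO_MANY);
    printf("missing colon -> %d (HDR_MALFORMED is %d)\n",
           count_header_fields("Host: a\r\nnocolon\r\n\r\n", &n), HDR_MALFORMED);
    return 0;
}
```

The point of the ordering is cost: a request carrying thousands of header lines is bounded to a fixed number of line scans before it is refused, whereas a check made after each field has been copied still pays the allocation for the field that trips the limit.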
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:47 PDT