[7577] in bugtraq
Re: YA Apache DoS attack
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Aug 7 21:11:34 1998
Date: Sat, 8 Aug 1998 00:04:21 +0100
Reply-To: Ben Laurie <ben@ALGROUP.CO.UK>
From: Ben Laurie <ben@ALGROUP.CO.UK>
X-To: Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG>
To: BUGTRAQ@NETSPACE.ORG
Dag-Erling Coidan Sm=F8rgrav wrote:
> I know that there are many trivial ways of overloading a web server
> (e.g. opening tons of connection to eat up file descriptors and
> process slots), but this one seemed a little extreme, to say the
> least.
This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.
> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> on 1.3.1. However, there is no mention of this bug in the change log
> for 1.3.1, so I'll assume it's vulnerable.
>
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...
security@apache.org
> Here's the 'sploit for the script kiddies. It should compile cleanly
> and work on most Unices. These are the ones I've tested it on:
And here's a band-aid for 1.3.1 - I'm sure we'll come up with something=
better
soon. This (untested) patch should prevent the worst effects. A similar=
patch
should work for 1.2.x.
Index: http_protocol.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c 1998/08/06 17:30:30 1.229
+++ http_protocol.c 1998/08/07 23:02:56
@@ -714,6 +714,7 @@
int len;
char *value;
char field[MAX_STRING_LEN];
+ int nheaders=3D0;
/*
* Read header lines until we get the empty separator line, a read=
error,
@@ -723,6 +724,11 @@
char *copy =3D ap_palloc(r->pool, len + 1);
memcpy(copy, field, len + 1);
+ if(++nheaders =3D=3D 100) {
+ r->status =3D HTTP_BAD_REQUEST;
+ return;
+ }
+
if (!(value =3D strchr(copy, ':'))) { /* Find the colon se=
parator */
r->status =3D HTTP_BAD_REQUEST; /* or abort the bad =
request */
return;
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache/
WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
