Thursday, September 29, 2011

CVE-2011-3192 - Apache Killer DoS Vulnerability and Patch

The byterange filter in Apache HTTP Server versions prior to 2.2.20 allows remote attackers to cause a denial of service (DoS) through memory and CPU consumption. The flaw was exploited in the wild in August 2011.

A patch for this vulnerability was released by Apache last week. Before the official patch was available, several workarounds were suggested and discussed to mitigate the problem.

Apache's official mitigation guidance (https://httpd.apache.org/security/CVE-2011-3192.txt) is quoted below. Web administrators who run Apache HTTP Server are advised to apply the patch as soon as possible.


Mitigation:
===========

There are several immediate options to mitigate this issue until a full fix
is available. Below examples handle both the 'Range' and the legacy
'Request-Range' with various levels of care.

Note that 'Request-Range' is a legacy name dating back to Netscape Navigator
2-3 and MSIE 3. Depending on your user community - it is likely that you
can use option '3' safely for this older 'Request-Range'.

0) Consult http://httpd.apache.org/security/CVE-2011-3192.txt for the most
   recent information (as this is the final advisory).

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
   either ignore the Range: header or reject the request.

   Option 1: (Apache 2.2, requires mod_setenvif and mod_headers)

          # Drop the Range header when more than 5 ranges.
          # CVE-2011-3192
          SetEnvIf Range (?:,.*?){5,5} bad-range=1
          RequestHeader unset Range env=bad-range

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          #
          RequestHeader unset Request-Range

          # optional logging.
          CustomLog logs/range-CVE-2011-3192.log common env=bad-range

   Above may not work for all configurations. In particular situations
   mod_cache and (language) modules may act before the 'unset'
   is executed during the 'fixup' phase.

   Option 2: (Pre 2.2, requires mod_rewrite and mod_headers)

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
          RewriteRule .* - [F]

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          #
          RequestHeader unset Request-Range

   The number 5 is arbitrary. Several tens should not be an issue and may be
   required for sites which, for example, serve PDFs to very high end eReaders
   or use things such as complex HTTP based video streaming.

   WARNING These directives need to be specified in every configured
   vhost, or inherited from server context as described in:
   http://httpd.apache.org/docs/current/mod/mod_rewrite.html#vhosts

2) Use mod_headers to completely disallow the use of Range headers:

          RequestHeader unset Range

   Note that this may break certain clients - such as those used for
   e-Readers and progressive/http-streaming video.

   Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific
   legacy header - add:

          RequestHeader unset Request-Range

   Unlike the commonly used 'Range' header - dropping the 'Request-Range'
   is not likely to affect many clients.

4) Deploy a Range header count module as a temporary stopgap measure.

   A stop-gap module which is runtime-configurable can be found at:

     http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/

   A simpler stop-gap module which requires compile-time configuration
   is also available:

     http://people.apache.org/~dirkx/mod_rangecnt.c
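As an added illustration (not part of the Apache advisory or of this post), the following Python mirrors what the Option 1 and Option 2 rule sets quoted above do: it applies the advisory's own SetEnvIf and RewriteCond regular expressions to a Range header, cross-checks them against a structural count of RFC 2616 byte-range-specs, drops the legacy Request-Range header unconditionally, and reports whether the mod_rewrite rule would answer 403. The sample headers at the bottom are constructed for the demonstration.

```python
import re

# Regexes copied from the two configuration options quoted in the advisory.
# Option 1 (SetEnvIf): five commas means at least six ranges -> bad-range=1.
SETENVIF_BAD_RANGE = re.compile(r"(?:,.*?){5,5}")
# Option 2 (RewriteCond): allowed only if Range is empty or carries 1..5 ranges.
REWRITE_OK_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$", re.IGNORECASE)
MAX_RANGES = 5  # the advisory's (arbitrary) threshold

def count_byte_ranges(range_header):
    """Count RFC 2616 byte-range-specs in a 'Range: bytes=...' value; -1 if malformed."""
    unit, sep, spec_list = range_header.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return -1
    specs = [s.strip() for s in spec_list.split(",")]
    for spec in specs:
        # first-last, first- (open ended) or -suffix_length
        if not re.fullmatch(r"\d+-\d*|-\d+", spec):
            return -1
    return len(specs)

def filter_request_headers(headers, max_ranges=MAX_RANGES):
    """Mimic Option 1: drop Range when it has too many ranges, always drop Request-Range."""
    # Returns (kept_headers, dropped_header_names). A malformed Range value with
    # few commas is kept: Apache's byterange filter ignores what it cannot parse.
    kept, dropped = {}, []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "request-range":            # legacy header, unconditionally removed
            dropped.append(name)
        elif lname == "range" and (SETENVIF_BAD_RANGE.search(value)
                                   or count_byte_ranges(value) > max_ranges):
            dropped.append(name)                # this is the request CustomLog would record
        else:
            kept[name] = value
    return kept, dropped

def rewrite_would_reject(range_value):
    """Mimic Option 2: the RewriteRule answers 403 unless the RewriteCond pattern matches."""
    return REWRITE_OK_RANGE.search(range_value) is None

if __name__ == "__main__":
    # Constructed sample headers: a normal resume request and one carrying 50 ranges.
    normal = {"Host": "www.example.com", "Range": "bytes=500-999", "Request-Range": "bytes=500-999"}
    many = {"Host": "www.example.com", "Range": "bytes=" + ",".join("%d-%d" % (i, i) for i in range(50))}
    for h in (normal, many):
        kept, dropped = filter_request_headers(h)
        print("kept:", kept, "dropped:", dropped, "rewrite rejects:", rewrite_would_reject(h["Range"]))
```

Both rule sets agree at the boundary: a header with exactly five ranges passes, a sixth range trips the SetEnvIf regex and fails the RewriteCond pattern.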



Exploit:
For study and research purposes, source code for this vulnerability can be obtained from "CVE-2011-3192 (“Apache Killer”) Exploit in Ruby", "Apache HTTP Server Byte Range DoS Manual Check", and the PoC exploit code published on Exploit-db.com.



