Range request flaw in all versions of apache

dan

I'm sure you've probably all heard by now about the Range header flaw that causes Apache to eat up all system memory and swap, and then start killing processes, essentially rendering the target system useless.

There have been many discussions about how to mitigate this attack (as it *is* being used!) until Apache comes out with a new version.

I've just tried installing one of the suggested mitigation techniques, which works a treat.

Basically, here's what you need to do:

Code:
mkdir mod_rangecnt
cd mod_rangecnt
wget http://people.apache.org/~dirkx/mod_rangecnt.c   # fetch the module source
apxs -c mod_rangecnt.c                                 # compile it into a DSO (produces mod_rangecnt.la)
apxs -i -a mod_rangecnt.la                             # install into the modules dir and add the LoadModule line
apachectl restart                                      # reload so the new module is active

Simply enabling this module will prevent Apache from responding to those requests, and it writes a message to Apache's error log like the following:

Code:
[Sat Aug 27 03:43:45 2011] [warn] [client x.x.x.x] Rejected on a Range: header with more than 5 ranges (has 1301)

Since there is no official fix for this flaw yet (it has existed since at least Apache 1.3 came to be), it's strongly suggested you install this module. Anyone using DA who has installed their LAMP stack with custombuild (which should be all of you!): this should work for you.

Dan
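As an added example (not part of Dan's post and not mod_rangecnt code), here is a small Python triage script for the error-log message quoted above. It parses the rejection lines, aggregates them per client, and flags clients that are being rejected repeatedly with very long Range lists, which is what separates a sustained attack from a one-off odd client. The log lines embedded in it are constructed, and the thresholds are assumptions to tune for your own traffic.

```python
"""Triage of mod_rangecnt rejections from the Apache error log.

Added illustration, not part of the original post or of mod_rangecnt.
It parses lines shaped like the one quoted in the thread and reports,
per client, how many requests were rejected and the largest range count
seen.  SAMPLE_LOG is constructed for this example; the thresholds in
summarize() are assumptions.
"""
import re
from collections import defaultdict

# Shape of the mod_rangecnt warning as it appears in the thread.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[warn\] \[client (?P<ip>[^\]]+)\] "
    r"Rejected on a Range: header with more than (?P<limit>\d+) ranges "
    r"\(has (?P<n>\d+)\)$"
)

# Constructed sample: one client hammering with 1301-range headers, one
# client tripping the limit once, and an unrelated line to be ignored.
SAMPLE_LOG = """\
[Sat Aug 27 03:43:45 2011] [warn] [client 198.51.100.7] Rejected on a Range: header with more than 5 ranges (has 1301)
[Sat Aug 27 03:43:45 2011] [warn] [client 198.51.100.7] Rejected on a Range: header with more than 5 ranges (has 1301)
[Sat Aug 27 03:43:46 2011] [notice] child pid 8467 exit signal Segmentation fault (11)
[Sat Aug 27 03:43:47 2011] [warn] [client 203.0.113.9] Rejected on a Range: header with more than 5 ranges (has 6)
[Sat Aug 27 03:43:48 2011] [warn] [client 198.51.100.7] Rejected on a Range: header with more than 5 ranges (has 1301)
"""


def parse_rejections(log_text: str):
    """Return (timestamp, client, range_count) for each rejection line;
    every other error-log line is skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            hits.append((m["ts"], m["ip"], int(m["n"])))
    return hits


def summarize(log_text: str, min_hits: int = 2, min_ranges: int = 100) -> dict:
    """Per-client totals, keeping only clients rejected at least min_hits
    times with a header of at least min_ranges ranges (both assumed
    thresholds).  Each record carries hit count, largest range count and
    the first/last timestamps seen, enough to raise a block or a ticket."""
    per_ip = defaultdict(lambda: {"hits": 0, "max_ranges": 0, "first": None, "last": None})
    for ts, ip, n in parse_rejections(log_text):
        rec = per_ip[ip]
        rec["hits"] += 1
        rec["max_ranges"] = max(rec["max_ranges"], n)
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    return {ip: rec for ip, rec in per_ip.items()
            if rec["hits"] >= min_hits and rec["max_ranges"] >= min_ranges}


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec)
```

Feed it the real file with something like `summarize(open("/var/log/httpd/error_log").read())`; the second client in the sample (six ranges, one hit) is deliberately below both thresholds so that legitimate multi-range downloads do not get flagged.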
 
Dan:

Isn't it necessary to make a change to the Apache configuration?

From man apxs (manpagez.com):
apxs is a tool for building and installing extension modules for the Apache HyperText Transfer Protocol (HTTP) server. This is achieved by building a dynamic shared object (DSO) from one or more source or object files which then can be loaded into the Apache server under run-time via the LoadModule directive from mod_so.

Jeff
 
Code:
apxs -i -a mod_rangecnt.la

(taken from said man page):

-i This indicates the installation operation and installs one or more dynamically shared objects into the server's modules directory.

-a This activates the module by automatically adding a corresponding LoadModule line to Apache's httpd.conf configuration file, or by enabling it if it already exists.

Bottom line: apxs does the config change for you.
 
No, agreed. There are a few ways of mitigating the issue; mod_rangecnt is one of them. The point of my post was simply to inform that this method works, that it works on DA servers compiled and built with custombuild without any hassle at all, and that the bunch of commands in my first post is all that's needed to get it downloaded, compiled, installed and activated.

If you want to try the other methods, by all means go ahead. Post back and let us all know how well they work.
 
Thanks, Dan. I should have read further. Please post again in a few days and let us know if you've had any problems.

Thanks.

Jeff
 
Thank you, Dan! However, I will gamble and wait for Apache to release version 2.2.20, which fixes this. It should happen any time now!

Here is the newest announcement: Advisory: Range header DoS vulnerability Apache HTTPD 1.3/2.x (CVE-2011-3192) (posted Fri, 26 Aug, 10:35), where at the bottom they say this:

A patch or new Apache release for Apache 2.0 and 2.2 is expected
in the next 24 hours.

Also, it seems very close to a new Apache 2.2.20 release when you look at the changelog on svn.apache.org: http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES

Changes with Apache 2.2.20

*) SECURITY: CVE-2011-3192 (cve.mitre.org)
core: Fix handling of byte-range requests to use less memory, to avoid
denial of service. If the sum of all ranges in a request is larger than
the original file, ignore the ranges and send the complete file.
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]

*) mod_authnz_ldap: If the LDAP server returns constraint violation,
don't treat this as an error but as "auth denied". [Stefan Fritsch]

*) mod_filter: Fix FilterProvider conditions of type "resp=" (response
headers) for CGI. [Joe Orton, Rainer Jung]

*) mod_reqtimeout: Fix a timed out connection going into the keep-alive
state after a timeout when discarding a request body. PR 51103.
[Stefan Fritsch]

*) core: Do the hook sorting earlier so that the hooks are properly sorted
for the pre_config hook and during parsing the config. [Stefan Fritsch]

So my conclusion is that Apache 2.2.20 will be released very soon, and I will gamble that there is no DDoS on my servers until then. :)
 
if you want to try the other methods, by all means, go ahead. post back and let us all know how well they work.

I took the "lowest energy" method and simply added

Code:
SetEnvIf Range (,.*?){15,} bad-range=1
RequestHeader unset Range env=bad-range

at the top of my httpd.conf, and will gamble as well until the final solution is published by Apache and installable in DA.
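The three mitigations in this thread (mod_rangecnt's range-count limit from Dan's first post, the SetEnvIf comma rule just above, and the Apache 2.2.20 rule from the quoted CHANGES entry) are easy to confuse, so here is an added Python illustration of what each one decides for a given Range header. It is not Apache, mod_rangecnt or the published proof-of-concept code: the thresholds, the byte-range parser, the `response_plan` helper and the constructed attack header are this example's own assumptions, written to the wording quoted in the thread. It also shows why the flaw hurts: `requested_bytes` is the body size a pre-fix server would assemble for a header full of overlapping ranges.

```python
"""Range-header handling for the CVE-2011-3192 mitigations discussed in this
thread: mod_rangecnt's range-count limit, the SetEnvIf comma rule, and the
Apache 2.2.20 "sum of ranges larger than the file" rule.

Added illustration, not Apache, mod_rangecnt or killapache code.  The
threshold constants, the byte-range parser and the sample headers are this
example's own assumptions, written to the CHANGES text quoted in the thread.
"""
import re

MAX_RANGES = 5                               # assumed, from the "more than 5 ranges" log line
SETENVIF_RULE = re.compile(r"(,.*?){15,}")   # the regex from the SetEnvIf post, verbatim


def count_ranges(range_header: str) -> int:
    """Number of comma-separated range specs, counted on the raw header the
    way a filter that runs before parsing (mod_rangecnt, assumed) sees it."""
    _, _, specs = range_header.partition("=")
    return sum(1 for s in specs.split(",") if s.strip())


def mod_rangecnt_rejects(range_header: str) -> bool:
    """Reject the request outright when the list is longer than MAX_RANGES."""
    return count_ranges(range_header) > MAX_RANGES


def setenvif_strips(range_header: str) -> bool:
    """True when 'SetEnvIf Range (,.*?){15,} bad-range=1' would match, i.e.
    RequestHeader would unset Range and the file would be served whole."""
    return SETENVIF_RULE.search(range_header) is not None


def parse_byte_ranges(range_header: str, file_size: int):
    """Turn 'bytes=a-b,c-,-d' into (start, end) pairs clipped to the file.
    Unsatisfiable specs (start past EOF, or start > end) are dropped.
    Returns None when the unit is not 'bytes', which a server may ignore."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", range_header)
    if not m:
        return None
    out = []
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep:
            continue
        if first == "" and last.isdigit():                  # suffix range: -d
            n = int(last)
            if n > 0 and file_size > 0:
                out.append((max(0, file_size - n), file_size - 1))
        elif first.isdigit() and (last == "" or last.isdigit()):
            start = int(first)
            end = file_size - 1 if last == "" else min(int(last), file_size - 1)
            if start <= end:
                out.append((start, end))
    return out


def response_plan(range_header: str, file_size: int) -> dict:
    """What the server would have to produce.  'requested_bytes' is the body
    a pre-2.2.20 Apache would assemble in memory; 'decision' applies the
    2.2.20 rule: more bytes than the file itself => send the whole file."""
    ranges = parse_byte_ranges(range_header, file_size)
    if ranges is None:                                   # unknown unit: ignore header
        return {"decision": "full-file", "ranges": 0, "requested_bytes": file_size}
    if not ranges:                                       # nothing satisfiable
        return {"decision": "416", "ranges": 0, "requested_bytes": 0}
    requested = sum(end - start + 1 for start, end in ranges)
    decision = "full-file" if requested > file_size else "ranges"
    return {"decision": decision, "ranges": len(ranges), "requested_bytes": requested}


def overlapping_ranges_header(n: int) -> str:
    """Constructed header in the shape of the circulating proof of concept:
    one tiny range followed by n-1 overlapping ranges that all start at 5."""
    return "bytes=0-0," + ",".join(f"5-{i}" for i in range(1, n))


if __name__ == "__main__":
    attack = overlapping_ranges_header(1301)   # 1301 ranges, as in the error-log line above
    print(count_ranges(attack), mod_rangecnt_rejects(attack), setenvif_strips(attack))
    print(response_plan(attack, 100_000))      # 840457 bytes for a 100 kB file
    print(response_plan("bytes=0-99,200-299", 100_000))
```

The two header-level rules never look at the file: mod_rangecnt rejects anything over five ranges, and the SetEnvIf rule strips the header at fifteen commas, so a legitimate client asking for six pieces of a file gets different treatment under each. The 2.2.20 rule is the only one that still honours a short, sane multi-range request while collapsing the overlapping case to a single full-file response.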
 
So my conclusion is that Apache 2.2.20 will be released very soon, and I will gamble that there is no ddos on my servers until then.

I'm surprised it's taking them much longer than they originally estimated, considering they said 24 hours on the 26th, and here we are, almost the 30th!
 
I have Apache 2.2.20 installed (shortly after it was released).
The same problem as you described is happening right now for the second time today.
Apache suddenly eats all the memory, and the server crashes shortly after.
Had to power off and power on.

Maybe it isn't fixed, or a new vulnerability has been discovered in this release?

Code:
top - 13:51:40 up 15 min,  1 user,  load average: 9.16, 2.90, 1.34
Tasks: 199 total,   1 running, 198 sleeping,   0 stopped,   0 zombie
Cpu0  :  5.4%us,  3.0%sy,  0.0%ni,  1.0%id, 90.6%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu1  :  3.0%us,  7.7%sy,  0.0%ni,  0.0%id, 86.6%wa,  1.0%hi,  1.7%si,  0.0%st
Mem:   4034868k total,  4010504k used,    24364k free,     1524k buffers
Swap:  2031608k total,  1121732k used,   909876k free,    39228k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 8467 apache    18   0 4293m 3.1g 4696 D 11.0 80.8   0:12.98 /usr/sbin/httpd -k start -DSSL

I don't know where to look in the logs for clues.


-----

Or could this be triggered via PHP?
I have seen that the ini_set function has not been disabled.
Is it possible for a PHP script using all memory to crash the server
using ini_set('memory_limit', -1)?
Suhosin is not installed.
 