Message-ID: <35CB87F5.C6F23650@algroup.co.uk>
Date: Sat, 08 Aug 1998 00:04:21 +0100
From: Ben Laurie <ben@algroup.co.uk>
Organization: A.L. Group plc
X-Mailer: Mozilla 4.05 [en] (WinNT; I)
MIME-Version: 1.0
To: "Dag-Erling Coidan Smørgrav" <finrod@EWOX.ORG>
CC: BUGTRAQ@netspace.org, Apache List <new-httpd@apache.org>
Subject: Re: YA Apache DoS attack
References: <861zqspvtw.fsf@niobe.ewox.org>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Dag-Erling Coidan Smørgrav wrote:
> I know that there are many trivial ways of overloading a web server
> (e.g. opening tons of connection to eat up file descriptors and
> process slots), but this one seemed a little extreme, to say the
> least.

This is O(n^2) and therefore a Bad Thing(tm), that I will agree with.

> Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> on 1.3.1. However, there is no mention of this bug in the change log
> for 1.3.1, so I'll assume it's vulnerable.
> 
> BTW, how can the Apache team be stupid enough not to provide a way of
> submitting problem reports by email? If they did, I'd've sent this to
> them first and given them a week, but they don't and I'm too friggin'
> lazy to use their web interface...

security@apache.org

> Here's the 'sploit for the script kiddies. It should compile cleanly
> and work on most Unices. These are the ones I've tested it on:

And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
soon. This (untested) patch should prevent the worst effects. A similar patch
should work for 1.2.x.

Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c     1998/08/06 17:30:30     1.229
+++ http_protocol.c     1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;
 
     /*
      * Read header lines until we get the empty separator line, a read error,
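Review bot: the new counter `int nheaders=0;` carries no comment saying what it bounds, and its spacing does not match the surrounding code, which puts spaces around operators (`len + 1`). Suggest `int nheaders = 0;  /* header lines read so far; bounded below */` so a later reader sees why the variable exists.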
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);
 
+        if(++nheaders == 100) {
+           r->status = HTTP_BAD_REQUEST;
+           return;
+       }
+           
         if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
             r->status = HTTP_BAD_REQUEST;       /* or abort the bad request */
             return;
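Review bot: the limit check sits after the `ap_palloc`/`memcpy` of the field, so the header that trips the limit is still copied into the request pool before the request is rejected; moving `if(++nheaders == 100)` above `char *copy = ap_palloc(r->pool, len + 1);` avoids that needless allocation. The value `100` is also a bare magic number where the file already uses named limits such as `MAX_STRING_LEN`; a `#define` (for example `MAX_HEADER_LINES 100`) would document the intent and make the bound easy to tune. Minor style points in the same hunk: the closing brace is indented one column short of its `if`, the `return;` lines use a different indent from the existing `r->status = HTTP_BAD_REQUEST;` block below, and the added blank line carries trailing whitespace.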

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

WE'RE RECRUITING! http://www.aldigital.co.uk/recruit/
