Re: [Full-disclosure] Apache Killer



I know this topic is OLD but, i just wonder and, also having spoken to kcope
re this myself, discussed the size of each bucket wich can be made to
stupendous amounts and using a different vector, ok, instead of Range:bytes=
, picture a GET request with as was shown in the code is there, you
"Request-Range: bytes=5-,5-69,5-" , now we have bypassed most filters
already in place, and the request range code, is exactly the same as range
code.
Only one person spotted this.

Anyhow, This started about byte= 'stupendous' amount but, in the end there
is a few ways that people are still using this..
remember it does not need any mod_deflate or mod_gzip to function... i have
not tested the method outlined on anything new, but it was pretty nasty on
the old systems wich is now made worse if you set the byterange to a high
amount from start, rather than sending 0- first... you can just avoid it and
stay in the middle and lower it, but the problem can be repeated in some
packages, and im retesting using a simple bit of code called create_conns.c
and modified GET request.
create_conns code is googleable, just google for create_conns.c by n0ah and
you have found that app... you can even try a slowloris app and just send
one packet. Simple enough to recreate this.. as this is not about 'range'
anymore.

Also i found this bypasses the filters set by mod_filter wich were
'suggested' and actually added to part of the fix, or some fix's were based
on this.. i think that maybe a time to look at some modified code of this,
or just setup better traps, better yet, use a patched package, as i do not
*think* these are affected, but dont use any of the quick-fixes is what is
to be learnt from this exploit in a BIG way.
on FreeBSD the httpd on v8.0 was affected so badly, i have never seen a
httpd die so badly, as with a flavor of citrix wich was interesting. Anyhow
moving on...

Anyhow, i know it is old but, i am seeing people still with this problem,
who dont realise that some quick-patches, is NOT the way togo...
I would assume apache have seen that request-Range exists in the same LINE
as range code, does wich is affected, so they would be abit crazy to NOT
patch that.
I do remember one person showing the affected line in wich request-range
was, and i looked it up in my code and bingo, it was same as his example so
i assume request-range would be used in a request form.
A system GET or POST perhaps... anyhow regardless, i just thought of this
and the discussions ive had re this, and think it should be checked 1000% :P
Sorry for those who it annoys but, im a fussy fofo on that side of things,
ie httpd/ftpd MUST be spankin perfect or i dont rest.
Thanks for those who originally and still, help on this topic.
Always, thx to kcope for atleast releasing it so it could be patched. <3
and ofcourse, always my buddies on #haxnet@ef, who help me with these
discussions.
Dos sucks, but hiding from it sucks worse.
cheers to all, and specially for those affected by 9/11,my special regards.
xd / dru
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: installation of Linux ... Newbie completely lost.
    ... > I don't understand the request - if all now goes well, ... Thx every one. ... Wich version of the ... Linux is better than Windows but choosing between Linus Torvald ...
    (alt.os.linux)
  • Re: [Full-disclosure] Apache Killer
    ... Aha this is exactly what me and kcope were discussing, ... wich is alone enough to really reak some havoc on ... a seperate apache attacking script wich was posted but this did not ... have the sufficient pulling power of a request-Range type attack... ...
    (Full-Disclosure)