Re: [Full-disclosure] Apache Killer

I know this topic is OLD but, i just wonder and, also having spoken to kcope
re this myself, discussed the size of each bucket wich can be made to
stupendous amounts and using a different vector, ok, instead of Range:bytes=
, picture a GET request with as was shown in the code is there, you
"Request-Range: bytes=5-,5-69,5-" , now we have bypassed most filters
already in place, and the request range code, is exactly the same as range
Only one person spotted this.

Anyhow, This started about byte= 'stupendous' amount but, in the end there
is a few ways that people are still using this..
remember it does not need any mod_deflate or mod_gzip to function... i have
not tested the method outlined on anything new, but it was pretty nasty on
the old systems wich is now made worse if you set the byterange to a high
amount from start, rather than sending 0- first... you can just avoid it and
stay in the middle and lower it, but the problem can be repeated in some
packages, and im retesting using a simple bit of code called create_conns.c
and modified GET request.
create_conns code is googleable, just google for create_conns.c by n0ah and
you have found that app... you can even try a slowloris app and just send
one packet. Simple enough to recreate this.. as this is not about 'range'

Also i found this bypasses the filters set by mod_filter wich were
'suggested' and actually added to part of the fix, or some fix's were based
on this.. i think that maybe a time to look at some modified code of this,
or just setup better traps, better yet, use a patched package, as i do not
*think* these are affected, but dont use any of the quick-fixes is what is
to be learnt from this exploit in a BIG way.
on FreeBSD the httpd on v8.0 was affected so badly, i have never seen a
httpd die so badly, as with a flavor of citrix wich was interesting. Anyhow
moving on...

Anyhow, i know it is old but, i am seeing people still with this problem,
who dont realise that some quick-patches, is NOT the way togo...
I would assume apache have seen that request-Range exists in the same LINE
as range code, does wich is affected, so they would be abit crazy to NOT
patch that.
I do remember one person showing the affected line in wich request-range
was, and i looked it up in my code and bingo, it was same as his example so
i assume request-range would be used in a request form.
A system GET or POST perhaps... anyhow regardless, i just thought of this
and the discussions ive had re this, and think it should be checked 1000% :P
Sorry for those who it annoys but, im a fussy fofo on that side of things,
ie httpd/ftpd MUST be spankin perfect or i dont rest.
Thanks for those who originally and still, help on this topic.
Always, thx to kcope for atleast releasing it so it could be patched. <3
and ofcourse, always my buddies on #haxnet@ef, who help me with these
Dos sucks, but hiding from it sucks worse.
cheers to all, and specially for those affected by 9/11,my special regards.
xd / dru
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -