[TOOL] Blowchunks - Protecting Existing Apache Servers Until Upgrades Arrive

From: support@securiteam.com
Date: 06/23/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 23 Jun 2002 20:56:44 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Blowchunks - Protecting Existing Apache Servers Until Upgrades Arrive
------------------------------------------------------------------------

DETAILS

Many sysadmins will be in the unpleasant situation of having to live with
a known vulnerable apache server (or switching it off) until they can
obtain, test and integrate updated apache binaries for their various
platforms from different vendors, or make enough time to sit down and
patch, re-compile and test their homegrown versions.

Some vendors have been very fast to respond and have back-ported the fix
to many older apache releases, helping avoid many issues that a forced
upgrade might involve. Other vendors supplying apache and apache-based
servers may not be so quick off the mark (or may not even be around
anymore). Homegrown releases may also be similarly outdated, and back
porting is tedious.

Because apache is so great, and has had a history of very few serious
security bugs, older versions are embedded in a wide variety of products
and systems, making it even more problematic to update all of them to the
latest release in a timely manner.

Here is an option that might help in protecting those vulnerable servers,
giving a breathing space until a proper tested fix does become available:
Most web sites and applications have no need for chunked transfer encoding
on HTTP "request" messages. Most browsers do not even support it, and it
is only *required* when a client does not know the final length of a file
before an upload (which is rare). Disallowing such requests should be no
big deal.

Attached are two versions of code that let the server intercept each
incoming HTTP request (at the 'Post Read Request' phase) and check whether
chunked encoding has been requested. If so, the request is denied and
logged. This should prevent clients from triggering the vulnerable 'chunk
size' reading code, and therefore prevent DoS or exploits.

 * BlowChunks.pl - this version is for mod_perl enabled servers - if you
have a server with mod_perl already in place, this patch is trivial to
install. Just paste it into the end of your existing httpd.conf, and
restart. All done. Very Easy.

 * mod_blowchunks.c - this version is an apache module. If your apache is
compiled with DSO support (run httpd -l and look for mod_so), you can
compile and install this module with just one apxs command (and a
compiler!), and restart. Should be straightforward for most
administrators.

Both methods offer the advantage of not needing to touch your existing
apache binary (or any other modules), and can be trivially reverted if you
have any trouble, or when your real fix is ready. This should work on any
platform with either mod_perl or DSO support. If your apache is static,
without DSO, you could re-compile it with this module included, but then
you might as well just fix it properly.

Tool code:
# $Id: BlowChunks.pl,v 1.4 2002/06/22 05:27:33 cbailiff Exp $
#
# Reject chunked requests before vulnerable chunking routines can read them.
# (mod_perl version)
#
# Cris Bailiff, c.bailiff+blowchunks@devsecure.com - http://www.awayweb.com
# http://www.devsecure.com/pub/src/BlowChunks.pl
#
# Copyright 2002 Cris Bailiff. All rights reserved.
#
# Permission is granted to anyone to use this software for any purpose on
# any computer system, and to alter it and redistribute it, subject
# to the following restrictions:
#
# 1. The author is not responsible for the consequences of use of this
# software, no matter how awful, even if they arise from flaws in it.
#
# 2. The origin of this software must not be misrepresented, either by
# explicit claim or by omission.
#
# 3. Altered versions must be plainly marked as such, and must not be
# misrepresented as being the original software.
#
# 4. This notice may not be removed or altered.
#
# To install in your mod_perl enabled server, copy the code below into
# your httpd.conf file (at the end is best), or read this file into
# your configuration using an 'Include' statement, and restart httpd.
#
# You need mod_perl with support for PerlPostReadRequestHandler
# and <perl> sections. You have these if your mod_perl was configured
# using EVERYTHING=1, which is typical.
#
# (Permission is granted to leave these comments out of your httpd.conf file :-)
# but please use this original version if passing along...)
#
# --cut-here---

<perl>
# blowchunks for mod_perl
# $Id: BlowChunks.pl,v 1.4 2002/06/22 05:27:33 cbailiff Exp $
# Deny requests using Transfer-Encoding: chunked
#
sub Awayweb::BlowChunks::handler {
  my $r = shift;    # the Apache request object
  # Collect every Transfer-Encoding header value (a request may carry more
  # than one) and deny if 'chunked' appears anywhere, case-insensitively.
  if (join('',$r->headers_in->get('Transfer-Encoding'))
        =~ m/chunked/i)
  {
      $r->log->warn('Transfer-Encoding: chunked - denied and logged');
      return 400;   # HTTP_BAD_REQUEST: rejected before any body is read
  }
  return 0;         # OK: not chunked, let the request proceed
}
</perl>
# Run the handler at the post-read-request phase, before any body handling
PerlPostReadRequestHandler Awayweb::BlowChunks

/*
 * $Id: mod_blowchunks.c,v 1.3 2002/06/22 05:27:33 cbailiff Exp $
 *
 * Reject chunked requests before vulnerable chunking routines can read them.
 * (apache module version)
 *
 * Cris Bailiff, c.bailiff+blowchunks@devsecure.com - http://www.awayweb.com
 * http://www.devsecure.com/pub/src/mod_blowchunks.c
 *
 * Copyright 2002 Cris Bailiff. All rights reserved.
 *
 * Permission is granted to anyone to use this software for any purpose on
 * any computer system, and to alter it and redistribute it, subject
 * to the following restrictions:
 *
 * 1. The author is not responsible for the consequences of use of this
 * software, no matter how awful, even if they arise from flaws in it.
 *
 * 2. The origin of this software must not be misrepresented, either by
 * explicit claim or by omission.
 *
 * 3. Altered versions must be plainly marked as such, and must not be
 * misrepresented as being the original software.
 *
 * 4. This notice may not be removed or altered.
 *
 * To compile & install in your apache (using apxs):
 *
 * # /usr/sbin/apxs -i -a -c mod_blowchunks.c
 *
 * and restart. Read the apxs(8) man page for more info on compiling apache
 * modules.
 */

#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_protocol.h"

module MODULE_VAR_EXPORT blowchunks_module;

/*
 * ap_table_do() callback, invoked once per Transfer-Encoding header value.
 * Sets *data to TRUE and stops the walk (by returning FALSE) as soon as a
 * value whose last token is "chunked" is seen.
 */
static int blowchunks_check_one_header(void *data, const char *key,
                                       const char *val)
{
    if (ap_find_last_token(NULL, val, "chunked")) {
        *((int *)data) = TRUE;
        return FALSE;   /* found: stop iterating */
    }
    return TRUE;        /* keep looking at any further values */
}

/*
 * post_read_request hook: runs once the request line and headers are in,
 * before any module touches the body, so the chunk-size reading code is
 * never reached for a denied request.
 */
static int blowchunks_post_read_request(request_rec *r)
{
    int found = FALSE;
    ap_table_do(blowchunks_check_one_header, &found, r->headers_in,
                "Transfer-Encoding", NULL);
    if (found == TRUE) {
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                      "Transfer-Encoding: chunked - denied and logged");
        return HTTP_BAD_REQUEST;
    }
    return DECLINED;    /* not chunked: let the request continue normally */
}

module MODULE_VAR_EXPORT blowchunks_module =
{
    STANDARD_MODULE_STUFF,
    /* no config, commands, content handlers or other phase hooks: */
    NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
    NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
#if MODULE_MAGIC_NUMBER >= 19970902
    blowchunks_post_read_request    /* the only hook this module installs */
#else
#error Your apache is too old to have the post_read_request module hook
#endif
};
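To see exactly which requests the two listings above accept and deny, here is a stand-alone Python model of both checks run over a handful of constructed requests. It is an added example, not the advisory's code. It parses only the head of a raw HTTP/1.x request (all that the post-read-request phase has seen), collects every Transfer-Encoding header, and returns the status each version would return. find_last_token() is a Python re-statement of the test ap_find_last_token() performs in the C module (is the token the last one in the value, i.e. at the start or after a space or comma); the mod_perl version instead matches the substring "chunked" anywhere in the joined values. The sample requests are constructed for the example, not captured traffic.

```python
"""Model of the check both BlowChunks versions make, over constructed requests.

Added example, not the advisory's code. The functions mirror the decision
logic of mod_blowchunks.c (last-token match) and BlowChunks.pl (substring
match) so that the behaviour of each can be compared on the same input.
"""

from typing import Dict, List, Tuple

HTTP_BAD_REQUEST = 400
DECLINED = -1      # Apache's "not handled here, carry on" status
OK = 0


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (request_line, [(name, value), ...]) for the header block.

    Header names are lower-cased, as Apache's table lookups are
    case-insensitive. Anything after the blank line (the body) is ignored,
    which is the point of deciding at post-read-request time.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def find_last_token(value: str, tok: str) -> bool:
    """Python re-statement of the ap_find_last_token() test: value ends with
    tok (case-insensitively) and tok starts the value or follows ' ' or ','."""
    start = len(value) - len(tok)
    if start < 0:
        return False
    if start > 0 and value[start - 1] not in " ,":
        return False
    return value[start:].lower() == tok.lower()


def transfer_encodings(raw: bytes) -> List[str]:
    """All Transfer-Encoding values, one entry per header line."""
    _, headers = parse_request_head(raw)
    return [value for name, value in headers if name == "transfer-encoding"]


def blowchunks_c(raw: bytes) -> int:
    """mod_blowchunks.c: deny if any value has 'chunked' as its last token."""
    for value in transfer_encodings(raw):
        if find_last_token(value, "chunked"):
            return HTTP_BAD_REQUEST
    return DECLINED


def blowchunks_perl(raw: bytes) -> int:
    """BlowChunks.pl: join all values and deny if 'chunked' appears anywhere."""
    joined = "".join(transfer_encodings(raw))
    return HTTP_BAD_REQUEST if "chunked" in joined.lower() else OK


# Constructed sample requests (not captured traffic); bodies are kept tiny.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "plain_get":
        b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "content_length_post":
        b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Content-Length: 5\r\n\r\nhello",
    "chunked_post":
        b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "mixed_case":
        b"POST / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"transfer-encoding: CHUNKED\r\n\r\n0\r\n\r\n",
    "gzip_then_chunked":
        b"POST / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n",
    "two_header_lines":
        b"POST / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Transfer-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "chunked_not_last":
        b"POST / HTTP/1.1\r\nHost: www.example.com\r\n"
        b"Transfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n",
}


def decide_all() -> Dict[str, Tuple[int, int]]:
    """Map each sample name to (C module status, mod_perl status)."""
    return {name: (blowchunks_c(raw), blowchunks_perl(raw))
            for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (c_status, perl_status) in decide_all().items():
        print("%-20s C: %4d  mod_perl: %4d" % (name, c_status, perl_status))
```

Both versions deny the plain chunked POST, the upper-case variant, a "gzip, chunked" list and a request that carries two Transfer-Encoding lines, and both leave a GET or a Content-Length POST untouched. They differ only on a value such as "chunked, gzip", where chunked is not the last coding listed: the C module declines to act on it while the mod_perl handler still rejects it. After installing either version, sending the same small chunked POST to your own server and confirming a 400 response plus the "denied and logged" line in the error log is a reasonable check that the hook is active.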

ADDITIONAL INFORMATION

The information has been provided by
<mailto:c.bailiff+bugtraq@devsecure.com> Cris Bailiff.
