Apache Warns Web Server Admins of DoS Attack Tool

CWmike writes "Developers of the Apache open-source project warned users of the Web server software on Wednesday that a denial-of-service (DoS) tool is circulating that exploits a bug in the program. 'Apache Killer' showed up last Friday in a post to the 'Full Disclosure' security mailing list. The Apache project said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours. All versions in the 1.3 and 2.0 lines are said to be vulnerable to attack. The group no longer supports the older Apache 1.3. 'The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server,' Apache said in an advisory. The bug is not new. Michal Zalewski, a security engineer who works for Google, pointed out that he had brought up the DoS exploitability of Apache more than four-and-a-half years ago. In lieu of a fix, Apache offered steps administrators can take to defend their Web servers until a patch is available."

Re:Apache is too bloated

[Monoecus]

Yes, that's why I use Hiawatha.

Someone should have attended Secure Codeing 101

[gweihir]

Algorithmic complexity attacks (of which this is an example) are nothing new. They have been done on really bad sorting algorithms (quick sort, which is still defended by quite a few people that simply do not get it or are not bright enough to implement the alternatives) and are today employed, e.g., against hash-tables. Libraries/languages by people with a clue (e.g. LUA), have protection against that. Others do not.

Writing secure code is a bit harder than writing merely working code. I guess people have to find that out over and over again....

Re:Someone should have attended Secure Codeing 101

[Narcocide]

This might be informative.

Re:Someone should have attended Secure Codeing 101

[Narcocide]

Alright, fair enough. Maybe you already know this but just for the benefit of the other readers: Quicksort is just fine if you can trust the data is generally randomized in order. The problem is primarily that it accomplishes this speedup by making the unsafe assumption that this is the case, meaning its really easy to dramatically increase the processing time required for a given sort by giving it data in certain specific patterns - such as reverse order or almost completely reverse order. It generally considered a BAD idea to use quicksort on things like public services where the users can directly affect the order of the data passed to it.

Re:Someone should have attended Secure Codeing 101

[zippthorne]

Who recommends quick sort for anything? It's got a bad, O(N^2) degenerate case that's been known about.. since the development of the algorithm.

It's my understanding that merge sort or merge/insertion hybrids are typically used generally, as merge has O(N*log N) for all inputs, and is stable, while insertion can be extremely fast for short lists (but is not appropriate for large lists, as it's also O(N^2)). Other sorts might be chosen if the data is known in advance to have favorable properties for them.

Quick sort's main use is for CS101 courses, to give you something that is relatively easy to understand, implement, and analyze, and which can be easily compared with the other CS101 sort technique, bubble sort.

Re:Someone should have attended Secure Codeing 101

[micheas]

I guess it depends on how many bits you have to implement your sort in.

If you are cramming the sort into less than 8bytes speed will take a back seat. If you can use gigabytes of memory you implement do a much faster more memory intensive sort.

Re:Someone should have attended Secure Codeing 101

[BitHive]

Sadly, idiots (of which the the folks that codeed Apache are an example) nothing new. Their mediocrity has long suffocated us bright folk, many of whom are too timid to call these people what they are: pathetic failures. Others, like yourself, are not.

Achieving perfection is a bit harder than merely rewriting flawed code. I guess people have to experience humiliation over and over again...

Re:Someone should have attended Secure Codeing 101

[maxwell+demon]

There are still people who didn't switch to introsort?

Re:Someone should have attended Secure Codeing 101

[IDK]

Not only that, but quicksort is faster on average sized inputs, which is what you work with most times.
Low complexity doesn't equal speed.

Re:Someone should have attended Secure Codeing 101

[gbjbaanb]

considering the poor choice of a response, you should have checked your links. first one is "why quicksort sucks" that goes on to explain why a *modified* quicksort algorithm posted on wikipedia is not better than the original quicksort algorithm.

3rd link is "why java sucks", and down on the first page is "why .net sucks".

If you want to explain issues with an algorithm like that - say what it is, rather than posting a snide lmgtfy link that is wrong for the problem at hand.

So far it seems to me that the problem with quicksort is in the data provided to it, that in some cases can increase the complexity of the solution exponentially. But to say that means quiicksort sucks is like saying hammers suck because you might hit your thumb.

Re:Someone should have attended Secure Codeing 101

[LordLimecat]

Cant comment on quicksort since its been years since I was in a CS class, but none of those google results indicate that quicksort sucks.

Usually you want your LMGTFY to show clear examples that make your case, and none of those links do.

Re:Someone should have attended Secure Codeing 101

[Unequivocal]

This is a joke right?

Re:Someone should have attended Secure Codeing 101

[BitHive]

Someone should have attended Spotting Sarcasm 101.

Re:Someone should have attended Secure Codeing 101

[Unequivocal]

:) I had to ask. On /. it's not as easy as I would like to tell..

Quickfix

[pasv]

http://www.gossamer-threads.com/lists/apache/dev/401638 -- someone has got a patch. Keep those fast moving script kittens at bay

If this was IIS

[bonch]

Imagine the anti-Microsoft shitstorm around here if this was an IIS attack tool.

Re:If this was IIS

The patch has taken 4.5 years. If we have to wait for someone to start exploiting vulnerabilities before we are allowed to get a patch then I don't care how fast those patches come it is a major fail.

Re:If this was IIS

[LordLimecat]

None of these justify the reaction that IIS would have gotten.

Slashdot is vulnerable...

[CajunArson]

All versions in the 1.3 and 2.0 lines are said to be vulnerable to attack. The group no longer supports the older Apache 1.3.

Since Slashdot is still stuck in the late '90's with a thin veneer of bad javascript, over apache 1.3 it's vulnerable... and no patch either.

Re:Slashdot is vulnerable...

[CajunArson]

Oh and before you say that Malda & crew will do a deep code analysis of the 1.3 branch and fixit themselves:
              1. They're STILL RUNNING 1.3!!
              2. Slashcode... QED.

Re:Slashdot is vulnerable...

[antdude]

So someone could use this exploit and take /. down. :(

Re:Slashdot is vulnerable...

[gl4ss]

maybe they patched it. or maybe they filter the vuln. before it hits apache, it seems that it's just about asking for a large number of ranges in a head request.

Re:Slashdot is vulnerable...

[Briareos]

3. No more Malda.

Re:Apache is too bloated

[MechaStreisand]

Really? Apache has 200+ failed unit tests that are just ignored?

They're not even close to comparable. Apache has served me very well. My server is not even vulnerable to this as I don't have mod_deflate loaded or compiled. (I tested using the kill script.)

A quick summary

[rabtech]

A quick summary: A client can use byte range requests that are overlapping and/or duplicated to use a single small request to overload the server. eg: 0-,0-,0- would request the entire contents of the file three times. YMMV but this has to do with how Apache handles the multipart responses consuming memory and isn't an actual bandwidth DoS.

Unfortunately there are legit reasons for allowing out-of-order ranges and multiple ranges, such as a PDF reader requesting the header, then skipping to the end of the file for the index, then using ranges to request specific pages. Another example was a streaming movie skipping forward by grabbing byte ranges to look for i-frames without downloading the entire file.

So the fix discussion centers on when to ignore a range request, when can you merge ranges, can you re-order them, can you reject overlapping ranges and how much do they need to overlap, etc. The consensus seems to be that first you merge adjacent ranges, then if too many ranges are left OR too many duplicated bytes are requested then the request skips the multi-part handling and just does a straight up 200 OK stream of the whole file or throws back a 416 (can't satisfy multipart request).

Re:A quick summary

[sonamchauhan]

Shouldn't the fix just be that Apache calculate the _total_ size requested by the client, and if that crosses some definable limit, knock back the request with a HTTP 4xx response ( "client demands too much" ) or a 5xx error ("we're not google") (if it wants to be polite)

Re:A quick summary

Worse than that... even requesting a lot of small ranges can overload the server. The example code (iirc) requested the range 5-,5-0,5-1,5-2,5-3,5-4...5-1299 repeatedly. The real killer though is accept-encoding gzip, which causes Apache to try to zip all of those tiny ranges. That's really what kills the server.

Re:A quick summary

[PiSkyHi]

Or one could gather range requests and create a merge list with no repeats and Apache should only keep 1 copy in memory, maybe if they have too many repeated requests for overlapping ranges the error could be "I'm sorry, could you repeat that please?"

Re:Apache is too bloated

The link in the blurb claiming to point to the advisory from Apache isn't correct.

The actual advisory from Apache notes that mod_deflate's presence is orthogonal (irrelevant) to the exploitability of this issue.

The correct link:

http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E

Re:nginx has its problems, too.

[Ice+Station+Zebra]

Welcome to 2011, not running CGI scripts is a feature (and a good one at that).

Re:Apache is too bloated

[MechaStreisand]

Regardless, my server isn't vulnerable - that's all I care about.

Not that bad

[Evets]

I read the advisory, chose a course of action, then it took about a minute to make my server not vulnerable. It's great that they made the disclosure.

Re:Not that bad

[Onymous+Coward]

In more detail...

Some of the suggestions from the Full Disclosure discussion and elsewhere:

• using mod_rewrite to forbid multiple ranges
• another rewrite
• another rewrite, "more efficient"
• using mod_headers to remove Range requests
• Snort filtering
• byterange_filter.c patch
• unsubscribe request from clueless Sudanese agricultural banker
• reference to RFC hints at better solution to come

Re:Not that bad

[Onymous+Coward]

Oh, and -- sorry -- Apache security advisory.

test your vulnerability

You can do a quick test with something like this:

/bin/echo -en "HEAD / HTTP/1.1\r\nHost:localhost\r\nRange:bytes=0-,$(perl -e 'for ($i=1;$i<1300;$i++) { print "5-$i,"; }')5-1300\r\nAccept-Encoding:gzip\r\nConnection:close\r\n\r\n" | nc localhost 80

If you're vulnerable, you should see a really ridiculously long Content-Length header, like 900k or so.

Disabling mod_deflate or the equivalent prevents this behavior, but it's not clear that there isn't another exploit waiting to happen. A super quick fix is to kill the Range header entirely using mod_header, like so

RequestHeader unset Range

in your apache.conf or moral equivalent. For the most part, you can get away with not serving Range headers, and if you can't, you know it and don't need my advice on fixing this.

Re:test your vulnerability

[Noodlenoggin]

Just to add on to this, if your web server doesn't accept requests addressed to localhost or the ip address with a rewrite rule or for some other reason, then you may need to add in the hostname for that query rather than just using localhost for the headers.

eg: echo -en "HEAD / HTTP/1.1\r\nHost:www.mydomainname.com\r\nRange:bytes=0-,$(perl -e 'for ($i=1;$i<1300;$i++) { print "5-$i,"; }')5-1300\r\nAccept-Encoding:gzip\r\nConnection:close\r\n\r\n" | nc localhost 80


A couple of my servers have Limit options set with a deny from all to the base htdocs folder, therefore only allowing virtual hosts to supply content and not the base host itself.
Sending 'localhost' as the header would return a 403 Forbidden with no mention of the Content-Length at all, even though the server was vulnerable.

Re:test your vulnerability

[rabtech]

Just wanted to point out that this does *not* depend on mod_deflate or mod_gzip. That makes the problem worse, but it is the fact that Apache sets up a lot of internal data structures to handle the "metadata" of the multi-part request. Even with compression disabled, you can still easily overload the server with comparatively fewer requests because you're asking Apache to setup thousands and thousands of multi-part buckets for each single HTTP request. It doesn't take very many requests to bring everything to a standstill.

Re:nginx has its problems, too.

[LordLimecat]

using chroot/jails/containers/zones

Not being a Linux guru, I thought I had heard repeatedly "Chroots do NOT provide security"? Cant someone who pulls off a privelege escalation escape the chroot?

Re:nginx has its problems, too.

[maxwell+demon]

What about running CGI scripts on a separate virtual machine from the rest of the system? Basically set up a separate web server on that, and have all CGI scripts be executed from there. For access to shared resources, have a "gate keeper" process (or module in the web server) running on the original host which can give out one-time passwords which are then passed onto the script, and which the script can then use to access the resources through that gate keeper. The gate keeper can have a detailed knowledge about what each script is allowed to access, and block any other request. I'm not sure if this would be feasible performance-wise, but I think it would make quite a secure system. Indeed, the script server could mount all file systems readonly (you could even remove the write capability from the file system driver if you're paranoid enough), because you don't need to change the scripts from within the scripts (installing the scripts would be done from the host system or another virtual machine). That way, even if someone managed to hijack a script, the worst he could do is to mess with those things the specific script is allowed to access (because the gate keeper knows which script was called, and won't allow any other access). Unless the attacker additionally finds a security hole in the gate keeper process, of course. As an additional bonus, the scripts would not need to have the database password (the gate keeper would have it), so even if the script server was completely hacked, the database password would still not leak.

Thanks!

[thomassabo2011]

I think Apache is just like all the other projects that grow too big ! The jewelry store, welcome to go and have a look .

Touchpads?

[Mikachu]

When I saw the headline, I thought Apache was going to warn retailers about selling HP touchpads...

mod_evasive ?

[slydder]

has anyone noticed if mod_evasive disarms/mitigates this attack vector?

Re:nginx has its problems, too.

[silanea]

And people call Apache bloated. Right.

Re:nginx has its problems, too.

[ArsenneLupin]

Cant someone who pulls off a privelege escalation escape the chroot?

Yes, he can. Basically, the trick is to do another chroot to a subdirectory, but without doing the chdir. So now the attacker is in a situation where the current directory is above the root. Here he can keep doing chdir(".."); until he reaches the real root, and then all he needs to do is chroot(".");.

What's worse, this exploit is due to the way how chroot is spec'ed, thus it can't really be fixed by the kernel.

So yes, you can escape a chroot jail if you've got root. However, the point of the chroot jail is to prevent attackers from gaining root in the first place, by confining them to a minimal and more controllable environment which has no spare crowbars lying around.

Moreover, other confinements, such as BSD jails, containers or zones may not have the problem outlined above.

How to test it against HTTPS?

[Swampcritter]

Exploit code and ways of testing the vulnerability seem to be addressed towards HTTP. Has anyone tested it against HTTPS yet?

Re:How to test it against HTTPS?

[TheNinjaroach]

HTTPS is still HTTP. There's just an SSL layer in between. If you want to interact with some HTTPS server, try using OpenSSL with the s_client option.

Vulnerability first reported in 2007

[Skuto]

With the bug first reported over 4.5 years ago, this was entirely avoidable.

http://seclists.org/bugtraq/2007/Jan/83

Indexes

[brabo_sd]

FY, Options -indexes on /var/www made my boxes safe against this attack.

Re:Apache is too bloated

[X0563511]

Lets not forget that being a proper admin and having Apache locked down by, for example, some SELinux policies... it's kind of a tough nut to break.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:nginx has its problems, too.

[X0563511]

A proper SELinux (or AppArmor, I'd imagine) policy would also serve to confine them in their box.

Recommended webserver for WSGI Python apps?

[Just+Some+Guy]

Since we're discussing Apache anyway... I've used Apache for over a decade now. Right now I'm working on a Pyramid app and publishing it with mod_wsgi on Apache 2.2, for no other reason than that I'm already familiar with Apache. Since this is a brand new project and will be running on its own dedicated server - and therefore doesn't have play nicely with any pre-existing web apps - I wanted to re-evaluate my decision. If you needed to publish a WSGI app today, what server would you use and why?

Re:nginx has its problems, too.

[overlordofmu]

Do not reply to the AC trolls, please.

Although, your comment was quite damn funny.

Confisusion..

[iridium213]

So...

"... and said it would release a fix for Apache 2.0 and 2.2 in the next 48 hours."
...
"... According to Apache, all versions in the 1.3 and 2.0 lines are vulnerable to attack."

So dropping support for 1.3 I understand (EOL etc), but fixing 2.2 event though it isn't reported as vulnerable? which is it?

Re:Confisusion..

[geminidomino]

I figured it was two different points. The first being that they'd release a fix for 2.x, and the other a less than subtle "Update your goddamn software!" reminder.

Re:nginx has its problems, too.

[Seyedkevin]

Web servers run without root privileges so that the server isn't capable of doing overtly harmful things but you can still modify things that the web server is supposed to modify. That is, it can still mess it up.

If you want to give scripts a separately isolated area, you can use this: http://httpd.apache.org/docs/2.0/suexec.html File system permissions takes over from here.

I don't know too much about SQL servers, but couldn't you probably use kerberos or something instead of directly using database passwords?

4 .5 years before they do something....

[hesaigo999ca]

I am glad they finally got to it, but if apache had told their bank that there was an issue with their account , I am sure they would have wanted their bank to do something right away about it, and not 4.5 years ago....you just have to hit them where it hurts...ddos their banks, not their servers.....

Re:nginx has its problems, too.

[badkarmadayaccount]

Or, OpenVZ containers.