On 01/19/2012 09:59 PM, Damiano Bolzoni wrote:
> Hi all,
> today we saw a weird HTTP header in a request that came to a web server
> we are monitoring:
>
> HEAD /contact HTTP/1.1
> Content-Range: bytes 1-1024/-1
> User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
> Host: www.xyz.nl
> Accept: */*
>
>
> The offending IP is not in any blacklist, and the intent is kind of
> clear...the server is Apache, but I have no detailed information about
> the version/patching level. The server went ahead with a simple redirect
> to the default error page.
>
> Is this just a clumsy way to attempt an overflow of one of the range
> boundaries and replicate the infamous Apache Killer attack?
>
> cheers
>
Apache byte-range killer uses many small byte-range chunks in a single
request. So no, your attached request is not related to such an attack.
At the latest Apache stable release (2.2.21), -1 is not a valid
entity-length, resulting in a full-size 200 response (and not a 206
partial content response) despite the requested range.
For a better understanding, take a look at modules/http/byterange_filter.c
in the Apache sources.
I attach a simple Perl PoC to check your web servers in case you have to
deal with outdated versions.
Regards,
Anestis
--
Anestis Bechtsoudis
Network Operation Center,
Laboratory for Computing (LabCom),
Dept. of Computer Engineering & Informatics,
University of Patras, Greece
#!/usr/bin/perl -w
# Written by @anestisb
use strict;
use IO::Socket;

# Expects exactly one argument: the host to check.
if ($#ARGV != 0) {
    print "Usage: ./byte_range_check.pl <host> (ex. 127.0.0.1)\n";
    exit;
}

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                 Proto    => 'tcp')
    or die "Cannot connect to $ARGV[0]:80: $@\n";

# Range request carrying a "/-1" entity-length suffix like the one in the
# original post. A server that rejects the suffix answers with a full-size
# 200 instead of a 206 partial content response.
my $request = "HEAD / HTTP/1.1\r\n".
              "Host: $ARGV[0]\r\n".
              "Range:bytes=0-12/-1\r\n".
              "Accept-Encoding: gzip\r\n".
              "Connection: close\r\n".
              "\r\n";
print $sock $request;

# Read the response headers until the server closes the connection.
my $output = '';
while (my $line = <$sock>) { $output .= $line; }
close $sock;
print $output;
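As an added defensive example (not part of the original thread or of the PoC above), the following Python check parses the Range and Content-Range headers of a raw request and reports the anomalies the reply distinguishes: a Content-Range header on a request (as in the quoted HEAD), an entity-length suffix inside a Range value (as in the PoC's probe), and a request carrying many byte-ranges (the byte-range killer pattern). The 200-range threshold and all sample requests other than the quoted one are assumptions constructed for this example; it generalizes to any raw HTTP/1.1 request text.

```python
import re
from dataclasses import dataclass, field

# Assumed threshold for this example (not from the original post): more
# byte-ranges than this in one request is treated as the "many small
# byte-range chunks" pattern the reply associates with the range killer.
MAX_RANGES = 200

# One byte-range-spec: "first-last", "first-" or "-suffix_length".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


@dataclass
class RangeVerdict:
    ranges: list = field(default_factory=list)    # parsed (first, last) pairs
    findings: list = field(default_factory=list)  # human-readable anomalies


def parse_request(raw):
    """Split a raw HTTP/1.1 request into its request line and a header dict.

    Header names are lower-cased; a repeated header keeps the last value.
    """
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze_range_request(raw):
    """Return a RangeVerdict describing range-related anomalies in a request."""
    _, headers = parse_request(raw)
    verdict = RangeVerdict()

    # Content-Range describes a body; on a bodiless HEAD request, as in the
    # post's example, it has no meaning and is worth flagging.
    if "content-range" in headers:
        verdict.findings.append("Content-Range header on a request")

    rng = headers.get("range")
    if rng is None:
        return verdict

    unit, sep, specs = rng.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        verdict.findings.append("Range header without a bytes= unit")
        return verdict

    # A Range value never carries the "/entity-length" suffix that
    # Content-Range does; "bytes=0-12/-1" is the PoC's malformed form.
    if "/" in specs:
        verdict.findings.append("entity-length suffix in Range value")
        specs = specs.split("/", 1)[0]

    for spec in specs.split(","):
        spec = spec.strip()
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            verdict.findings.append(f"malformed byte-range-spec {spec!r}")
            continue
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            verdict.findings.append(f"unsatisfiable byte-range-spec {spec!r}")
            continue
        verdict.ranges.append((first, last))

    if len(verdict.ranges) > MAX_RANGES:
        verdict.findings.append(
            f"{len(verdict.ranges)} byte-ranges in one request (limit {MAX_RANGES})")
    return verdict


# Constructed sample requests: the one quoted in the post, the PoC's probe,
# a benign partial download and a synthetic many-ranges request.
SAMPLES = {
    "post": ("HEAD /contact HTTP/1.1\r\n"
             "Content-Range: bytes 1-1024/-1\r\n"
             "Host: www.xyz.nl\r\n\r\n"),
    "poc": ("HEAD / HTTP/1.1\r\n"
            "Host: 127.0.0.1\r\n"
            "Range:bytes=0-12/-1\r\n"
            "Connection: close\r\n\r\n"),
    "benign": "GET /file.iso HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-499\r\n\r\n",
    "many": ("GET / HTTP/1.1\r\nHost: example.test\r\nRange: bytes="
             + ",".join(f"{i}-{i + 1}" for i in range(300)) + "\r\n\r\n"),
}


def findings_by_sample():
    """Map each sample name to the list of anomalies found in it."""
    return {name: analyze_range_request(raw).findings for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in findings_by_sample().items():
        print(f"{name:7s} -> {found or ['no range anomalies']}")
```

Run it without arguments to see the four verdicts; in practice the same function would be fed request headers from an access log or a reverse proxy hook, and only the many-ranges finding is the one that points at the byte-range killer, which is the distinction the reply draws.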
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------