Web Application Security
Apache Killer - take 2? Jan 19 2012 07:59PM
Damiano Bolzoni (damiano bolzoni utwente nl) (1 replies)
Re: Apache Killer - take 2? Jan 23 2012 01:40PM
Anestis Bechtsoudis (bechtsoudis a gmail com)
On 01/19/2012 09:59 PM, Damiano Bolzoni wrote:
> Hi all,
> today we saw a weird HTTP header in a request that came to a web server
> we are monitoring:
> HEAD /contact HTTP/1.1
> Content-Range: bytes 1-1024/-1
> User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
> Host: www.xyz.nl
> Accept: */*
> The offending IP is not in any blacklist, and the intent is kind of
> clear...the server is Apache, but I have no detailed information about
> the version/patching level. The server went ahead with a simple redirect
> to the default error page.
> Is this just a clumsy way to attempt an overflow of one of the range
> boundaries and replicate the infamous Apache Killer attack?
> cheers

Apache byte-range killer uses many small byte-range chunks in a single
request. So no, your attached request is not related to such an attack.

In the latest Apache stable release (2.2.21), -1 is not a valid
entity-length, resulting in a full-size 200 response (and not a 206
partial content response) despite the requested range.

For a better understanding, take a look at modules/http/byterange_filter.c
in the Apache sources.

I attach a simple Perl PoC to check your web servers in case you have to
deal with outdated versions.


Anestis Bechtsoudis

Network Operation Center,
Laboratory for Computing (LabCom),
Dept. of Computer Engineering & Informatics,
University of Patras, Greece
#!/usr/bin/perl -w
# Written by @anestisb
#
# Sends one HEAD request carrying a multi-range Range header and prints the
# raw reply. Compare the status line: a 206 means the server honoured the
# ranges, a 200 means it ignored them (see the reply above).

use strict;
use IO::Socket;

if ($#ARGV != 0) {
    print "Usage: ./byte_range_check.pl <host> (ex.\n";
    exit 1;
}

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                 Proto    => 'tcp')
    or die "Cannot connect to $ARGV[0]:80: $!\n";

# Assumed placeholder: the Range header is missing from the archived copy,
# so a handful of overlapping ranges is used here; adjust as needed.
my $request = "HEAD / HTTP/1.1\r\n".
              "Host: $ARGV[0]\r\n".
              "Range: bytes=0-1,0-2,0-3,0-4,0-5\r\n".
              "Accept-Encoding: gzip\r\n".
              "Connection: close\r\n".
              "\r\n";

print $sock $request;

# Read the whole response (Connection: close makes the server end it).
my $output = '';
while (my $line = <$sock>) { $output .= $line; }
close($sock);

print $output;



Copyright 2010, SecurityFocus