

[linux-security] Apache bug, eats memory...


Date: Sat, 8 Aug 1998 09:28:01 +0200 (CEST)
From: Jan-Philip Velders <[email protected]>
To: [email protected]
Subject: [linux-security] Apache bug, eats memory...

Hi,

the following pieces of mail came by on BugTraq.
It appears that Apache (1.2.5 and 1.2.6 tested, 1.3 is vulnerable according
to Ben Laurie [Apache member]) doesn't handle the case when there are
a lot (say 10000) of "User-Agent:" headers (other headers could also
work!).

An exploit with source-code was posted on BugTraq.

excerpts from the mail by <[email protected]>:
| There seems to be a simple way of badly DoSing any Apache server. It
| involved a massive memory leak in the way it handles incoming request
| headers. I based my exploit on the assumption that they use setenv()
| (which they don't) and that the bug occurs when you send a header that
| will end up as an environment variable if you request a CGI script
| (such as User-Agent), but I have since verified that there is no
| connection there. Anyway, you can blow Apache through the roof by
| sending it tons of headers - the server's memory consumption seems to
| be a steep polynomial of the amount of data you send it. Below is a
| snapshot of top(1) about one minute after I sent my server a request
| with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
| of data)
|---cut---
| last pid: 29187;  load averages:  1.82,  1.06,  0.68 18:21:36
| 82 processes:  2 running, 80 sleeping
| CPU states: 93.5% user, 0.0% nice, 6.1% system, 0.4% interrupt, 0.0% idle
| Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
| Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
| PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
| 29176 www      -18   0   392M 85612K swread   0:57  6.83%  6.83% httpd
|---cut---

Ben Laurie (team Apache) <[email protected]> responded swiftly:
| And here's a band-aid for 1.3.1 - I'm sure we'll come up with something
| better soon. This (untested) patch should prevent the worst effects. A
| similar patch should work for 1.2.x.

He posted this band-aid:

Index: http_protocol.c

RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.229 diff -u -r1.229 http_protocol.c --- http_protocol.c 1998/08/06 17:30:30 1.229 +++ http_protocol.c 1998/08/07 23:02:56 @@ -714,6 +714,7 @@ int len; char *value; char field[MAX_STRING_LEN]; + int nheaders=0; /* * Read header lines until we get the empty separator line, a read error, @@ -723,6 +724,11 @@ char *copy = ap_palloc(r->pool, len + 1); memcpy(copy, field, len + 1); + if(++nheaders == 100) { + r->status = HTTP_BAD_REQUEST; + return; + } + if (!(value = strchr(copy, ':'))) { /* Find the colon separator */ r->status = HTTP_BAD_REQUEST; /* or abort the bad request */ return;

I think this is worth patching ;-)
No reports so far about people using this in the "wild"...

Greetings,
Jan-Philip Velders <[email protected]>

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
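
Review bot: In the second hunk the limit is the bare literal 100 in "if(++nheaders == 100)", and the test sits after the ap_palloc() and memcpy() of the line, so a request is refused on its 100th header line (99 are accepted) and that line has already been copied into the pool when it is refused. Suggest a named constant with a comment stating the intended maximum, a ">=" comparison so the check still holds if the counter is ever advanced elsewhere, and moving the test above the ap_palloc() call. The refusal also sets the same HTTP_BAD_REQUEST status as the missing-colon case just below it, so a log entry at this point would let an operator tell a header flood from a malformed header.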
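
The cap described in this message, generalized as an added example (not code from Apache or from the original posts): a standalone C check that bounds both the number of header lines and their total size, and refuses the excess line before anything is copied. The function names, the result enum and both limit values are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Both limits are assumptions for this example, not Apache's values. */
#define MAX_HEADER_FIELDS 100    /* header lines accepted per request */
#define MAX_HEADER_BYTES  8192   /* total header bytes accepted per request */

enum hdr_result { HDR_OK, HDR_TOO_MANY, HDR_TOO_LARGE, HDR_MALFORMED };

/* Walk a raw header block (CRLF lines, ended by an empty line); apply both
 * budgets before a caller would copy a line. *count = lines accepted. */
enum hdr_result check_headers(const char *buf, size_t len, size_t *count)
{
    size_t pos = 0, total = 0;
    *count = 0;
    while (pos < len) {
        size_t end = pos;
        while (end + 1 < len && !(buf[end] == '\r' && buf[end + 1] == '\n'))
            end++;
        if (end + 1 >= len)
            return HDR_MALFORMED;            /* line not CRLF-terminated */
        if (end == pos)
            return HDR_OK;                   /* empty separator line */
        if (*count >= MAX_HEADER_FIELDS)
            return HDR_TOO_MANY;             /* refuse before any copy */
        total += end - pos + 2;
        if (total > MAX_HEADER_BYTES)
            return HDR_TOO_LARGE;            /* few but oversized lines */
        if (memchr(buf + pos, ':', end - pos) == NULL)
            return HDR_MALFORMED;            /* no colon separator */
        (*count)++;
        pos = end + 2;
    }
    return HDR_MALFORMED;                    /* separator line never arrived */
}

/* Constructed sample input: n copies of "User-Agent: <value>\r\n" followed
 * by the empty line. Returns bytes written, or 0 if out is too small. */
size_t build_headers(char *out, size_t cap, size_t n, const char *value)
{
    size_t used = 0, vlen = strlen(value), i;
    if (n * (vlen + 14) + 2 > cap) return 0;
    for (i = 0; i < n; i++) {
        memcpy(out + used, "User-Agent: ", 12); used += 12;
        memcpy(out + used, value, vlen);        used += vlen;
        memcpy(out + used, "\r\n", 2);          used += 2;
    }
    memcpy(out + used, "\r\n", 2);
    return used + 2;
}
```

The byte budget covers the case a pure line count misses: a request that stays under the line limit but carries very long values.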
