[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability
Rich Jordan
jordan at ccs4vms.com
Thu Aug 25 17:36:48 EDT 2011
On Aug 25, 4:18 pm, "Martin Vorlaender" <m... at pdv-systeme.de> wrote:
> Rich Jordan <jor... at ccs4vms.com> wrote:
> > John Nebel <john.ne... at csdco.com> wrote:
> >> As <http://labs.hoffmanlabs.com/node/1767> indicates, even with
> >> mod_deflate shut off, the exploit will affect OpenVMS.
>
> >> [root at arethusa ~]# ./kill_apache.pl www.whatever.com
> >> host seems vuln
> >> ATTACKING whatever [using 500 forks]
>
> >> If one adds these to httpd.conf
>
> >> LoadModule headers_module modules/mod_headers.exe
> >> RequestHeader unset Range
>
> >> [root at arethusa ~]# ./kill_apache.pl www.whatever.com
> >> Host does not seem vulnerable
>
> >> SWS 2.2 update 1 and 2.1-1 update 2
>
> > The links referenced by Hoff's entry on this point out that just
> > removing the Range header can block legitimate clients and requests.
> > They provide a variant that allows up to 5 ranges but it doesn't work
> > on my test system, and according to the Apache docs, it can't actually
> > work:
>
> > Test box: OpenVMS Alpha V8.3, TCPIP V5.6 ECO 5, CSWS V2.1-1 Update 1.0
>
> > # drop Range header when more than 5 ranges.
> > # CVE-2011-3192
> > SetEnvIf Range (,.*?){5,} bad-range=1
> > RequestHeader unset Range env=bad-range
>
> > With this in my virtual container definition I get the error:
>
> > "header unset takes two arguments"
>
> [...]
>
> The workaround I use (but haven't tested yet) is
>
> RewriteEngine On
> RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
> RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
> RewriteRule .* - [F]
>
> and
>
> RewriteOptions inherit
>
> for any virtual hosts (in case the rewrite rule is placed in
> the global part of the config).
>
> cf. http://seclists.org/fulldisclosure/2011/Aug/241
>
> cu,
> Martin
> --
> One OS to rule them all | Martin Vorlaender | OpenVMS rules!
> One OS to find them | work: m... at pdv-systeme.de
> One OS to bring them all | http://vms.pdv-systeme.de/users/martinv/
> And in the Darkness bind them.| home: martin.vorlaen... at t-online.de
Yeah I saw the rewrite options but was trying to avoid them; none of
our test or production servers have ever had the mod_rewrite stuff
enabled, I've never used it, and a higher level of validation testing
(than using the RequestHeader option) would be required that there's
just not time for right now.
The RequestHeader option was listed as being for Apache 2.0 and up,
while the rewrite was for V1.3 (and up) but even the 2.2 docs don't
seem to allow for what the workaround is trying to do.
Rich
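
Added example, not part of the original thread: a small Python model of the two workarounds quoted above, run over constructed Range headers, to show which requests each one would affect before either goes into httpd.conf. The function names are hypothetical, and using Python's `re` module as a stand-in for Apache's regex engine is an assumption.

```python
import re

# Regexes copied from the two workarounds quoted in the thread.
SETENVIF_BAD_RANGE = re.compile(r"(,.*?){5,}")      # SetEnvIf Range ... bad-range=1
REWRITE_METHOD = re.compile(r"^(HEAD|GET)", re.I)    # RewriteCond ... [NC]
REWRITE_RANGE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")

def setenvif_variant(range_header):
    """Model 'RequestHeader unset Range env=bad-range': return the Range
    value that reaches the handler (None means absent or dropped)."""
    if range_header and SETENVIF_BAD_RANGE.search(range_header):
        return None
    return range_header

def rewrite_variant(method, range_header):
    """Model the RewriteCond pair plus 'RewriteRule .* - [F]': return 403
    when both conditions match, otherwise None (request proceeds)."""
    if REWRITE_METHOD.search(method) and REWRITE_RANGE.search(range_header or ""):
        return 403
    return None

# Constructed sample requests (method, Range header); not captured traffic.
SAMPLES = [
    ("GET", None),                                         # no Range header
    ("GET", "bytes=0-499"),                                # one range
    ("GET", "bytes=0-99,200-299"),                         # two ranges
    ("GET", "bytes=0-9, 20-29, 40-49, 60-69, 80-89"),      # five ranges
    ("GET", "bytes=0-9,20-29,40-49,60-69,80-89,100-109"),  # six ranges
    ("POST", "bytes=0-99,200-299"),                        # method not HEAD/GET
]

def compare(samples=SAMPLES):
    """Return (method, header, setenvif_drops_range, rewrite_status) rows."""
    rows = []
    for method, header in samples:
        dropped = header is not None and setenvif_variant(header) is None
        rows.append((method, header, dropped, rewrite_variant(method, header)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In this model the SetEnvIf variant leaves requests with up to five ranges untouched, while the rewrite variant answers 403 to any GET or HEAD carrying two or more ranges.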