[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability

Thu Aug 25 17:51:21 EDT 2011

On Aug 25, 3:54 pm, Rich Jordan <jor... at ccs4vms.com> wrote:
> On Aug 25, 11:45 am, John Nebel <john.ne... at csdco.com> wrote:
>
>
>
> > As <http://labs.hoffmanlabs.com/node/1767> indicates, even with
> > mod_deflate shut off, the exploit will affect OpenVMS.
>
> > [root at arethusa ~]# ./kill_apache.plwww.whatever.com
> > host seems vuln
> > ATTACKING whatever [using 500 forks]
>
> > If one adds these to httpd.conf
>
> > LoadModule headers_module       modules/mod_headers.exe
> > RequestHeader unset Range
>
> > [root at arethusa ~]# ./kill_apache.plwww.whatever.com
> > Host does not seem vulnerable
>
> > SWS 2.2 update 1 and 2.1-1 update 2
>
> > John
>
> The links referenced by Hoff's entry on this point out that just
> removing the Range header can block legitimate clients and requests.
> They provide a variant that llows up to 5 ranges but it doesn't work
> on my test system, and according to the Apache docs, it can't actually
> work:
>
> Test box: OpenVMS Alpha V8.3, TCPIP V5.6 ECO 5, CSWS V2.1-1 Update 1.0
>
> # drop Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> With this in my virtual container definition I get the error:
>
> "header unset takes two arguments"
>
> however the docs at Apache seem to imply that with 'unset' you can
> only use one argument (the name of the header to be unset; I don't see
> a way to make the 'unset' conditional on a test or environment
> value.
>
> For the test box it doesn't matter, but for at least one customer (VMS
> I64 V8.3-1H1, same CSWS) I know I can't just drop all range request
> headers because we tested it and it broke some of their functionality.
>
> Any thoughts appreciated.
>
> In the Apache docs, the RequestHeader arguments look like this:
>
> ===========
> V2.0
> RequestHeader set|append|add|unset header [value [env=[!]variable]]
>
> If unset is used then [value] must be left out
>
> When the RequestHeader directive is used with the add, append, or set
> argument, a fourth argument may be used to specify conditions under
> which the action will be taken.   (so no mention of being able to do a
> conditional UNSET)
>
> ===========
> V2.2
> RequestHeader set|append|merge|add|unset|edit header [value]
> [replacement] [early|env=[!]variable]
>
> For unset, no value should be given.
>
> (Note there is no specific mention of the conditional being limited to
> only certain commands in this version).

And another 'scuse me.  I had loaded a test build for a customer demo
on this box that had the non-current SWS installed.  We'll try
upgrading to current before chasing config issues.  Sigh.