Date: Sat, 8 Aug 1998 09:28:01 +0200 (CEST)
From: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
To: linux-security@redhat.com
Subject: [linux-security] Apache bug, eats memory...
Hi,
the following pieces of mail came by on BugTraq.
It appears that Apache (1.2.5 and 1.2.6 tested, 1.3 is vulnerable according
to Ben Laurie [Apache member]) doesn't handle the case, when there are
a lot (say 10000) of "User-Agent:"-headers. (other headers could also
work!).
An exploit with source-code was posted on BugTraq.
excerpts from the mail by <finrod@EWOX.ORG>:
| There seems to be a simple way of badly DoSing any Apache server. It
| involved a massive memory leak in the way it handles incoming request
| headers. I based my exploit on the assumption that they use setenv()
| (which they don't) and that the bug occurs when you send a header that
| will end up as an environment variable if you request a CGI script
| (such as User-Agent), but I have since verified that there is no
| connection there. Anyway, you can blow Apache through the roof by
| sending it tons of headers - the server's memory consumption seems to
| be a steep polynomial of the amount of data you send it. Below is a
| snapshot of top(1) about one minute after I sent my server a request
| with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
| of data)
|---cut---
| last pid: 29187; load averages: 1.82, 1.06, 0.68 18:21:36
| 82 processes: 2 running, 80 sleeping
| CPU states: 93.5% user, 0.0% nice, 6.1% system, 0.4% interrupt, 0.0% idle
| Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
| Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
| PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
| 29176 www -18 0 392M 85612K swread 0:57 6.83% 6.83% httpd
|---cut---
Ben Laurie (team Apache) <ben@ALGROUP.CO.UK> responded swift:
| And here's a band-aid for 1.3.1 - I'm sure we'll come up with something
| better soon. This (untested) patch should prevent the worst effects. A
| similar patch should work for 1.2.x.
He posted this band-aid:
Index: http_protocol.c
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c 1998/08/06 17:30:30 1.229
+++ http_protocol.c 1998/08/07 23:02:56
@@ -714,6 +714,7 @@
int len;
char *value;
char field[MAX_STRING_LEN];
+ int nheaders=0;
/*
* Read header lines until we get the empty separator line, a read error,
@@ -723,6 +724,11 @@
char *copy = ap_palloc(r->pool, len + 1);
memcpy(copy, field, len + 1);
+ if(++nheaders == 100) {
+ r->status = HTTP_BAD_REQUEST;
+ return;
+ }
+
if (!(value = strchr(copy, ':'))) { /* Find the colon separator */
r->status = HTTP_BAD_REQUEST; /* or abort the bad request */
return;
I think this is worth patching ;-)
No reports so far about people using the is the "wild"...
Greetings,
Jan-Philip Velders
<jpv@jvelders.tn.tudelft.nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
