Apache2 is still Range header DoS vulnerable if gzip compression is enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apache2 (Ubuntu) | Invalid | High | Steve Beattie |
Bug Description
Today I've upgraded my Apache2 packages from version 2.2.14-5ubuntu8.4 to 2.2.14-5ubuntu8.6 on the Ubuntu Lucid 10.04 LTS boxes we use here. It seems that the WWW server is still vulnerable to the Range header DoS (CVE-2011-3192) if I have gzip compression enabled.
This is the result of my testing with compression disabled:
```
root@server:~# ls /etc/apache2/
deflate.conf
deflate.load
root@server:~#
root@server:~# grep gzip /etc/apache2/
SetEnv no-gzip
root@server:~#
ptecza@laptop:~$ perl killapache.pl my.server.pl
Host does not seem vulnerable
ptecza@laptop:~$
ptecza@laptop:~$ telnet my.server.pl www
Trying 11.22.33.44...
Connected to my.server.pl.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: my.server.pl
Range:bytes=0-100
Accept-Encoding: gzip
Connection: close
HTTP/1.1 200 OK
Date: Fri, 02 Sep 2011 12:58:33 GMT
Server: Apache
Set-Cookie: FSESSIONID=m; path=/; domain=
X-Powered-By: PHP/5.3.
Set-Cookie: e9231db0fb41e22
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Thu, 02-Sep-2010 12:58:35 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Thu, 02-Sep-2010 12:58:35 GMT; path=/
Set-Cookie: jfcookie[
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 02 Sep 2011 12:58:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Connection closed by foreign host.
ptecza@laptop:~$
```
And below you can see the result with compression enabled:
```
root@server:~# grep gzip /etc/apache2/
##SetEnv no-gzip
root@server:~#
ptecza@laptop:~$ perl killapache.pl my.server.pl
host seems vuln
ptecza@laptop:~$
ptecza@laptop:~$ telnet my.server.pl www
Trying 11.22.33.44...
Connected to my.server.pl.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: my.server.pl
Range:bytes=0-100
Accept-Encoding: gzip
Connection: close
HTTP/1.1 206 Partial Content
Date: Fri, 02 Sep 2011 13:14:31 GMT
Server: Apache
Set-Cookie: FSESSIONID=m; path=/; domain=
X-Powered-By: PHP/5.3.
Set-Cookie: e9231db0fb41e22
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: lang=deleted; expires=Thu, 02-Sep-2010 13:14:31 GMT; path=/
Set-Cookie: jfcookie=deleted; expires=Thu, 02-Sep-2010 13:14:31 GMT; path=/
Set-Cookie: jfcookie[
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Fri, 02 Sep 2011 13:14:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Range: bytes 0-19/20
Content-Length: 20
Connection: close
Content-Type: text/html; charset=utf-8
Connection closed by foreign host.
ptecza@laptop:~$
```
CVE References

CVE-2011-3192

Changed in apache2 (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Hi Paweł,
Thanks for taking the time to report this issue.
First off, killapache.pl's testapache() function for whether the host is vulnerable is not very accurate; all it tests is whether apache returns 206 Partial Content when given the byte range of '0-'. In our update, we included the upstream commit http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1163833 which returns a 206 on that byte range because Debian had a bug report http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825 of a client breaking when 200 was returned for that exact byte range.
Second, I'm unable to reproduce the difference in behavior that you're seeing when gzip compression is enabled or disabled; with a stock setup, my attempts look like:
```
$ dpkg -l apache2-mpm-prefork | tail -1
ii apache2-mpm-prefork 2.2.14-5ubuntu8.6
$ apache2ctl -t -D DUMP_MODULES |grep deflate
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Syntax OK
deflate_module (shared)
# ask for gzip encoding
$ nc localhost 80
HEAD / HTTP/1.1
Host: localhost
Range:bytes=0-100
Accept-Encoding: gzip
Connection: close
HTTP/1.1 206 Partial Content
Date: Sat, 03 Sep 2011 00:04:37 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
ETag: "482db-b1-4abd003eaae6f"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Range: bytes 0-100/146
Content-Length: 101
Connection: close
Content-Type: text/html
# no gzip encoding
$ nc localhost 80
HEAD / HTTP/1.1
Host: localhost
Range:bytes=0-100
Connection: close
HTTP/1.1 206 Partial Content
Date: Sat, 03 Sep 2011 00:05:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
ETag: "482db-b1-4abd003eaae6f"
Accept-Ranges: bytes
Content-Length: 101
Vary: Accept-Encoding
Content-Range: bytes 0-100/177
Connection: close
Content-Type: text/html
# disable gzip encoding
$ sudo a2dismod deflate
Module deflate disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!
$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
 ...done.
$ apache2ctl -t -D DUMP_MODULES |grep deflate
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Syntax OK
# ask for gzip encoding; shouldn't get it
$ nc localhost 80
HEAD / HTTP/1.1
Host: localhost
Range:bytes=0-100
Accept-Encoding: gzip
Connection: close
HTTP/1.1 206 Partial Content
Date: Sat, 03 Sep 2011 00:07:27 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
ETag: "482db-b1-4abd003eaae6f"
Accept-Ranges: bytes
Content-Length: 101
Content-Range: bytes 0-100/177
Connection: close
Content-Type: text/html
# don't ask for gzip encoding
$ nc localhost 80
HEAD / ...
```
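The comment above makes a point worth having in code: a 206 Partial Content answer to a single `Range: bytes=0-100` (or `0-`) is ordinary HTTP and says nothing about CVE-2011-3192, whereas the pattern behind that CVE is one Range header carrying many, typically overlapping, byte ranges. The following Python is an added example written for this page, not code from the bug report, from killapache.pl or from Apache: it parses a Range header value, resolves it against a body length the way a server would, and classifies it for log review. The `max_ranges=5` threshold and the `SAMPLE_REQUESTS` data are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example for this bug thread; not code from the report, from killapache.pl
# or from Apache. Thresholds and sample data are assumptions.

BYTES_RANGE_SET = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)

# (first, last): first is None for the suffix form "-N", last is None for "N-"
ByteRange = Tuple[Optional[int], Optional[int]]


def parse_range(value: str) -> List[ByteRange]:
    """Parse an HTTP/1.1 Range header value; raise ValueError if malformed."""
    m = BYTES_RANGE_SET.match(value)
    if not m:
        raise ValueError("not a bytes range set: %r" % value)
    ranges: List[ByteRange] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue  # RFC 2616 tolerates empty list elements
        first, sep, last = spec.partition("-")
        if not sep or (first == "" and last == ""):
            raise ValueError("bad byte-range-spec: %r" % spec)
        f = int(first) if first else None  # int() raises ValueError on junk
        l = int(last) if last else None
        if f is not None and l is not None and l < f:
            raise ValueError("last-byte-pos before first-byte-pos in %r" % spec)
        ranges.append((f, l))
    return ranges


def resolve(ranges: List[ByteRange], content_length: int) -> List[Tuple[int, int]]:
    """Clamp parsed ranges to a body of content_length bytes the way a server
    would; unsatisfiable ranges are dropped instead of raising."""
    out: List[Tuple[int, int]] = []
    for f, l in ranges:
        if f is None:  # suffix form: the last l bytes
            if l == 0:
                continue
            out.append((max(0, content_length - l), content_length - 1))
        elif f < content_length:
            end = content_length - 1 if l is None else min(l, content_length - 1)
            out.append((f, end))
    return out


def bytes_served(intervals: List[Tuple[int, int]]) -> int:
    """Bytes a multipart/byteranges reply would carry. Overlapping bytes are
    counted every time they occur, which is the amplification behind this CVE."""
    return sum(end - start + 1 for start, end in intervals)


def has_overlap(intervals: List[Tuple[int, int]]) -> bool:
    ordered = sorted(intervals)
    return any(ordered[i][1] >= ordered[i + 1][0] for i in range(len(ordered) - 1))


def assess(value: str, content_length: int, max_ranges: int = 5) -> Dict[str, object]:
    """Classify one Range header value as invalid, benign or suspicious.

    max_ranges=5 is an assumption (chosen to match the range count the Apache
    project's interim SetEnvIf workaround keyed on); tune it to your traffic.
    """
    try:
        ranges = parse_range(value)
    except ValueError as exc:
        return {"verdict": "invalid", "ranges": 0, "overlap": False,
                "bytes_served": 0, "reason": str(exc)}
    intervals = resolve(ranges, content_length)
    served = bytes_served(intervals)
    overlap = has_overlap(intervals)
    if len(ranges) == 1:
        # A 206 to one range is the behaviour r1163833 restored; not an indicator.
        verdict, reason = "benign", "single range"
    elif len(ranges) >= max_ranges or overlap:
        verdict = "suspicious"
        reason = "%d ranges%s" % (len(ranges), ", overlapping" if overlap else "")
    else:
        verdict, reason = "benign", "few, non-overlapping ranges"
    return {"verdict": verdict, "ranges": len(ranges), "overlap": overlap,
            "bytes_served": served, "reason": reason}


# Constructed sample: (client, Range header value) pairs as a log parser might yield.
SAMPLE_REQUESTS = [
    ("10.0.0.1", "bytes=0-100"),                          # the probe used in the thread
    ("10.0.0.2", "bytes=0-99,100-199"),                   # two disjoint ranges
    ("10.0.0.3", "bytes=0-,0-1,0-2,0-3,0-4,0-5,0-6,0-7"),  # many overlapping ranges
    ("10.0.0.4", "bytes=100-50"),                         # malformed
]


def flagged(requests=SAMPLE_REQUESTS, content_length: int = 177) -> List[Tuple[str, str]]:
    """Return (client, verdict) for every request that is not benign."""
    result = []
    for client, value in requests:
        verdict = str(assess(value, content_length)["verdict"])
        if verdict != "benign":
            result.append((client, verdict))
    return result


if __name__ == "__main__":
    for client, value in SAMPLE_REQUESTS:
        print(client, value, assess(value, 177))
```

`content_length=177` is the size of the default page in the comment above (`Content-Range: bytes 0-100/177`); run against real logs, it should come from the response's own total length. Note that the single-range probe used by killapache.pl lands in the `benign` bucket by design, which is exactly why its "host seems vuln" verdict is not evidence of anything.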