Comment 1 for bug 839569

Hi Paweł,

Thanks for taking the time to report this issue.

First off, killapache.pl's testapache() function for whether the host is vulnerable is not very accurate; all it tests is whether apache returns 206 Partial Content when given the byte range of '0-'. In our update, we included the upstream commit
http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1163833 which returns a 206 on that byte range because debian had a bug report http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825 of a client breaking when 200 was returned for that exact byte range.

Second, I'm unable to reproduce the difference in behavior that you're seeing when gzip compression is enabled or disabled; with a stock setup, my attempts look like:

  $ dpkg -l apache2-mpm-prefork | tail -1
  ii apache2-mpm-prefork 2.2.14-5ubuntu8.6

  $ apache2ctl -t -D DUMP_MODULES |grep deflate
  apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
  Syntax OK
   deflate_module (shared)

  # ask for gzip encoding
  $ nc localhost 80
  HEAD / HTTP/1.1
  Host: localhost
  Range:bytes=0-100
  Accept-Encoding: gzip
  Connection: close

  HTTP/1.1 206 Partial Content
  Date: Sat, 03 Sep 2011 00:04:37 GMT
  Server: Apache/2.2.14 (Ubuntu)
  Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
  ETag: "482db-b1-4abd003eaae6f"
  Accept-Ranges: bytes
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Range: bytes 0-100/146
  Content-Length: 101
  Connection: close
  Content-Type: text/html

  # no gzip encoding
  $ nc localhost 80
  HEAD / HTTP/1.1
  Host: localhost
  Range:bytes=0-100
  Connection: close

  HTTP/1.1 206 Partial Content
  Date: Sat, 03 Sep 2011 00:05:26 GMT
  Server: Apache/2.2.14 (Ubuntu)
  Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
  ETag: "482db-b1-4abd003eaae6f"
  Accept-Ranges: bytes
  Content-Length: 101
  Vary: Accept-Encoding
  Content-Range: bytes 0-100/177
  Connection: close
  Content-Type: text/html

  # disable gzip encoding
  $ sudo a2dismod deflate
  Module deflate disabled.
  Run '/etc/init.d/apache2 restart' to activate new configuration!
  $ sudo /etc/init.d/apache2 restart
   * Restarting web server apache2
  apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
   ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
     ...done.
  $ apache2ctl -t -D DUMP_MODULES |grep deflate
  apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
  Syntax OK

  # ask for gzip encoding; shouldn't get it
  $ nc localhost 80
  HEAD / HTTP/1.1
  Host: localhost
  Range:bytes=0-100
  Accept-Encoding: gzip
  Connection: close

  HTTP/1.1 206 Partial Content
  Date: Sat, 03 Sep 2011 00:07:27 GMT
  Server: Apache/2.2.14 (Ubuntu)
  Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
  ETag: "482db-b1-4abd003eaae6f"
  Accept-Ranges: bytes
  Content-Length: 101
  Content-Range: bytes 0-100/177
  Connection: close
  Content-Type: text/html

  # don't ask for gzip encoding
  $ nc localhost 80
  HEAD / HTTP/1.1
  Host: localhost
  Range:bytes=0-100
  Connection: close

  HTTP/1.1 206 Partial Content
  Date: Sat, 03 Sep 2011 00:07:45 GMT
  Server: Apache/2.2.14 (Ubuntu)
  Last-Modified: Wed, 31 Aug 2011 16:56:54 GMT
  ETag: "482db-b1-4abd003eaae6f"
  Accept-Ranges: bytes
  Content-Length: 101
  Content-Range: bytes 0-100/177
  Connection: close
  Content-Type: text/html

I do note that in your first connection attempt, the Content-Length and Content-Range fields are not returned at all. Do you have any idea why this might be? What's different about your configuration than the default? Is it possible there's a transparent proxy in between you and the server? Did you put in place any of the mitigation configurations?

Finally, I should point out that the testcases going around (like the one in killapache.pl) are based on symptomatic behavior and aren't a guarantee that a DoS happens. The testcase that I've been using has a byte range request of

  Range:bytes=1-15,10-35,8-9,14-22,0-5,23-

With that request, I get a 206 response with the vulnerable code and a 200 response with the fix applied, regardless of whether gzip compression is enabled or not.

Finally, running the killapache.pl script with the attack function (killapache) enabled, definitely results in a DoS situation with the unpatched packages (top shows the resident memory data of the apache processes ballooning to 25-30MB), while running it against the updated packages does not (apache processes memory usage stays sane). This is also regardless of whether gzip compression is turned on or not.

Any clarification about your configuration that you can provide to help diagnose the behavior you're seeing would be most appreciated. Thanks!