Recently many web site owners have been concerned about the newly published Apache DoS issue (CVE-2011-3192), which is triggered when the vulnerable code handles HTTP requests carrying malicious 'Range' headers. Today I would like to talk a little about the bug itself, and about how to check whether your own installation is affected.
The bug lives in the function ap_byterange_filter in byterange_filter.c. When an HTTP request with a Range header reaches an Apache server, ap_byterange_filter decides how many range values the request has simply by looking for the character ',' in the header value:
```c
...
if (!ap_strchr_c(range, ',')) {
    /* a single range */
    num_ranges = 1;
}
else {
    /* a multiple range */
    num_ranges = 2;
}
...
```
Later, if the number of range values is greater than 1, the function allocates a pool bucket for the request:
```c
...
if (ctx->num_ranges == 1) {
    ...
}
else {
    char *ts;
    e = apr_bucket_pool_create(ctx->bound_head, strlen(ctx->bound_head), r->pool, c->bucket_alloc);
    ...
```
It has been demonstrated that a large number of HTTP requests, each with many values set in the Range header, consumes a huge amount of CPU and memory on the target.
If you have an affected version of Apache installed, you may wonder whether your particular configuration is vulnerable. There is a very simple way to tell, which is actually taken from the published exploit for this bug. Its code simply sends the following request to the target server:
```http
GET / HTTP/1.1
Host: Localhost
Range: bytes=0-
Connection: Close
```
If the target responds with 'HTTP/1.1 206 Partial Content', then it is vulnerable to this bug. After walking through the whole source code of the Apache HTTPD server, I found that the vulnerable function, ap_byterange_filter, is the only one that emits the 'HTTP_PARTIAL_CONTENT' response. That means this detection method is quite accurate at telling whether an affected version of Apache is actually vulnerable in a given configuration.
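To make the check above concrete, here is an added Python example (not code from the original post or from Apache) that parses a Range header the way the filter distinguishes single from multiple ranges, flags requests carrying an unusually large number of ranges, and builds and interprets the single-range probe request. The 5-range threshold and the probe_server helper name are assumptions for this example.

```python
"""Helpers for the CVE-2011-3192 check (added example, not Apache code)."""
import socket


def parse_ranges(range_value):
    """Split a Range header value into (start, end) pairs.

    Like ap_byterange_filter, treat the value as 'bytes=' followed by
    comma-separated ranges of the form 'a-b', 'a-' or '-b'. A missing bound
    is returned as None; a malformed value yields an empty list.
    """
    unit, _, spec = range_value.partition("=")
    if unit.strip().lower() != "bytes" or not spec:
        return []
    ranges = []
    for part in spec.split(","):
        start, sep, end = part.strip().partition("-")
        ok = sep and (start or end) and (start.isdigit() or not start) \
            and (end.isdigit() or not end)
        if not ok:
            return []
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def is_abusive_range(range_value, max_ranges=5):
    """Flag a header with more ranges than a legitimate client needs.
    The threshold is an assumption for this example, not from the page."""
    return len(parse_ranges(range_value)) > max_ranges


def build_probe(host):
    """The single-range request quoted above, as raw bytes."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\nRange: bytes=0-\r\n"
            "Connection: Close\r\n\r\n" % host).encode("ascii")


def responds_partial_content(raw_response):
    """True when the status line says 206, i.e. the byterange filter ran."""
    status_line = raw_response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/1.") and parts[1] == "206"


def probe_server(host, port=80, timeout=5.0):
    """Send the probe to your own server and interpret its status line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        data = b""
        while b"\r\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return responds_partial_content(data)
```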
Note: all the source code pieces above are copied from the last vulnerable version of Apache, 2.2.19.
