Date: Tue, 13 Sep 2011 22:36:16 -0300
From: Javier Bassi <javierbassi@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Apache Killer

On Mon, Sep 12, 2011 at 11:26 PM, xD 0x41 wrote:
> I know this topic is OLD but, I just wonder and, also having spoken to kcope
> re this myself, discussed the size of each bucket which can be made to
> stupendous amounts and using a different vector, ok, instead of Range:bytes=
> , picture a GET request with as was shown in the code is there, you
> "Request-Range: bytes=5-,5-69,5-" , now we have bypassed most filters
> already in place, and the request range code, is exactly the same as range
> code.
> Only one person spotted this.

The HTTPD advisory was very clear that both Range and Request-Range can be
used. Everyone who unset Range probably unset Request-Range too. If the
host is vulnerable it's a little better to use Range, because using
Request-Range takes 8 bytes more. (more bytes = fewer ranges)

I have tested the exploit a bit and saw that 1300 ranges is just a fixed
number chosen by kingcope, but it can be a little bigger. The Range field
can be almost 8KB long, and it's a total waste of bytes to use the x-y,
format where y is an increasing number that will take more than one
digit. So instead of 1300 you can get it to 2725 max if you use repeated
x-, where x is always a single-digit number. By doing that the exploit
gets much more effective.

I have attached the source if anyone cares.

Attachment: killapache2.pl (text/x-perl, 2090 bytes)
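The arithmetic in the message above (a header line of roughly 8KB, two-byte "x-" pieces versus growing "x-y" pieces, and the 8 bytes that "Request-Range" costs over "Range") can be worked through directly. The following is an added example written for this page, not code from kingcope's exploit or from the attached killapache2.pl. It assumes Apache's default LimitRequestFieldSize of 8190 bytes bounds the whole header line including the field name, and the 5-range cut-off in is_abusive() is an assumed, illustrative threshold rather than a value from the post. The packer builds the header locally and sends nothing; the last function is the server-side check a defender would want, covering both header names so a filter that only looks at Range is not bypassed by Request-Range.

```python
"""Range-header arithmetic for the Apache Range DoS discussed in this thread.

Added example, not kingcope's or Javier Bassi's code. Assumptions: Apache's
default LimitRequestFieldSize of 8190 bytes bounds the whole header line
(name, colon, space and value); the 5-range threshold in is_abusive() is an
assumed, illustrative cut-off, not a value taken from this post.
"""
import itertools

LIMIT_REQUEST_FIELD_SIZE = 8190  # Apache default, bytes per header line (assumed here)


def build_range_header(name, pieces, limit=LIMIT_REQUEST_FIELD_SIZE):
    """Greedily pack byte-range pieces into one header line that stays within limit.

    name is "Range" or "Request-Range"; pieces is an iterable of range
    specs such as "5-" or "5-69". Stops at the first piece that would push
    the line (field name, colon, space and value) past limit.
    """
    head = f"{name}: bytes="
    chosen = []
    length = len(head)
    for piece in pieces:
        extra = len(piece) + (1 if chosen else 0)  # comma separator after the first piece
        if length + extra > limit:
            break
        chosen.append(piece)
        length += extra
    return head + ",".join(chosen)


def single_digit_pieces():
    """The repeated "x-" form from the post: open-ended ranges, 2 bytes each."""
    return itertools.repeat("5-")


def increasing_pieces():
    """The "x-y" form the post calls wasteful: y keeps growing, so pieces grow too."""
    return (f"5-{i}" for i in itertools.count())


def count_ranges(header_line):
    """Number of comma-separated ranges in a Range / Request-Range header line."""
    _, _, value = header_line.partition(":")
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return 0
    return len([r for r in value[len("bytes="):].split(",") if r.strip()])


RANGE_FIELDS = ("range", "request-range")


def is_abusive(headers, max_ranges=5):
    """Server-side check: flag a request whose Range OR Request-Range carries
    more than max_ranges ranges. headers is a list of (name, value) pairs as
    a proxy or WAF would see them; the field-name comparison is case-insensitive.
    """
    for field, value in headers:
        if field.lower() in RANGE_FIELDS and count_ranges(f"{field}: {value}") > max_ranges:
            return True
    return False


if __name__ == "__main__":
    for name, gen in (("Range", single_digit_pieces), ("Request-Range", single_digit_pieces),
                      ("Range", increasing_pieces)):
        line = build_range_header(name, gen())
        print(f"{name:14s} {gen.__name__:22s} {len(line):5d} bytes, {count_ranges(line)} ranges")
    # Constructed request mirroring the quoted reply's Request-Range idea:
    print("abusive:", is_abusive([("Request-Range", "bytes=5-,5-69,5-,5-,5-,5-")]))
```

The exact counts depend on what is charged against the limit (whether the field name counts, whether a trailing comma is reserved), which is why the figures in the post are approximate; the relative picture is what matters: roughly twice as many ranges with repeated "5-" as with growing "5-y", and a few fewer again for Request-Range.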
