Hi,

the following pieces of mail came by on BugTraq. It appears that Apache (1.2.5 and 1.2.6 tested; 1.3 is vulnerable according to Ben Laurie [Apache member]) doesn't handle the case where a single request carries a lot (say 10000) of "User-Agent:" headers (other headers could also work!). An exploit with source code was posted on BugTraq.

Excerpts from the mail by <finrod@EWOX.ORG>:

| There seems to be a simple way of badly DoSing any Apache server. It
| involved a massive memory leak in the way it handles incoming request
| headers. I based my exploit on the assumption that they use setenv()
| (which they don't) and that the bug occurs when you send a header that
| will end up as an environment variable if you request a CGI script
| (such as User-Agent), but I have since verified that there is no
| connection there. Anyway, you can blow Apache through the roof by
| sending it tons of headers - the server's memory consumption seems to
| be a steep polynomial of the amount of data you send it. Below is a
| snapshot of top(1) about one minute after I sent my server a request
| with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
| of data)
|---cut---
| last pid: 29187;  load averages:  1.82,  1.06,  0.68    18:21:36
| 82 processes:  2 running, 80 sleeping
| CPU states: 93.5% user,  0.0% nice,  6.1% system,  0.4% interrupt,  0.0% idle
| Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
| Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
|
|   PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
| 29176 www      -18    0  392M 85612K swread   0:57  6.83%  6.83% httpd
|---cut---

Ben Laurie (team Apache) <ben@ALGROUP.CO.UK> responded swiftly:

| And here's a band-aid for 1.3.1 - I'm sure we'll come up with something
| better soon. This (untested) patch should prevent the worst effects. A
| similar patch should work for 1.2.x.
He posted this band-aid:

Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c	1998/08/06 17:30:30	1.229
+++ http_protocol.c	1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;
 
     /*
      * Read header lines until we get the empty separator line, a read error,
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);
 
+        if(++nheaders == 100) {
+            r->status = HTTP_BAD_REQUEST;
+            return;
+        }
+
         if (!(value = strchr(copy, ':'))) {    /* Find the colon separator */
             r->status = HTTP_BAD_REQUEST; /* or abort the bad request */
             return;

I think this is worth patching ;-)

No reports so far about people using this in the "wild"...

Greetings,
Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
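Review bot: on the first hunk (the `+ int nheaders=0;` declaration), a style point only: write it as `int nheaders = 0;` with spaces around the operator like the neighbouring declarations, and give the counter a one-line comment saying it exists to bound the number of header lines per request, so whoever later makes the limit configurable can find it.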
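Review bot: in the second hunk, `if(++nheaders == 100)` rejects the request when the 100th header line is read, so at most 99 headers are accepted; if 100 is meant to be the allowed maximum, compare with `> 100` instead. The literal 100 is a magic number and belongs in a named constant or a per-server setting, since the right ceiling is a deployment decision. The new check also sits after `ap_palloc(r->pool, len + 1)` and `memcpy(copy, field, len + 1)`, so the rejected line is still copied into the pool before the request is refused; moving the check above the allocation avoids that. Finally, as the author says, this is a band-aid: a cap on the line count bounds the header bytes to roughly 100 x MAX_STRING_LEN, but it does not explain or remove whatever makes memory grow as a "steep polynomial" of the data sent in the report above, and that root cause still needs a separate fix.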
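To show what the band-aid's header-count guard does to a request like the one in the report, here is an added stand-alone C example. It is not Apache's code and not from the mail above: the names read_headers, build_request, status_for, headers_read_for, status_for_raw and MAX_HEADERS are invented for it, the request it builds (n copies of "User-Agent: sioux\r\n") is a constructed sample, and it mirrors the patch's `++nheaders == 100` test exactly, so the 100th header line triggers the 400 and at most 99 are accepted.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HEADERS      100   /* same hard-coded limit as the band-aid (assumption: a named constant) */
#define HTTP_OK          200
#define HTTP_BAD_REQUEST 400

/* Reads CRLF-terminated header lines from buf until the empty separator line.
 * Like the band-aid, the request is refused as soon as the MAX_HEADERS-th line
 * arrives (so at most MAX_HEADERS - 1 lines are kept), and a line without a
 * "name: value" colon is refused as well. *nseen receives the number of
 * header lines consumed. Returns HTTP_OK or HTTP_BAD_REQUEST. */
int read_headers(const char *buf, int *nseen)
{
    int nheaders = 0;
    const char *p = buf;

    for (;;) {
        const char *eol = strstr(p, "\r\n");
        *nseen = nheaders;
        if (eol == NULL)
            return HTTP_BAD_REQUEST;        /* truncated: never saw the separator line */
        if (eol == p)
            return HTTP_OK;                 /* empty line: end of the header block */
        *nseen = ++nheaders;
        if (nheaders == MAX_HEADERS)        /* the check the patch adds */
            return HTTP_BAD_REQUEST;
        if (memchr(p, ':', (size_t)(eol - p)) == NULL)
            return HTTP_BAD_REQUEST;        /* no colon separator in this line */
        p = eol + 2;
    }
}

/* Constructed sample: fills out with n copies of "User-Agent: sioux\r\n"
 * (as many as fit) followed by the empty separator line. Returns out. */
char *build_request(char *out, size_t outsz, int n)
{
    size_t used = 0;
    int i;
    for (i = 0; i < n && used + 22 <= outsz; i++) {   /* 19 bytes + room for "\r\n\0" */
        memcpy(out + used, "User-Agent: sioux\r\n", 19);
        used += 19;
    }
    memcpy(out + used, "\r\n", 3);
    return out;
}

/* Status the guard returns for a request carrying n User-Agent lines. */
int status_for(int n)
{
    static char buf[8192];
    int seen;
    return read_headers(build_request(buf, sizeof buf, n), &seen);
}

/* Number of header lines the guard consumed before deciding. */
int headers_read_for(int n)
{
    static char buf[8192];
    int seen;
    read_headers(build_request(buf, sizeof buf, n), &seen);
    return seen;
}

/* Status for an arbitrary raw header block (used for the malformed cases). */
int status_for_raw(const char *raw)
{
    int seen;
    return read_headers(raw, &seen);
}

int main(void)
{
    int counts[] = { 5, 99, 100, 10000 };
    size_t i;
    for (i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("%5d User-Agent lines -> status %d after reading %d line(s)\n",
               counts[i], status_for(counts[i]), headers_read_for(counts[i]));
    return 0;
}
```

Running it shows the 10,000-line request being refused after 100 lines instead of being read to the end, which is the whole effect of the band-aid: the per-request work is bounded by the line count, not by how much the client is willing to send.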