Gentoo Forums
Cve-2011-3192[SOLVED]
upengan78
l33t
Joined: 27 Jun 2007
Posts: 710
Location: IL

Posted: Fri Aug 26, 2011 2:45 pm    Post subject: Cve-2011-3192[SOLVED]

Hello,

It's about http://www.securityfocus.com/bid/49303

Didn't see any thread here, so I thought I'd start one. Wonder if this gets discussed somewhere else for Gentoo?


I added the below to /etc/apache2/httpd.conf:

Code:
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range


Restarted apache2 and am running killapache.pl against this Gentoo system. My load average has gone up from 1 to 17 and may rise higher.

access_log
Code:

sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -


error_log

Code:
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/6lO3lRc2F3y74cOhDGe7.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/DV5iN99a8DSsPKhAa7At.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/7z4Ro6Xtzx7iey9-4mK_.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/4C1UzN6j_pND0j9rscPW.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/6lO3lRc2F3y74cOhDGe7.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @5452] /var/cache/mod_pagespeed/DV5iN99a8DSsPKhAa7At.lock:0: creating dir (code=13 Permission de


range-CVE-2011-3192.log

Code:
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -



So it seems the workaround I applied doesn't seem to help? Any idea if there will be a patch from Gentoo, or do you guys recommend any tweaks to this workaround or any other method as a workaround?

Let me know.

Thanks.


Last edited by upengan78 on Fri Aug 26, 2011 4:22 pm; edited 1 time in total
Yuu
Apprentice
Joined: 23 Dec 2008
Posts: 223
Location: France

Posted: Fri Aug 26, 2011 3:35 pm    Post subject:

Hi upengan78,

I wanted to create this thread too but... I think I don't like starting threads :D

However, I was aware of this issue a few days ago and I even made a small Python script (killapache doesn't work for me) to test my own Apache server. Unfortunately, I must have misread the information because I didn't know that "Request-Range" was vulnerable too.

For me this fix (RequestHeader unset <header>) just removes the Range/Request-Range header:
Code:
127.0.0.1 - - [26/Aug/2011:17:36:07 +0200] "GET / HTTP/1.1" 200 651
127.0.0.1 - - [26/Aug/2011:17:36:07 +0200] "GET / HTTP/1.1" 200 651
127.0.0.1 - - [26/Aug/2011:17:36:07 +0200] "GET / HTTP/1.1" 200 651
127.0.0.1 - - [26/Aug/2011:17:36:08 +0200] "GET / HTTP/1.1" 200 651


Then, the client gets an HTTP status code = 200 (instead of 206) and doesn't get the ranges. So, that works for me.

So, thank you for this update :]
_________________
Main laptop : T8300 cpu | 200 GB hard drive | 2 GB of ram | 8600M GT | Gentoo x86_64
Server : Celeron 220 cpu | 250 GB hard drive | 2 GB of ram | SiS 662 VGA | Gentoo x86_64
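
Added example, not part of either post above: a Python sketch that emulates the two RequestHeader rules from the first post on constructed headers and, through a hypothetical `probe()` helper, sends a single six-range request to a server you administer to observe the 200-versus-206 difference described in the reply. The function names, `SIX_RANGES` and `example.test` are assumptions made for illustration.

```python
import http.client
import re

# Pattern copied from the SetEnvIf line in the first post. SetEnvIf searches
# unanchored, so five commas anywhere (six or more ranges) set bad-range.
BAD_RANGE = re.compile(r"(?:,.*?){5,5}")
SIX_RANGES = "bytes=0-0,1-1,2-2,3-3,4-4,5-5"  # constructed sample: 5 commas


def apply_workaround(headers):
    """Emulate the posted directives; return (headers_after, bad_range_set)."""
    bad = any(k.lower() == "range" and BAD_RANGE.search(v)
              for k, v in headers.items())
    kept = {}
    for name, value in headers.items():
        low = name.lower()
        if low == "request-range":   # RequestHeader unset Request-Range
            continue
        if low == "range" and bad:   # RequestHeader unset Range env=bad-range
            continue
        kept[name] = value
    return kept, bad


def verdict(status):
    """Classify the reply to a ranged GET for a static file."""
    return {200: "range header dropped",
            206: "ranges still served"}.get(status, "inconclusive")


def probe(host, port=80, path="/"):
    """Hypothetical helper: one six-range GET to a server you administer."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Range": SIX_RANGES})
        resp = conn.getresponse()
        resp.read()
        return verdict(resp.status)
    finally:
        conn.close()


if __name__ == "__main__":
    for sample in ("bytes=0-99", "bytes=0-0,1-1,2-2,3-3,4-4", SIX_RANGES):
        print(sample, "->", apply_workaround({"Range": sample}))
    print(apply_workaround({"Request-Range": "bytes=0-99", "Host": "example.test"}))
```
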
upengan78
l33t
Joined: 27 Jun 2007
Posts: 710
Location: IL

Posted: Fri Aug 26, 2011 3:47 pm    Post subject:

No problem.

About that Request-Range, yes, that also needs to be taken care of. Update: http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082427.html

I have the script and it works fine for me. I had to emerge Parallel/Fork Manager though.

I just finished installing mod_security on my Gentoo; however, that also didn't take care of the issue. After enabling apache2 with mod_security with a restart, load still goes high.

In addition, I enabled Sec rules from here http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html, those didn't help me either.

Also tried Rewrite Engine rules in the comment section of the above (spiderlab) link and load still goes high.


SOLVED.

I realized I made a mistake in the /etc/conf.d/apache file with the -D option. In order to use mod_security I had wrongly put -D MOD_SECURITY instead of SECURITY. After correcting it and restarting apache2, the killapache script now shows the below:
Code:

Host does not seem vulnerable

Note that I haven't added a special security rule. Essentially just emerged mod_security, enabled conf.d/apache to add -D SECURITY, restarted apache2 and it looks ready to defend from this attack at least.