A bug in the way that the hugely popular Apache Web server handles some types of HTTP “Range” header requests can enable a remote attacker to cause a denial-of-service condition on a vulnerable server. The flaw, which affects all versions of Apache 1.3 and Apache 2, reportedly is already being exploited in the wild, and Apache Software Foundation officials are working on a fix for the bug, which is expected to be released within a few days.
The vulnerability in Apache actually has been a known issue for more than four years, since researcher Michal Zalewski pointed it out in a Bugtraq post. Zalewski said at the time of his 2007 post that the attack was fairly simplistic and not especially innovative.
“Combined with the functionality of window scaling (as per RFC 1323), it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?” he wrote.
But the bug apparently was never fixed by Apache, and it resurfaced late last week when another researcher, known as Kingcope, posted a message to Full Disclosure about it. He also released a Perl script that executed the attack, exhausting the memory of the remote Apache server. That message sparked a long discussion on the mailing list about the severity and nature of the vulnerability, and a separate discussion on the Apache list about ways to mitigate the problem.
“At least apache 2.2.17 has a remotely exploitable dos vulnerability which allows to consume all memory on a target system. A request for triggering the memory consumption includes a large ‘Range’ header which requests as many different bytes as possible from a file served by httpd. Combining this with a gzip ‘Accept-Encoding’ header the httpd is assumed to compress each of the bytes requested in the Range header separately consuming large memory regions. The behaviour when compressing the streams is devastating and can end up in rendering the underlying operating system unusable when the requests are sent in parallel. Symptoms are swapping to disk and killing of processes including but not solely httpd processes,” Kingcope wrote in an Apache Bugzilla bug report.
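Kingcope's description above boils down to a request property a server operator can check for before the request reaches the file handler: a byte-range header with an unusually large number of ranges, often overlapping, optionally paired with a gzip `Accept-Encoding`. The following is an added example written for this article, not code from Apache or from either researcher. It parses the `Range` header syntax (`bytes=a-b`, `bytes=a-`, `bytes=-n`), counts the ranges, resolves them against an assumed resource size to detect overlap, and applies an assumed policy (the threshold of five ranges, the `ignore-range`/`reject` actions, and the one-line log format fed to `scan_log` are all constructed for the example, not taken from any Apache guidance).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A single range spec between the commas: "a-b", "a-" or "-n".
RANGE_SPEC_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

# Assumed policy threshold: legitimate clients (download managers, media
# players) rarely ask for more than a handful of ranges per request.
MAX_RANGES = 5

Spec = Tuple[Optional[int], Optional[int]]  # (start, end); None = open side


@dataclass
class RangeVerdict:
    range_count: int      # number of ranges in the header (0 if none/invalid)
    overlapping: bool     # any two ranges cover the same bytes
    compressed: bool      # client also asked for gzip content-coding
    action: str           # "allow", "ignore-range" (serve whole entity), "reject" (e.g. 416)


def parse_range_header(value: str) -> Optional[List[Spec]]:
    """Parse a 'bytes=' Range header into (start, end) tuples.

    Returns None when the header is not syntactically valid, so the caller
    can fall back to serving the complete entity instead of guessing.
    """
    if not value.lower().startswith("bytes="):
        return None
    specs: List[Spec] = []
    for part in value[len("bytes="):].split(","):
        m = RANGE_SPEC_RE.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                       # "-" alone or garbage
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None                       # "9-2" is not a range
        specs.append((start, end))
    return specs


def _resolve(spec: Spec, size: int) -> Tuple[int, int]:
    """Turn an open-ended spec into a concrete inclusive [first, last] interval."""
    start, end = spec
    if start is None:                         # "-n": the last n bytes
        length = min(end or 0, size)
        return (size - length, size - 1)
    last = size - 1 if end is None else min(end, size - 1)
    return (start, last)


def ranges_overlap(specs: List[Spec], size: int) -> bool:
    """True if any two ranges share at least one byte of a resource of `size` bytes."""
    intervals = sorted(_resolve(s, size) for s in specs)
    for (_, prev_last), (next_first, _) in zip(intervals, intervals[1:]):
        if next_first <= prev_last:
            return True
    return False


def assess_request(range_header: Optional[str], accept_encoding: Optional[str],
                   max_ranges: int = MAX_RANGES, resource_size: int = 1 << 40) -> RangeVerdict:
    """Decide what to do with a request before any range or gzip work is done.

    `resource_size` is an assumed upper bound used only to resolve open-ended
    ranges; a real filter would use the size of the entity being served.
    """
    compressed = bool(accept_encoding) and "gzip" in accept_encoding.lower()
    if not range_header:
        return RangeVerdict(0, False, compressed, "allow")
    specs = parse_range_header(range_header)
    if specs is None:
        # Malformed header: ignoring it and serving the whole entity is the
        # conservative choice (no partial-content machinery is exercised).
        return RangeVerdict(0, False, compressed, "ignore-range")
    overlapping = ranges_overlap(specs, resource_size)
    if len(specs) > max_ranges or overlapping:
        return RangeVerdict(len(specs), overlapping, compressed, "reject")
    return RangeVerdict(len(specs), overlapping, compressed, "allow")


# Constructed log sample in a made-up one-line format:
# "<method> <path> range=<Range value or -> enc=<Accept-Encoding value or ->".
SAMPLE_LOG = """\
GET /index.html range=- enc=gzip
GET /big.iso range=bytes=0-1023 enc=gzip
GET /big.iso range=bytes=0-99,100-199,200-299 enc=-
GET /big.iso range=bytes=0-9,0-9,0-9,0-9,0-9,0-9,0-9,0-9,0-9,0-9 enc=gzip
GET /big.iso range=bytes=0-,-1 enc=gzip
GET /big.iso range=bytes=abc enc=gzip
"""

LOG_LINE_RE = re.compile(r"^(\S+) (\S+) range=(\S+) enc=(\S+)$")


def scan_log(text: str, **policy) -> List[Tuple[str, RangeVerdict]]:
    """Return (path, verdict) for every logged request that would not be allowed as-is."""
    flagged = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        _method, path, rng, enc = m.groups()
        verdict = assess_request(None if rng == "-" else rng,
                                 None if enc == "-" else enc, **policy)
        if verdict.action != "allow":
            flagged.append((path, verdict))
    return flagged


if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print(path, verdict)
```

The overlap check matters as much as the count: the sample line `bytes=0-,-1` has only two ranges, yet it asks for the whole file and then its last byte again, so a filter that only counted commas would wave it through. Running the block flags the ten-range request and the two-range overlapping request for rejection, and marks the malformed `bytes=abc` header as one to ignore while still serving the whole file.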
Apache is now developing a patch for the bug, but it apparently won’t be ready for a few more days. Apache is by far the most widely deployed Web server, with hundreds of millions of installations around the world. Apache servers accounted for more than 65 percent of all Web servers in July, according to statistics gathered by Netcraft.