oops, did it again... forgot to cc the list :s
On 25 August 2011 06:25, -= Glowing Sex =- <doo...@gmail.com> wrote:
> Very nice stuff!
> I think kcope did grab the idea from something you actually mentioned once,
> davide, lol, a reference to a website I think, and mentioning the byte range.
> I played a bit with this, changed the request of 0- to more like this:
>
> root@craked:~# perl killapache.pl www.***.com
> IO::Socket::INET=GLOB(0x22016f8) HEAD / HTTP/1.1
> Host: www.***.com
> Range:bytes=0-
> Accept-Encoding: gzip
> Connection: close
> ^C
>
> This, when I added the If-Range, was less successful, so I removed that, and
> changed the 0- section to one which includes -doc_size; this produced a
> difference... and oh, I did also make it print "$sock $p"; for a little to
> watch the header sending... a lot of the time it was not adding on the $p, it
> stopped at 0-.
> Interesting anyhow to play with the advisory/patch and exploit.. it
> produces some wicked results on many httpds. I mean instant death to nearly
> all of FreeBSD v8 which I have seen now...
> Anyhow, I hope we don't see another one like this. I really blame apache for
> this, and won't ever hold an exploit coder to things which are readable on
> some pages of apache and just do not get brought to the fore; it is
> expected that everyone knows how to update to dev, which unfortunately is not
> going to happen :P.
> Anyhow, cheers for all the input on this, the patches for it work, and it
> is much nicer without any apache d0s :)
> thx, cheers,
> xd
>
> On 25 August 2011 00:26, Davide Guerri <davide.gue...@gmail.com> wrote:
>> Hi Douglas,
>> I'd put optional spaces (\s*) between bytes= and the ranges and between
>> ranges.
>>
>> The following
>>
>> > bytes= 0-1, 5-69,-69
>>
>> is a valid Range header value (I mean that it is accepted by apache).
>>
>> I agree with you about not checking the http method (GET/HEAD/POST seem to
>> be all vulnerable) and about the use of the [N]o[S]ub and the [L]ast flag.
>>
>> To sum up, I'd rather use something like the following:
>>
>> > RewriteEngine On
>> > RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
>> > RewriteRule .* - [NS,L,F]
>>
>> I can say nothing about the efficiency of the Cond.
>>
>> If you remove any check that matches a single range, webdav should work. It
>> seems really unusual for a service to use multiple ranges to me...
>>
>> Davide.
>>
>> On 24/Aug/2011, at 15:40, Douglas Huff wrote:
>>
>> > I think this is a more complete rule that should be slightly more
>> > efficient and thorough even though it's 3 separate matches:
>> >
>> > RewriteEngine On
>> > RewriteCond %{HTTP:Range} bytes=0-[0-9]+, [NC,OR]
>> > RewriteCond %{HTTP:Range} bytes=([0-9-],){4,} [NC,OR]
>> > RewriteCond %{HTTP:Range} bytes=[0-9,-]+,0-(,|$) [NC]
>> > RewriteRule .? http://%{SERVER_NAME}/ [NS,L,F]
>> >
>> > I cannot remember if the second RewriteCond's syntax is supported by
>> > mod_rewrite and don't have a machine handy right this moment to test
>> > effectiveness anyhow.
>> >
>> > This should stop any requests with a range starting with 0- specified as
>> > a range (first and third rule) or 4 or more ranges included (second rule).
>> >
>> > --
>> > Douglas Huff
>> >
>> > On Aug 24, 2011, at 5:29 AM, Carlos Alberto Lopez Perez wrote:
>> >
>> >> On 20/08/11 14:05, Moritz Naumann wrote:
>> >>> On 20.08.2011 00:23 HI-TECH . wrote:
>> >>>> (see attachment)
>> >>>> /Kingcope
>> >>>
>> >>> Works (too) well here. Are there any workarounds other than rate
>> >>> limiting or detecting + dropping the traffic IPS-wise?
>> >>>
>> >>> Moritz
>> >>>
>> >>
>> >> You can use the following redirect as a temporary workaround:
>> >>
>> >> # a2enmod rewrite
>> >>
>> >> RewriteEngine On
>> >> RewriteCond %{HTTP:Range} bytes=0-.* [NC]
>> >> RewriteRule .? http://%{SERVER_NAME}/ [R=302,L]
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
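The three RewriteCond sets proposed in the thread can be compared without an Apache instance. The block below is an added example, not code from the thread or from Apache: it transcribes Carlos's, Douglas's and Davide's conditions into Python regexes (mod_rewrite uses PCRE with an unanchored search and [NC] maps to re.IGNORECASE, so the translation is close but not byte-identical), adds a small parser for the RFC 2616 byte-ranges grammar to count the ranges in a value, and runs both over constructed Range values, including Davide's spaced example. It also carries Douglas's second condition in a second, adjusted form with `[0-9-]+`, because as posted `[0-9-]` without a quantifier matches a single character and so never matches a real first-last spec; that adjustment and all sample values are the example's own.

```python
"""Offline tester for Range-header mod_rewrite conditions (added example)."""
import re

# Carlos's workaround: anything whose Range starts with "bytes=0-" ([NC]).
CARLOS = [re.compile(r"bytes=0-.*", re.IGNORECASE)]

# Douglas's three conditions, chained with [OR], transcribed as posted. Note
# that [0-9-] in the second one matches ONE character, so "([0-9-],){4,}"
# only matches single-character "ranges" such as "1,2,3,4,".
DOUGLAS = [
    re.compile(r"bytes=0-[0-9]+,", re.IGNORECASE),
    re.compile(r"bytes=([0-9-],){4,}", re.IGNORECASE),
    re.compile(r"bytes=[0-9,-]+,0-(,|$)", re.IGNORECASE),
]

# Same set with the quantifier the second condition appears to intend
# (example's adjustment, not Douglas's text).
DOUGLAS_FIXED = [DOUGLAS[0],
                 re.compile(r"bytes=([0-9-]+,){4,}", re.IGNORECASE),
                 DOUGLAS[2]]

# Davide's single condition: two or more ranges, whitespace tolerated.
DAVIDE = [re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")]

RULESETS = {"carlos": CARLOS, "douglas": DOUGLAS,
            "douglas_fixed": DOUGLAS_FIXED, "davide": DAVIDE}

_SPEC = re.compile(r"^([0-9]*)-([0-9]*)$")


def parse_byte_ranges(value):
    """Parse a Range value into [(first, last), ...]; None for malformed input.

    Grammar is RFC 2616 14.35.1 (bytes=first-last | first- | -suffix),
    plus whitespace around "=" and ",", which the thread reports Apache
    accepts. A spec with first > last is syntactically invalid per the RFC.
    """
    unit, sep, rest = value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in rest.split(","):
        m = _SPEC.match(spec.strip())
        if not m or (not m.group(1) and not m.group(2)):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and first > last:
            return None
        ranges.append((first, last))
    return ranges


def range_count(value):
    """Number of byte-range-specs in a well-formed value, 0 if malformed."""
    parsed = parse_byte_ranges(value)
    return len(parsed) if parsed is not None else 0


def blocked_by(value):
    """Names of the rule sets whose RewriteCond chain would fire on value."""
    return [name for name, conds in RULESETS.items()
            if any(c.search(value) for c in conds)]


# Constructed sample values, not captured traffic.
SAMPLES = {
    "single":    "bytes=0-499",                 # ordinary partial download
    "resume":    "bytes=500-",                  # download resume
    "suffix":    "bytes=-500",                  # last 500 bytes
    "davide":    "bytes= 0-1, 5-69,-69",        # Davide's accepted value
    # 1301 overlapping ranges, all well-formed (first <= last), leading "0-,"
    "flood":     "bytes=0-," + ",".join(f"5-{i}" for i in range(5, 1305)),
    "flood_mid": "bytes=5-10,0-,5-11",          # "0-" not in first position
}


def report():
    """Map sample name -> (range count, rule sets that block it)."""
    return {name: (range_count(v), blocked_by(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (count, blockers) in report().items():
        print(f"{name:10} ranges={count:5}  blocked_by={blockers}")
```

What the run shows: Carlos's condition fires on the ordinary `bytes=0-499`, so a plain browser range request is redirected; none of the `bytes=`-prefixed conditions fire on Davide's spaced value, which is the point of his `\s*`; Douglas's set as posted misses the constructed flood whose first range is `0-,` (the first condition needs digits after `0-`, the third needs a `,0-` later in the list, and the second never matches a real spec) but catches the same flood once `0-` appears after another range; Davide's condition blocks every multi-range value and nothing with a single range. Whichever rule is chosen, test it against a PCRE-based engine before relying on it, since this transcription is Python `re`.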