Apache httpd remote denial of service (new vulnerability check)


Aaron Bryson

Jan 18, 2015, 5:35:50 PM
to zaproxy...@googlegroups.com
Here is an idea for a new passive scanner vulnerability check. Just to be clear - because this is a denial of service check we want it to be passive and NOT actively exploit it. As such, here is a method for determining a vulnerable version that should be easy to implement. I see this often enough that it warrants automation in ZAP.

Note that to perform this check, really any request can be used; what we are really looking for is a response from the server which contains the Server response header and the Apache version information.

REQUEST
GET /jquery/js/jquery-ui.custom.min.js HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Referer: https://foobar.example.com/index
Cookie: JSESSIONID=a5x3Al2vx3uJg5YCgpFuwaR3.undefined; account_id=1
Host: foobar.example.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

RESPONSE
HTTP/1.1 200 OK
Date: Tue, 02 Dec 2014 17:53:09 GMT
Server: Apache/2.2.15 (CentOS)
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 18:00:00 CST
P3P: CP="PHY ONL UNI PUR FIN COM NAV INT DEM STA HEA CUR ADM DEV OUR IND"
Accept-Ranges: bytes
ETag: W/"207694-1409379728000"
Last-Modified: Sat, 30 Aug 2014 06:22:08 GMT
Content-Length: 207694
Connection: close
Content-Type: text/javascript;charset=UTF-8

---------------------------------------------------------------------
Vulnerability Report Information (feel free to use this report write up or modify it as you see fit)

Description: Apache httpd remote denial of service
Vulnerability description: A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server: http://seclists.org/fulldisclosure/2011/Aug/175. An attack tool is circulating in the wild. Active use of this tool has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. This alert was generated using only banner information. It may be a false positive. Affected Apache versions: 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.

Attack details: Current version is: 2.2.15
The impact of this vulnerability: Remote Denial of Service
How to fix this vulnerability: Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.
Web references
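A standalone Python sketch of the banner-only check proposed above, added here as an example (it is not ZAP's own code and not code from the poster): it parses the Server header, compares the version against the affected ranges quoted in the report, and attaches a low-confidence note because a banner match alone can be a false positive. The sample response is constructed from the response headers shown in the post.

```python
import re

# Affected ranges exactly as the report states them: every 1.3.x release,
# 2.0.x through 2.0.64, and 2.2.x through 2.2.19 (fixed in 2.2.20).
AFFECTED_BRANCHES = [  # ((major, minor), highest affected version or None for whole branch)
    ((1, 3), None),
    ((2, 0), (2, 0, 64)),
    ((2, 2), (2, 2, 19)),
]

APACHE_BANNER = re.compile(r"\bApache/(\d+)\.(\d+)(?:\.(\d+))?")

def apache_version(raw_response):
    """Return (major, minor, patch) from the Server header, or None when the
    header is missing or hides the version (e.g. "Server: Apache")."""
    headers = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]  # skip body
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = APACHE_BANNER.search(value)
            return tuple(int(g or 0) for g in m.groups()) if m else None
    return None

def banner_is_affected(version):
    """True if a (major, minor, patch) tuple falls inside an affected range."""
    for branch, last_affected in AFFECTED_BRANCHES:
        if version[:2] == branch and (last_affected is None or version <= last_affected):
            return True
    return False

def check_response(raw_response):
    """Passive check: decide from the banner alone, never by sending Range requests."""
    version = apache_version(raw_response)
    if version is None:
        return {"alert": False, "reason": "no Apache version in Server header"}
    return {
        "alert": banner_is_affected(version),
        "version": ".".join(str(n) for n in version),
        "confidence": "low",  # banner only: backported fixes keep the old version string
    }

# Constructed sample response built from the headers quoted in the post above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 02 Dec 2014 17:53:09 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Content-Type: text/javascript;charset=UTF-8\r\n"
    "\r\n"
)
```

Because the decision rests on the banner, a hit is only a prompt to confirm the installed package and its changelog, not proof the server is exploitable.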

Colm O'Flaherty

Jan 19, 2015, 9:45:45 AM
to zaproxy...@googlegroups.com

Hi. The 'insecure component' scanner should already detect this issue, although it only reports the CVE number rather than the detail from your mail. Note though that it will be reported as a false positive because some distributions like Red Hat and CentOS employ security 'backports', meaning that the version number of Apache is not necessarily indicative of the actual version.

Colm
