Received: (qmail 9327 invoked by uid 2012); 31 Oct 1998 17:39:12 -0000
Message-Id: <19981031173912.9326.qmail@hyperreal.org>
Date: 31 Oct 1998 17:39:12 -0000
From: Joseph W <sniffen@goodnet.com>
Reply-To: sniffen@goodnet.com
To: apbugs@hyperreal.org
Subject: Dos style attack with the usage of SSI's include virtual directive
X-Send-Pr-Version: 3.2

>Number:         3323
>Category:       mod_include
>Synopsis:       Dos style attack with the usage of SSI's include virtual directive
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          closed
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Oct 31 09:40:00 PST 1998
>Last-Modified:  Sun Nov  8 23:04:13 PST 1998
>Originator:     sniffen@goodnet.com
>Organization:
>Release:        1.3.3 w/SSL 1.28
>Environment:
OpenBSD 2.3 i386, gcc 2.8.1
>Description:
It has come to my attention that when specifying a 
<!--#include virtual="a few /'s(one will do)"--> 
directive, you may be able to make apache cause a system to crash eventually. 
On my system (AMD K6 200 w/64mb of ram,3200rpm hdd) the load average raised a 
steady .2 points each second or so. 
Top reported this after starting the "attack":
PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
5467 nobody    95    0   13M 9580K run   -        2:00 121.24% httpd
Probably 20 seconds or so into it.
This is somewhat similar to the past dos attacks with 1.2.4 and earlier using
a large amount of /'s in the url request.
>How-To-Repeat:
Well, first you have to enable SSI's for the file you are going to use 
this include directive in:
---
srm.conf:
AddHandler server-parsed file.type (I put index.html)
---
Within the file.type, inside a document root, you would put
<!--#include virtual="/"-->
The attack comes just from trying to load the file over http.
Even after I stop trying to load the file, apache still consumes more and
more resources until I restart the daemon(sighup is enough).
Will not work if you have too many /'s inside the virtual="" directive.
>Fix:
Someone needs to work on the handle_include() function inside mod_include.c,
adding code to ignore single and consecutive /'s without leading text?
>Audit-Trail:
State-Changed-From-To: open-feedback
State-Changed-By: marc
State-Changed-When: Sat Oct 31 09:55:28 PST 1998
State-Changed-Why:
There is nothing wrong with using <!--#include virtual="/"-->
and it should be permitted.

This appears like it may be due to recursive includes.
You didn't mention this, but is the file you are including
"/" from the file that gets served when you ask for "/"?
That is the only way I can duplicate this, and there is
a fairly obvious cause for this behaviour when trying to do
a recursive include.

Apache does do some checking to try to avoid recursive
includes, but obviously it doesn't go far enough, probably due to
the translation being done from / to index.html by mod_index.

From: "Joseph W." <sniffen@goodnet.com>
To: apbugs@Apache.Org
Cc:  Subject: Re: mod_include/3323: Dos style attack with the usage of SSI's include virtual directive
Date: Sat, 31 Oct 1998 11:17:08 -0700

 That is exactly this case, recursive includes.
 The only problem here though is that it eventually will crash
 the machine. At least the machine that this was tested on.
 
 I guess we will have to trust our users that they won't try to
 exploit this for now. <g>
 
 

From: Marc Slemko <marcs@znep.com>
To: "Joseph W." <sniffen@goodnet.com>
Cc: Apache bugs database <apbugs@apache.org>
Subject: Re: mod_include/3323: Dos style attack with the usage of SSI's
 include virtual directive
Date: Sat, 31 Oct 1998 11:55:47 -0800 (PST)

 On 31 Oct 1998, Joseph W. wrote:
 
 > The following reply was made to PR mod_include/3323; it has been noted by GNATS.
 > 
 > From: "Joseph W." <sniffen@goodnet.com>
 > To: apbugs@Apache.Org
 > Cc:  Subject: Re: mod_include/3323: Dos style attack with the usage of SSI's include virtual directive
 > Date: Sat, 31 Oct 1998 11:17:08 -0700
 > 
 >  That is exactly this case, recursive includes.
 >  The only problem here though is that it eventually will crash
 >  the machine. At least the machine that this was tested on.
 >  
 >  I guess we will have to trust our users that they won't try to
 >  exploit this for now. <g>
 
 Or simply do what is recommended anyway: set a ulimit on the amount of
 memory a httpd process can use before you start it.  This protects against
 40394 DoS attacks with a minimal or nil impact on legitimate use.
 
State-Changed-From-To: feedback-closed
State-Changed-By: marc
State-Changed-When: Sun Nov  8 23:04:12 PST 1998
State-Changed-Why:
A fix to prevent this, plus other infinite recursive includes,
has been committed and will be available in 1.3.4.
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]