Forum Discussion

madi_56757
Aug 25, 2011

Apache Killer

hello all,

I need help with the following rule.

We need an iRule to avoid an exploit on Apache.

Apache syntax:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]

  • Apache released 2.2.20 which fixes CVE-2011-3192:

    http://www.apache.org/dist/httpd/Announcement2.2.html

    Aaron
  • I'll send a tshirt to the first non-MVP or F5er with a solution using something other than regex.
  • Jason,

    Not sure if you're monitoring this, but the following seems like a solution without using regex:

    when HTTP_REQUEST {
        # Only requests that carry a Range header are of interest
        if { [HTTP::header exists "Range"] } {
            # Count the comma-separated byte ranges in the header value
            set tot_ranges [llength [split [HTTP::header "Range"] ","]]
            if { $tot_ranges >= 40 } {
                log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. $tot_ranges ranges requested."
                HTTP::header remove Range
                drop
            }
            return
        }
    }

    Seems to provide the same results on my LTM VE. Not sure what the performance benefit looks like.

    James Denton

    james.denton@rackspace.com
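To make the two approaches in this thread comparable outside an LTM, here is an added Python example (not James's iRule and not F5 or Apache code) that runs both checks over a few constructed Range headers: the RewriteCond regex from the original post, which refuses any GET/HEAD carrying two or more ranges, and the counting rule from the iRule above, which drops a request once the comma-separated range count reaches 40 regardless of method. The request samples, the function names and the `bytes=` prefix handling are assumptions made for this example.

```python
import re

# Threshold used by the iRule in the thread: 40 or more ranges is treated as an attack.
RANGE_THRESHOLD = 40

# The RewriteCond pattern from the original post, compiled unchanged.
APACHE_RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")


def count_ranges(range_header):
    """Number of comma-separated byte ranges in a Range header value.

    Mirrors the iRule's [llength [split [HTTP::header "Range"] ","]] but
    skips the 'bytes=' prefix and any empty item left by a trailing comma.
    """
    if not range_header:
        return 0
    _, sep, spec = range_header.partition("=")
    if not sep:  # no 'bytes=' prefix, treat the whole value as the range set
        spec = range_header
    return sum(1 for part in spec.split(",") if part.strip())


def matches_apache_rule(method, range_header):
    """True when the RewriteCond pair from the thread would answer 403.

    The regex needs at least one ',<range>' group after the first range, so
    every multi-range GET/HEAD is refused, not only large ones.
    """
    if method.upper() not in ("HEAD", "GET") or not range_header:
        return False
    return APACHE_RANGE_RE.search(range_header) is not None


def exceeds_threshold(range_header, threshold=RANGE_THRESHOLD):
    """True when the counting iRule would drop the request (method is not checked there)."""
    return count_ranges(range_header) >= threshold


# Constructed sample requests (method, Range header value); values are made up here.
SAMPLE_REQUESTS = {
    "single_range": ("GET", "bytes=0-1023"),
    "two_ranges": ("GET", "bytes=0-99,200-299"),
    "many_ranges": ("GET", "bytes=" + ",".join(f"{i}-{i}" for i in range(50))),
    "many_ranges_post": ("POST", "bytes=" + ",".join(f"{i}-{i}" for i in range(50))),
    "no_range": ("GET", None),
}


def classify(requests=SAMPLE_REQUESTS):
    """Run both checks over a dict of name -> (method, Range) and return the verdicts."""
    verdicts = {}
    for name, (method, rng) in requests.items():
        verdicts[name] = {
            "ranges": count_ranges(rng),
            "apache_rewrite_403": matches_apache_rule(method, rng),
            "irule_drop": exceeds_threshold(rng),
        }
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:18} ranges={verdict['ranges']:3} "
              f"apache={verdict['apache_rewrite_403']!s:5} irule={verdict['irule_drop']}")
```

Running it shows the trade-off the thread is circling: the regex rejects a harmless two-range request, while the counting rule lets it through and only acts at 40 ranges, but also drops a 50-range POST that the Apache rule (GET/HEAD only) would not touch.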
  • wow, missed this. Yep, that'll play, James. Congrats! We'll get a t-shirt on the way to you. Is the address in your profile correct?