As more information becomes available regarding the recently published Range vulnerability affecting Microsoft platforms (see MS15-034and CVE-2015-1635), you can start mitigating this issue for your backend applications using the following iRule that would remove the Range header when large ranges are detected.
What versions of code supports this iRule? I'm asking because I'm getting the following:
Bad Characters. Only the following special characters are allowed: period, asterisk, forward slash, dash, colon, underscore, question mark, equals, at sign, comma, ampersand and space (.*/-:_?=@,&
Also @Raymond, can you provide a link to the iRule Hoolio wrote?
The iRule is already case insensitive as noted in the HTTP::header syntax page: "The header name is not case sensitive, so for example, 'HTTP::header value HEADER_NAME' will match a header with the name HeAdEr_NaMe."
I am unable to post detailed content, however, I propose an alternative iRule which is more strictly fixated on MS15-034, does not false positive, and matches all known evasion techniques for RFC 2616 section 14.35. Please see meow://pastebin.com/BV2uePxk
An updated version of the iRule I've created that more accurately addresses the core vulnerability has been released to address evasion techniques such as "Range: bytes=0-200,201-18446744073709551615"
meow://pastebin.com/3MAEE2Fq
Having read article
http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/
I'm curious to know if the RegEx that has been supplied will mitigate some of the other exploits in the Range field (Counting Whitespaces etc)
I worked with Didier (we're in the same vertical) and the iRule at meow://pastebin.com/3MAEE2Fq will handle those evasions. The RegEx/PCRE supplied in the original iRule on this article will also match, however, the nomenclature isn't quite accurate. While the iRule will match MS15-034 due to the length of the 0xFFF... value in itself it is not precise and will fire on any byte range that is ten digits or more. It's quite aggressive and prone to false positives. The one supplied at meow://pastebin.com/3MAEE2Fq will only match on MS15-034 and has been production tested at $dayjob with the exploit and the evasions identified by Didier.
El-Guapo, this vulnerability does not affect F5 software. This iRule is designed to protect back-end Windows servers against this attack. In addition, SNAT is a layer 3 construct and has no effect on HTTP headers.
