nginx and Apache killer

Igor Sysoev igor at sysoev.ru
Sat Aug 27 08:11:04 UTC 2011


Following "Apache Killer" discussions and the advisory from 2011-08-24
(Advisory: Range header DoS vulnerability Apache HTTPD 2.x CVE-2011-3192)
we'd like to clarify a couple of things in regards to nginx behavior
either in standalone or "combo" (nginx+apache) modes.

First of all, nginx doesn't favor HEAD requests with compression,
so the exact mentioned attack doesn't work against a standalone
nginx installation.

If you're using nginx in combination with proxying to apache backend,
please check your configuration to see if nginx actually passes range
requests to the backend:

1) If you're using proxying WITH caching then range requests are not
sent to backend and your apache should be safe.

2) If you're NOT using caching then you might be vulnerable to the attack.

In order to mitigate this attack when your installation includes
apache behind nginx we recommend you the following:

1. Refer to the above mentioned security advisory CVE-2011-3192 for apache
and implement described measures accordingly.

2. Consider using nginx configuration below (in server{} section of
configuration). This particular example filters 5 and more ranges
in the request:

  if ($http_range ~ "(?:\d*\s*-\s*\d*\s*,\s*){5,}") {
      return 416;
  }

We'd also like to notify you that for standalone nginx installations
we've produced the attached patch. This patch prevents handling
malicious range requests at all, instead outputting just the entire file
if the total size of all ranges is greater than the expected response.


-- 
Igor Sysoev
-------------- next part --------------
Index: src/http/modules/ngx_http_range_filter_module.c
===================================================================
--- src/http/modules/ngx_http_range_filter_module.c	(revision 4034)
+++ src/http/modules/ngx_http_range_filter_module.c	(working copy)
@@ -146,7 +146,6 @@
 ngx_http_range_header_filter(ngx_http_request_t *r)
 {
     time_t                        if_range;
-    ngx_int_t                     rc;
     ngx_http_range_filter_ctx_t  *ctx;
 
     if (r->http_version < NGX_HTTP_VERSION_10
@@ -192,10 +191,9 @@
         return NGX_ERROR;
     }
 
-    rc = ngx_http_range_parse(r, ctx);
+    switch (ngx_http_range_parse(r, ctx)) {
 
-    if (rc == NGX_OK) {
-
+    case NGX_OK:
         ngx_http_set_ctx(r, ctx, ngx_http_range_body_filter_module);
 
         r->headers_out.status = NGX_HTTP_PARTIAL_CONTENT;
@@ -206,15 +204,16 @@
         }
 
         return ngx_http_range_multipart_header(r, ctx);
-    }
 
-    if (rc == NGX_HTTP_RANGE_NOT_SATISFIABLE) {
+    case NGX_HTTP_RANGE_NOT_SATISFIABLE:
         return ngx_http_range_not_satisfiable(r);
-    }
 
-    /* rc == NGX_ERROR */
+    case NGX_ERROR:
+        return NGX_ERROR;
 
-    return rc;
+    default: /* NGX_DECLINED */
+        break;
+    }
 
 next_filter:
 
@@ -235,11 +234,12 @@
 ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx)
 {
     u_char            *p;
-    off_t              start, end;
+    off_t              start, end, size;
     ngx_uint_t         suffix;
     ngx_http_range_t  *range;
 
     p = r->headers_in.range->value.data + 6;
+    size = 0;
 
     for ( ;; ) {
         start = 0;
@@ -277,9 +277,10 @@
 
                 range->start = start;
                 range->end = r->headers_out.content_length_n;
+                size += range->end - start;
 
                 if (*p++ != ',') {
-                    return NGX_OK;
+                    break;
                 }
 
                 continue;
@@ -331,10 +332,18 @@
             range->end = end + 1;
         }
 
+        size += range->end - start;
+
         if (*p++ != ',') {
-            return NGX_OK;
+            break;
         }
     }
+
+    if (size > r->headers_out.content_length_n) {
+        return NGX_DECLINED;
+    }
+
+    return NGX_OK;
 }
 
 


More information about the nginx mailing list