# CVE-2011-3192 [SOLVED]

## upengan78

Hello,

It's about http://www.securityfocus.com/bid/49303

Didn't see any thread here, so I thought I'd start one. Wonder if this gets discussed somewhere else for Gentoo?

I added below to /etc/apache2/httpd.conf

```
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
# The pattern matches five commas in the value, i.e. six or more range specs.
SetEnvIf Range (?:,.*?){5,5} bad-range=1
RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range

# optional logging.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-range
# Note: nothing above sets bad-req-range, so this second CustomLog never logs anything.
CustomLog /var/log/apache2/range-CVE-2011-3192.log common env=bad-req-range
```

Restarted apache2 and ran killapache.pl against this Gentoo system. My load average has gone up from 1 to 17 and may rise higher.

access_log

```
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:46:28 -0500] "HEAD / HTTP/1.1" 200 -
```

error_log

```
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/6lO3lRc2F3y74cOhDGe7.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/DV5iN99a8DSsPKhAa7At.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/7z4Ro6Xtzx7iey9-4mK_.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/4C1UzN6j_pND0j9rscPW.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @17384] /var/cache/mod_pagespeed/6lO3lRc2F3y74cOhDGe7.lock:0: creating dir (code=13 Permission denied)
[Fri Aug 26 09:47:48 2011] [error] [mod_pagespeed 0.9.0.0-0 @5452] /var/cache/mod_pagespeed/DV5iN99a8DSsPKhAa7At.lock:0: creating dir (code=13 Permission de
```

range-CVE-2011-3192.log

```
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
sourceIP - - [26/Aug/2011:09:48:12 -0500] "HEAD / HTTP/1.1" 200 -
```

So it seems the workaround I applied doesn't help? Any idea if there will be a patch from Gentoo, or do you recommend any tweaks to this workaround or any other method as a workaround?

Let me know.

Thanks.

Last edited by upengan78 on Fri Aug 26, 2011 4:22 pm; edited 1 time in total

----------

## Yuu

Hi upengan78,

I wanted to create this thread too but... I think I don't like starting threads :)

However, I was aware of this issue a few days ago and I even made a small Python script (killapache doesn't work for me) to test my own Apache server. Unfortunately, I must have misread the information because I didn't know that "Request-Range" was vulnerable too.

For me this fix (RequestHeader unset <header>) just removes the Range/Request-Range header:

```
127.0.0.1 - - [26/Aug/2011:17:36:07 +0200] "GET / HTTP/1.1" 200 651
127.0.0.1 - - [26/Aug/2011:17:36:07 +0200] "GET / HTTP/1.1" 200 651
127.0.0.1 - - [26/Aug/2011:17:36:07 +0200] "GET / HTTP/1.1" 200 651
127.0.0.1 - - [26/Aug/2011:17:36:08 +0200] "GET / HTTP/1.1" 200 651
```

Then the client gets HTTP status code 200 (instead of 206) and doesn't get the ranges. So, that works for me.

So, thank you for this update :]

----------
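Neither post spells out what the posted `SetEnvIf`/`RequestHeader` rules actually do to a request, or why a 200 instead of a 206 is the sign that the workaround took. The following is an added example, not code from either poster, the Apache advisory or killapache.pl: it reimplements the rule logic from the httpd.conf fragment above in Python, builds a Range header in the shape of the public PoC (the exact `bytes=0-,5-0,5-1,...` layout is an assumption modelled on killapache.pl, not copied from it), and classifies a response status the way Yuu's log check does. All sample headers are constructed inline; nothing is sent to a real server.

```python
import re
from typing import Dict, List, Optional, Tuple

# Identical pattern to the posted rule "SetEnvIf Range (?:,.*?){5,5} bad-range=1":
# it fires on five commas, i.e. six or more comma-separated range specs.
BAD_RANGE_RE = re.compile(r"(?:,.*?){5,5}")

RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(value: str) -> Optional[List[RangeSpec]]:
    """Parse a 'bytes=' Range value into (first, last) pairs.

    Returns None for anything that is not a syntactically valid byte-range set,
    so callers can tell "no ranges" from "garbage in the header".
    """
    if not value.startswith("bytes="):
        return None
    ranges: List[RangeSpec] = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
        # "a-b", "a-" and "-b" are legal; a bare "-" is not.
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def rule_flags_range(value: str) -> bool:
    """True when the posted SetEnvIf rule would set bad-range=1 for this value.

    The rule counts commas, not parsed ranges: five or fewer ranges pass
    untouched, which is the intended threshold from the advisory text.
    """
    return BAD_RANGE_RE.search(value) is not None


def apply_workaround(headers: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Simulate the posted rules on one request's headers.

    Returns (headers the content handler would see, environment variables set).
    Header names are compared case-insensitively, as Apache does.
    """
    env: Dict[str, str] = {}
    out: Dict[str, str] = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "request-range":
            continue  # "RequestHeader unset Request-Range": always dropped
        if lname == "range" and rule_flags_range(value):
            env["bad-range"] = "1"  # what the optional CustomLog keys on
            continue  # "RequestHeader unset Range env=bad-range"
        out[name] = value
    return out, env


def killapache_style_range(n: int = 1300) -> str:
    """Constructed attack header (assumption: PoC shape 'bytes=0-' + ',5-k' for k < n)."""
    return "bytes=0-" + "".join(f",5-{k}" for k in range(n))


def classify_status(status: int) -> str:
    """Interpret the status a multi-range probe got back, as in Yuu's log check."""
    if status == 206:
        return "ranges honoured (not mitigated)"
    if status in (200, 416):
        return "ranges ignored or rejected (mitigated)"
    return "inconclusive"


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    # Constructed request in the shape of the posted access_log entries (HEAD / on port 80).
    request = {
        "Host": "gentoo.example",  # hypothetical host name
        "Range": killapache_style_range(),
        "Request-Range": "bytes=0-1,2-3,4-5,6-7,8-9,10-11",
        "Accept-Encoding": "gzip",
    }
    return apply_workaround(request)


if __name__ == "__main__":
    seen, env = demo()
    print("handler sees:", sorted(seen))
    print("env:", env)
    print("five ranges flagged?", rule_flags_range("bytes=0-1,2-3,4-5,6-7,8-9"))
    print("six ranges flagged?", rule_flags_range("bytes=0-1,2-3,4-5,6-7,8-9,10-11"))
    print(classify_status(206), "/", classify_status(200))
```

The point to take from running it: the rule is a comma counter, so a probe with exactly five ranges still reaches the handler and still earns a 206, while the PoC-sized header is stripped and the request is served as a plain 200 with no ranges, which is exactly what Yuu's log shows. Request-Range is dropped unconditionally, so a probe that only uses that header never needs the regex at all.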

## upengan78

No Problem.

About that Request-Range, yes, that also needs to be taken care of. Update: http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082427.html

I have the script and it works fine for me. I had to emerge Parallel::ForkManager though.

I just finished installing mod_security on my Gentoo box, however that also didn't take care of the issue; after enabling apache2 with mod_security and restarting, the load still goes high.

In addition, I enabled the SecRules from here: http://blog.spiderlabs.com/2011/08/mitigation-of-apache-range-header-dos-attack.html. Those didn't help me either.

I also tried the RewriteEngine rules from the comment section of the above (SpiderLabs) link, and the load still goes high.

SOLVED.

I realized I made a mistake in the /etc/conf.d/apache file with the -D option. In order to use mod_security I had wrongly put -D MOD_SECURITY instead of -D SECURITY. After correcting that and restarting apache2, the killapache script now shows the following:

```
Host does not seem vulnerable
```

Note that I haven't added any special security rule. Essentially I just emerged mod_security, edited conf.d/apache to add -D SECURITY, restarted apache2, and it looks ready to defend against this attack at least.

----------

