Re: DoS attack: apache (& other) .htaccess Authentication

Dustin Sallings (dustin@spy.net)
Thu, 15 Jan 1998 22:47:26 -0800

> > If you're now trying to open this directory (or any file within)
> > and enter any user / password combination, you'll get a
> > hanging (death running) client. This is, because it's reading
> > /dev/zero and searches for a colon (':') to separate
> > the user name from the password field (mod_auth.c, get_pw(), line 127).
> [...]
>
> > Because also other authentication methods may be exploitable
> > I would prefer to patch it in a way that it's no longer possible
> > to open /dev/zero (or any other device) for reading,
> > so I patched fpopen() in alloc.c:
>
> perhaps you should stat the file and make sure it's a normal file?
> There may be other device files which cause problems by virtue
> of having lots of data, or by blocking for long periods of time.
> For example a blocking read on a dialup device that waits for
> carrier sense on a modem. Is there any reason to allow device
> files to be read from the config?
>
> This may not stop all possible attacks. Normal files might be
> used to indefinitely block the daemon. For example some systems
> allow regular users to make NFS mounts. In this case an NFS
> server can be brought up, mounted, then brought down. The
> httpd reading an nfs mounted file would then block for a long
> period of time while NFS times out. The same result can be
> achieved by performing a denial of service attack against an already
> existing NFS mount.
>
> Are there other ways to cause long blocking times when reading
> normal files? Do any common unix systems have mandatory file locking?

A size limit might not be a bad thing to do. Even a normal file (as
someone here mentioned) can do nasty things to the webserver. Consider:

bleu:~/public_html 159> ls -l .htpasswd
-rw------- 1 dustin staff 1000000000000 Jan 15 22:44 .htpasswd

That's a perfectly real file, but if my webserver tried to find a
password in there...

--
Taos Mountain TS         My girlfriend asked me which one I like better.
pub  1024/3CAE01D5 1994/11/03 Dustin Sallings <dustin@spy.net>
|    Key fingerprint =  87 02 57 08 02 D0 DA D6  C8 0F 3E 65 51 98 D8 BE
L_______________________ I hope the answer won't upset her. ____________