
Bug#312390: marked as done (apache-ssl: apache-ssl uses 100% cpu after bogus http request)



Your message dated Wed, 8 Jun 2005 11:36:41 +1000 (EST)
with message-id <21999.203.49.196.168.1118194601.squirrel@mail.0c3.net>
and subject line Bug#312390: apache-ssl: apache-ssl uses 100% cpu after bogus http request
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 7 Jun 2005 21:51:10 +0000
>From matt@ginzton.net Tue Jun 07 14:51:10 2005
Return-path: <matt@ginzton.net>
Received: from skynet.ginzton.net (mail.ginzton.net) [69.36.243.55] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DflyY-0003n8-00; Tue, 07 Jun 2005 14:51:10 -0700
Received: from localhost (localhost [127.0.0.1])
  (uid 1000)
  by mail.ginzton.net with local; Tue, 07 Jun 2005 14:51:09 -0700
From: Matt Ginzton <matt@ginzton.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache-ssl: apache-ssl uses 100% cpu after bogus http request
X-Mailer: reportbug 1.50
Date: Tue, 07 Jun 2005 14:51:09 -0700
Message-ID: <courier.42A616CD.00005E48@mail.ginzton.net>
X-BadReturnPath: magi@localhost rewritten as matt@ginzton.net
  using "From" header
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: apache-ssl
Version: 1.3.26.1+1.48-0woody3
Severity: grave
Tags: security
Justification: user security hole

I'm using debian woody, with the apache-ssl server, and several times over
the past two months I've seen the server start using 100% cpu (per process;
sometimes just one apache-ssl process is affected; sometimes as many as
12!).  I'm filing this with a rather aggressive priority since it appears
to be a remotely accessible DoS exploit, though no user data seems to be
compromised.

When this happens, I've looked at apache's access.log, and each time I've
found requests that look like

213.148.18.198 - - [07/Jun/2005:01:20:55 -0700] "GET / HTTP/1.1" 200 7090 "http://www.qptv.ru"; "MSIE 6.0"
213.148.18.198 - - [07/Jun/2005:01:20:55 -0700] "\t\x15\x10" 400 - "-" "-"

repeated over and over, near the time I estimate the server started
sucking up 100% cpu.  Always from that exact IP address
(213.148.18.198, for which I can find no information), and always, a
pair of requests, "GET /" followed by "\t\x15\x10".

I'd think this has been reported before, but google turns up no hits for
the offending IP address.

When this happens, I've tried strace'ing the apache-ssl process, and all it
does is set timers and then wake up with SIGITIMER repeatedly.


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux skynet 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages apache-ssl depends on:
ii  apache-common           1.3.26-0woody6   Support files for all Apache webse
ii  dpkg                    1.9.21           Package maintenance system for Deb
ii  libc6                   2.2.5-11.8       GNU C Library: Shared libraries an
ii  libdb2                  2:2.7.7.0-7      The Berkeley database routines (ru
ii  libexpat1               1.95.2-6         XML parsing C library - runtime li
ii  libssl0.9.6             0.9.6c-2.woody.7 SSL shared libraries
ii  logrotate               3.5.9-8          Log rotation utility
ii  mime-support            3.18-1.3         MIME files 'mime.types' & 'mailcap
ii  openssl                 0.9.6c-2.woody.7 Secure Socket Layer (SSL) binary a
ii  perl                    5.6.1-8.9        Larry Wall's Practical Extraction 
ii  perl [perl5]            5.6.1-8.9        Larry Wall's Practical Extraction 
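The report above identifies the problem from access.log by hand: a "GET /" that succeeds, followed by a request line of escaped control bytes that Apache rejects with a 400, repeated from one client. The following is an added example, not part of the bug report or of the apache-ssl package, showing how that pattern can be picked out of a log automatically: it parses Apache "combined" format lines, flags 400 responses whose request field contains Apache's escaped control bytes (\t, \xNN), counts them per client, and separately counts the "GET /" then malformed-request pairs the reporter describes. The log lines it runs on are constructed for the example (documentation IP ranges, invented timestamps) and the function names are this example's own.

```python
import re
from collections import Counter

# Apache "combined" log format. The request field is captured raw so that the
# escape sequences Apache writes for control bytes (\t, \x15, ...) survive intact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Apache escapes non-printable bytes in the request line as \xNN, and tab/newline
# style bytes as \t, \n, \r; any of these in a request line is not a valid HTTP request.
ESCAPED_CTRL_RE = re.compile(r'\\x[0-9a-fA-F]{2}|\\[tnr]')

# Constructed sample log (not the reporter's log): two clients, one of which repeats
# the "GET /" + garbage pair three times, as described in the report.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jun/2005:01:20:55 -0700] "GET / HTTP/1.1" 200 7090 "http://example.invalid/" "MSIE 6.0"
198.51.100.7 - - [07/Jun/2005:01:20:55 -0700] "\\t\\x15\\x10" 400 - "-" "-"
192.0.2.10 - - [07/Jun/2005:01:21:02 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.10"
198.51.100.7 - - [07/Jun/2005:01:21:05 -0700] "GET / HTTP/1.1" 200 7090 "http://example.invalid/" "MSIE 6.0"
198.51.100.7 - - [07/Jun/2005:01:21:05 -0700] "\\t\\x15\\x10" 400 - "-" "-"
198.51.100.7 - - [07/Jun/2005:01:21:15 -0700] "GET / HTTP/1.1" 200 7090 "http://example.invalid/" "MSIE 6.0"
198.51.100.7 - - [07/Jun/2005:01:21:15 -0700] "\\t\\x15\\x10" 400 - "-" "-"
192.0.2.10 - - [07/Jun/2005:01:21:20 -0700] "GET /favicon.ico HTTP/1.1" 404 - "-" "curl/7.10"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_malformed_request(entry):
    """True for a request Apache rejected (400) whose request line holds escaped control bytes."""
    return entry['status'] == 400 and ESCAPED_CTRL_RE.search(entry['request']) is not None


def find_repeat_offenders(lines, threshold=3):
    """Return {ip: count} for clients whose malformed-request count reaches the threshold."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_malformed_request(entry):
            counts[entry['ip']] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_probe_pairs(lines):
    """Count, per client, a successful "GET /" immediately followed by a malformed request.

    This is the exact two-line signature quoted in the report; pairing on the
    previous request from the same IP makes it robust to interleaved traffic
    from other clients.
    """
    last_by_ip = {}
    pairs = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        prev = last_by_ip.get(entry['ip'])
        if (prev is not None and prev['status'] == 200
                and prev['request'].startswith('GET / ')
                and is_malformed_request(entry)):
            pairs[entry['ip']] += 1
        last_by_ip[entry['ip']] = entry
    return dict(pairs)


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print('malformed requests per client:', find_repeat_offenders(lines, threshold=1))
    print('"GET /" + garbage pairs per client:', find_probe_pairs(lines))
```

Run against a real access.log (for example `find_probe_pairs(open('/var/log/apache-ssl/access.log'))`), the pair count per client is the figure to correlate with the time the CPU spike began; the threshold in `find_repeat_offenders` is a tuning knob, since a single malformed request from an otherwise normal client is common and not by itself interesting.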


---------------------------------------
Received: (at 312390-done) by bugs.debian.org; 8 Jun 2005 01:37:12 +0000
>From adconrad@0c3.net Tue Jun 07 18:37:12 2005
Return-path: <adconrad@0c3.net>
Received: from loki.0c3.net [69.0.240.48] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DfpVI-0005bZ-00; Tue, 07 Jun 2005 18:37:12 -0700
Received: from localhost
	([127.0.0.1] helo=mail.0c3.net ident=www-data)
	by loki.0c3.net with esmtp (Exim 4.34)
	id 1DfpUn-0000Yv-9s
	for 312390-done@bugs.debian.org; Tue, 07 Jun 2005 19:36:41 -0600
Received: from 203.49.196.168
        (SquirrelMail authenticated user adconrad)
        by mail.0c3.net with HTTP;
        Wed, 8 Jun 2005 11:36:41 +1000 (EST)
Message-ID: <21999.203.49.196.168.1118194601.squirrel@mail.0c3.net>
In-Reply-To: <courier.42A616CD.00005E48@mail.ginzton.net>
References: <courier.42A616CD.00005E48@mail.ginzton.net>
Date: Wed, 8 Jun 2005 11:36:41 +1000 (EST)
Subject: Re: Bug#312390: apache-ssl: apache-ssl uses 100% cpu after bogus 
     http request
From: "Adam Conrad" <adconrad@0c3.net>
To: 312390-done@bugs.debian.org
Reply-To: adconrad@0c3.net
User-Agent: SquirrelMail/1.5.1 [CVS]
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: adconrad@0c3.net
X-SA-Exim-Scanned: No (on loki.0c3.net); SAEximRunCond expanded to false
Delivered-To: 312390-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_01,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Matt Ginzton wrote:
>
> I'm filing this with a rather aggressive priority since it
> appears to be a remotely accessible DoS exploit, though no user data seems
> to be compromised.

A DoS != an exploit, in most people's minds, just a serious annoyance. 
While annoyances like this may be fixed in the course of stable updates,
they will generally never get fixed in an "oldstable" release.

Since Sarge was released as stable a couple of days ago and Woody has
moved to "oldstable" status, one would only expect real security exploits
(remote execution, privilege escalation, etc) to be fixed in woody
packages from here on in.

I'd recommend upgrading to Sarge at your earliest convenience.  Many
improvements have been made there, including a (generally) much more
stable set of both apache1.3 and apache2 (which I recommend upgrading to
if you can) packages.

... Adam



