lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 08 Mar 2013 11:18:19 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: Kurt Seifried <kseifried@...hat.com>
CC: tytusromekiatomek@...hmail.com, bugtraq@...urityfocus.com,
  squid-bugs@...id-cache.org, Alex Rousskov <rousskov@...surement-factory.com>
Subject: Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

On 8/03/2013 10:07 a.m., Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/05/2013 01:53 PM, tytusromekiatomek@...hmail.com wrote:
>> ################################################################ #
>> DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
>> ################################################################ #
>> # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
>> c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 #
>> #######################################
>>
>> # Versions: 3.2.5, 3.2.7
>>
>>
>> This error is only triggered when squid needs to generate an error
>> page (for example backend node is not responding etc...) POC
>> (request): -- cut -- GET http://127.0.0.1:1/foo HTTP/1.1
>> Accept-Language: , -- cut --
>>
>> e.g : curl -H "Accept-Language: ," http://localhost:3129/
>>
>> Code:
>>
>> strHdrAcptLangGetItem is called with pos equals 0, therefore first
>> branch in if (316 line) is taken, because xisspace(hdr[pos]) is
>> false, then pos++ is not executed (because hdr[0] is ','). In 335
>> line statement in while is also false because hdr[0] = ',', so
>> whole loop body is omited. dt = lang, thus after assignment in 353
>> line *lang == '\0', so expression in if statement in 357 line is
>> false. So next execution of while body (314 line), has got same
>> preconditions as previous, thus it's infinite loop.
> Was this reported upstream to squid-bugs@...id-cache.org? Has anyone
> confirmed this, and if so, does it require a CVE #?

I confirm it is possible. A regression was introduced in some 3.2 parser 
alterations.
A preliminary patch is attached which restores the Squid-3.1 behaviour.

As this is triggerable by remote clients I am inclined to release an 
advisory.
Affected stable versions are Squid-3.3 up to and including 3.3.2, 
Squid-3.2 up to and including 3.2.8.

Amos Jeffries
Squid Project


> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0
> QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg
> vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3
> fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ
> QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ
> /31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q
> N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX
> WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9//
> gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG
> 5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ
> E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY
> 8E7GKbUGP4HexDIWiA0a
> =tSGC
> -----END PGP SIGNATURE-----


View attachment "accept_lang_vulnerability.patch" of type "text/plain" (1405 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ