lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <51390177.4000608@redhat.com>
Date: Thu, 07 Mar 2013 14:07:03 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: tytusromekiatomek@...hmail.com
CC: bugtraq@...urityfocus.com, squid-bugs@...id-cache.org
Subject: Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/05/2013 01:53 PM, tytusromekiatomek@...hmail.com wrote:
> ################################################################ #
> DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc # 
> ################################################################ # 
> # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
> c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 # 
> #######################################
> 
> # Versions: 3.2.5, 3.2.7
> 
> 
> This error is only triggered when squid needs to generate an error
> page (for example backend node is not responding etc...) POC
> (request): -- cut -- GET http://127.0.0.1:1/foo HTTP/1.1 
> Accept-Language: , -- cut --
> 
> e.g : curl -H "Accept-Language: ," http://localhost:3129/
> 
> Code:
> 
> strHdrAcptLangGetItem is called with pos equals 0, therefore first
> branch in if (316 line) is taken, because xisspace(hdr[pos]) is
> false, then pos++ is not executed (because hdr[0] is ','). In 335
> line statement in while is also false because hdr[0] = ',', so
> whole loop body is omited. dt = lang, thus after assignment in 353
> line *lang == '\0', so expression in if statement in 357 line is
> false. So next execution of while body (314 line), has got same
> preconditions as previous, thus it's infinite loop.

Was this reported upstream to squid-bugs@...id-cache.org? Has anyone
confirmed this, and if so, does it require a CVE #?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0
QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg
vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3
fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ
QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ
/31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q
N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX
WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9//
gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG
5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ
E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY
8E7GKbUGP4HexDIWiA0a
=tSGC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ