Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at

Board: Bugtraq   Author: (not shown)   Posted: 12 years ago (2013/04/27 12:32), edited   Votes: 0 (000)
0 comments, 0 participants, latest in thread 4/4
On 8/03/2013 10:07 a.m., Kurt Seifried wrote:
> On 03/05/2013 01:53 PM, tytusromekiatomek@hushmail.com wrote:
>> ################################################################
>> # DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
>> ################################################################
>> # Authors:                                                     #
>> # 22733db72ab3ed94b5f8a1ffcde850251fe6f466                     #
>> # c8e74ebd8392fda4788179f9a02bb49337638e7b                     #
>> # AKAT-1                                                       #
>> ################################################################
>>
>> # Versions: 3.2.5, 3.2.7
>>
>> This error is only triggered when squid needs to generate an error
>> page (for example the backend node is not responding, etc.).
>>
>> POC (request):
>> -- cut --
>> GET http://127.0.0.1:1/foo HTTP/1.1
>> Accept-Language: ,
>> -- cut --
>>
>> e.g.: curl -H "Accept-Language: ," http://localhost:3129/
>>
>> Code:
>>
>> strHdrAcptLangGetItem is called with pos equal to 0, therefore the first
>> branch of the if (line 316) is taken; because xisspace(hdr[pos]) is
>> false, pos++ is not executed (because hdr[0] is ','). In line 335 the
>> condition of the while is also false because hdr[0] = ',', so the
>> whole loop body is omitted. dt = lang, thus after the assignment in
>> line 353 *lang == '\0', so the expression in the if statement in line
>> 357 is false. So the next execution of the while body (line 314) has
>> the same preconditions as the previous one, thus it's an infinite loop.
>
> Was this reported upstream to squid-bugs@squid-cache.org? Has anyone
> confirmed this, and if so, does it require a CVE #?

I confirm it is possible. A regression was introduced in some 3.2 parser
alterations. A preliminary patch is attached which restores the Squid-3.1
behaviour.

As this is triggerable by remote clients I am inclined to release an advisory.

Affected stable versions are Squid-3.3 up to and including 3.3.2, Squid-3.2 up
to and including 3.2.8.
Amos Jeffries
Squid Project

> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

[Attachment: accept_lang_vulnerability.patch]
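The control flow the report walks through, and the reordering in the attached patch, modelled as an added example (hypothetical C written for this page, not Squid's errorpage.cc): get_item() mirrors strHdrAcptLangGetItem() with a progress guard that returns -1 where the 3.2 code would spin, and tags_joined() drives it over a constructed ordinary header and the report's "," value.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of Squid's strHdrAcptLangGetItem(), not Squid's code.
 * patched=false follows the 3.2 control flow the report walks through; patched=true
 * applies the attached patch (skip to the next ',' only after copying the tag).
 * Returns 1 with a tag in lang, 0 at end of header, -1 if pos did not advance. */
static int get_item(const char *hdr, char *lang, size_t langLen, size_t *pos, bool patched) {
    size_t len = strlen(hdr);
    while (*pos < len) {
        size_t start = *pos;                  /* progress guard, not in Squid */
        char *dt = lang;
        if (patched || *pos == 0) {           /* skip initial whitespace */
            while (*pos < len && isspace((unsigned char)hdr[*pos])) ++*pos;
        } else {                              /* 3.2 only: skip to ',' up front */
            while (*pos < len && hdr[*pos] != ',') ++*pos;
            if (hdr[*pos] == ',') ++*pos;
        }
        /* copy the tag, lower-cased, up to ';', ',' or whitespace */
        while (*pos < len && hdr[*pos] != ';' && hdr[*pos] != ',' &&
               !isspace((unsigned char)hdr[*pos]) && dt < lang + langLen - 1)
            *dt++ = (char)tolower((unsigned char)hdr[(*pos)++]);
        *dt = '\0';
        if (patched) {                        /* fix: consume through the ',' */
            while (*pos < len && hdr[*pos] != ',') ++*pos;
            if (hdr[*pos] == ',') ++*pos;
        }
        if (lang[0] != '\0') return 1;
        if (*pos == start) return -1;         /* "Accept-Language: ," lands here */
    }
    return 0;
}
/* Join every tag in hdr with '|'; NULL means the parser stalled. */
static const char *tags_joined(const char *hdr, bool patched) {
    static char joined[128]; char lang[32];
    size_t pos = 0; int rc, n = 0;
    joined[0] = '\0';
    while ((rc = get_item(hdr, lang, sizeof lang, &pos, patched)) == 1)
        strcat(strcat(joined, n++ ? "|" : ""), lang);
    return rc < 0 ? NULL : joined;
}
int main(void) {   /* constructed inputs: a normal header and the PoC value */
    printf("patched: %s\n", tags_joined("en-GB, fr;q=0.8", true));
    const char *r = tags_joined(",", false);
    printf("3.2 on ',': %s\n", r ? r : "STALLED (Squid 3.2 loops forever here)");
    return 0;
}
```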
Article ID (AID): #1HUrJI-B (Bugtraq)