BugTraq
Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc Mar 05 2013 08:53PM
tytusromekiatomek hushmail com (2 replies)
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc Mar 08 2013 12:37AM
Amos Jeffries (amos treenet co nz) (1 replies)
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc Mar 11 2013 08:20PM
Kurt Seifried (kseifried redhat com)
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc Mar 07 2013 09:07PM
Kurt Seifried (kseifried redhat com) (1 replies)
Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc Mar 07 2013 10:18PM
Amos Jeffries (squid3 treenet co nz)
On 8/03/2013 10:07 a.m., Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/05/2013 01:53 PM, tytusromekiatomek (at) hushmail (dot) com wrote:
>> ################################################################
>> # DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
>> ################################################################
>> # Authors:                                                     #
>> #   22733db72ab3ed94b5f8a1ffcde850251fe6f466                    #
>> #   c8e74ebd8392fda4788179f9a02bb49337638e7b                    #
>> #   AKAT-1                                                      #
>> ################################################################
>>
>> # Versions: 3.2.5, 3.2.7
>>
>>
>> This error is only triggered when squid needs to generate an error
>> page (for example backend node is not responding etc...)
>>
>> POC (request):
>> -- cut --
>> GET http://127.0.0.1:1/foo HTTP/1.1
>> Accept-Language: ,
>> -- cut --
>>
>> e.g : curl -H "Accept-Language: ," http://localhost:3129/
>>
>> Code:
>>
>> strHdrAcptLangGetItem is called with pos equals 0, therefore first
>> branch in if (316 line) is taken, because xisspace(hdr[pos]) is
>> false, then pos++ is not executed (because hdr[0] is ','). In 335
>> line statement in while is also false because hdr[0] = ',', so
>> whole loop body is omitted. dt = lang, thus after assignment in 353
>> line *lang == '\0', so expression in if statement in 357 line is
>> false. So next execution of while body (314 line) has the same
>> preconditions as previous, thus it's an infinite loop.
> Was this reported upstream to squid-bugs (at) squid-cache (dot) org? Has anyone
> confirmed this, and if so, does it require a CVE #?

I confirm it is possible. A regression was introduced in some 3.2 parser
alterations.
A preliminary patch is attached which restores the Squid-3.1 behaviour.

As this is triggerable by remote clients I am inclined to release an
advisory.
Affected stable versions are Squid-3.3 up to and including 3.3.2,
Squid-3.2 up to and including 3.2.8.

Amos Jeffries
Squid Project

> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

=== modified file 'src/errorpage.cc'
--- src/errorpage.cc 2013-02-12 11:34:35 +0000
+++ src/errorpage.cc 2013-03-07 21:45:41 +0000
@@ -381,17 +381,9 @@
while (pos < hdr.size()) {
char *dt = lang;

- if (!pos) {
- /* skip any initial whitespace. */
- while (pos < hdr.size() && xisspace(hdr[pos]))
- ++pos;
- } else {
- // IFF we terminated the tag on whitespace or ';' we need to skip to the next ',' or end of header.
- while (pos < hdr.size() && hdr[pos] != ',')
- ++pos;
- if (hdr[pos] == ',')
- ++pos;
- }
+ /* skip any initial whitespace. */
+ while (pos < hdr.size() && xisspace(hdr[pos]))
+ ++pos;

/*
* Header value format:
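Review bot: removing the `if (!pos)` / `else` split is the right fix for the stall, since with `pos == 0` and `hdr[0] == ','` the whitespace skip cannot advance, the tag loop copies nothing, and `while (pos < hdr.size())` repeats with identical state; but after this hunk the loop's progress guarantee rests entirely on the skip to the next ',' that now follows the tag copy in the second hunk, so a one-line note at the top of the `while` that every iteration must advance `pos` would keep a later refactor from reintroducing the regression. The comment `/* skip any initial whitespace. */` also now runs on every pass, not just the first, so "skip whitespace before the tag" would describe it better.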
@@ -422,6 +414,12 @@
*dt = '\0'; // nul-terminated the filename content string before system use.
++dt;

+ // IFF we terminated the tag on whitespace or ';' we need to skip to the next ',' or end of header.
+ while (pos < hdr.size() && hdr[pos] != ',')
+ ++pos;
+ if (hdr[pos] == ',')
+ ++pos;
+
debugs(4, 9, HERE << "STATE: dt='" << dt << "', lang='" << lang << "', pos=" << pos << ", buf='" << ((pos < hdr.size()) ? hdr.substr(pos,hdr.size()) : "") << "'");

/* if we found anything we might use, try it. */
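Review bot: the guard `if (hdr[pos] == ',')` reads `hdr[pos]` after the preceding `while` may have exited because `pos` reached `hdr.size()`, so it indexes one past the end of the header value; the same pattern was in the removed `else` branch, but since the lines are being relocated this is the place to tighten it to `if (pos < hdr.size() && hdr[pos] == ',')`. Otherwise the relocation is sound: the skip now runs after every tag, including an empty one, so a leading ',' is consumed and `pos` advances on each pass, which is what terminates the loop for the header in the report.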

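To make the no-progress condition from the report concrete, here is an added example that is not Squid's code and not from the reporter or the patch author. It models the scanner loop in both shapes: the pre-patch branching on `pos` (whitespace skip only when `pos == 0`, skip to the next ',' only otherwise) and the post-patch layout where the skip to the next ',' runs after every tag. The names `ScanResult`, `scanVulnerable`, `scanFixed`, `copyTag` and `skipToNextEntry` are assumptions of this model; Squid's `String` and `xisspace()` are replaced by `std::string` and `std::isspace`, and the tag-copy rules are reduced to the delimiters the report mentions (',', ';' and whitespace). The model adds a per-iteration progress check so the stalled case returns with `hung` set instead of spinning, and bounds-checks the read that the patch leaves unguarded.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical, simplified model of the Accept-Language scanner discussed in
// this thread. Added for illustration; it is not Squid's code.
struct ScanResult {
    std::vector<std::string> tags; // language tags found, lower-cased
    size_t iterations = 0;         // passes through the outer while loop
    bool hung = false;             // an iteration left pos unchanged: the 100% CPU loop
};

static bool isSpace(char c) {
    return std::isspace(static_cast<unsigned char>(c)) != 0;
}

// Copies one tag starting at pos; stops at ';', ',', whitespace or end of header.
static std::string copyTag(const std::string &hdr, size_t &pos) {
    std::string tag;
    while (pos < hdr.size() && hdr[pos] != ';' && hdr[pos] != ',' && !isSpace(hdr[pos])) {
        tag.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(hdr[pos]))));
        ++pos;
    }
    return tag;
}

// Advances pos past the rest of the current entry (q-value and all) and the next ','.
static void skipToNextEntry(const std::string &hdr, size_t &pos) {
    while (pos < hdr.size() && hdr[pos] != ',')
        ++pos;
    if (pos < hdr.size() && hdr[pos] == ',') // bounds check before reading hdr[pos]
        ++pos;
}

// Pre-patch shape: with a header that starts with ',' neither branch moves pos.
// The real loop has no progress check; this model detects the stall and returns.
ScanResult scanVulnerable(const std::string &hdr) {
    ScanResult r;
    size_t pos = 0;
    while (pos < hdr.size()) {
        const size_t start = pos;
        ++r.iterations;
        if (pos == 0) {
            while (pos < hdr.size() && isSpace(hdr[pos]))
                ++pos;
        } else {
            skipToNextEntry(hdr, pos);
        }
        const std::string tag = copyTag(hdr, pos);
        if (!tag.empty())
            r.tags.push_back(tag);
        if (pos == start) { // no progress: the original code would spin here forever
            r.hung = true;
            return r;
        }
    }
    return r;
}

// Post-patch shape: skip whitespace, copy the tag, then always skip to the next ','.
// Every iteration now consumes at least the ',' that stalled the old loop.
ScanResult scanFixed(const std::string &hdr) {
    ScanResult r;
    size_t pos = 0;
    while (pos < hdr.size()) {
        const size_t start = pos;
        ++r.iterations;
        while (pos < hdr.size() && isSpace(hdr[pos]))
            ++pos;
        const std::string tag = copyTag(hdr, pos);
        if (!tag.empty())
            r.tags.push_back(tag);
        skipToNextEntry(hdr, pos);
        if (pos == start) { // defensive guard; not expected to trigger after the fix
            r.hung = true;
            return r;
        }
    }
    return r;
}

int main() {
    // Constructed sample header values: the report's PoC value and an ordinary one.
    const std::string samples[] = {",", ", ,", "en-US,en;q=0.8, fr"};
    for (const std::string &h : samples) {
        const ScanResult v = scanVulnerable(h);
        const ScanResult f = scanFixed(h);
        std::cout << "header \"" << h << "\": vulnerable hung=" << v.hung
                  << " fixed hung=" << f.hung << " fixed tags=" << f.tags.size() << '\n';
    }
    return 0;
}
```

Running it shows the pre-patch loop stalls on a header consisting of a lone ',' while the patched layout terminates in one pass with no tags, and that an ordinary value such as `en-US,en;q=0.8, fr` still yields its three tags. A per-iteration progress assertion like the one modelled here is a cheap regression guard for any tokenizer loop whose advance depends on a branch.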
Copyright 2010, SecurityFocus