Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc

From: Amos Jeffries <squid3@treenet.co.nz>
To: Kurt Seifried <kseifried@redhat.com>
Cc: tytusromekiatomek@hushmail.com,bugtraq@securityfocus.com,squid-bugs@squid-cache.org,Alex Rousskov <rousskov@measurement-factory.com>
Subject: Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc
Date:

Attachments:
accept_lang_vulnerability.patch

On 8/03/2013 10:07 a.m., Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/05/2013 01:53 PM, tytusromekiatomek@hushmail.com wrote:
>> ################################################################ #
>> DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
>> ################################################################ #
>> # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 #
>> c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 #
>> #######################################
>>
>> # Versions: 3.2.5, 3.2.7
>>
>>
>> This error is only triggered when squid needs to generate an error
>> page (for example backend node is not responding etc...) POC
>> (request): -- cut -- GET http://127.0.0.1:1/foo HTTP/1.1
>> Accept-Language: , -- cut --
>>
>> e.g : curl -H "Accept-Language: ," http://localhost:3129/
>>
>> Code:
>>
>> strHdrAcptLangGetItem is called with pos equals 0, therefore first
>> branch in if (316 line) is taken, because xisspace(hdr[pos]) is
>> false, then pos++ is not executed (because hdr[0] is ','). In 335
>> line statement in while is also false because hdr[0] = ',', so
>> whole loop body is omited. dt = lang, thus after assignment in 353
>> line *lang == '\0', so expression in if statement in 357 line is
>> false. So next execution of while body (314 line), has got same
>> preconditions as previous, thus it's infinite loop.
> Was this reported upstream to squid-bugs@squid-cache.org? Has anyone
> confirmed this, and if so, does it require a CVE #?

I confirm it is possible. A regression was introduced in some 3.2 parser 
alterations.
A preliminary patch is attached which restores the Squid-3.1 behaviour.

As this is triggerable by remote clients I am inclined to release an 
advisory.
Affected stable versions are Squid-3.3 up to and including 3.3.2, 
Squid-3.2 up to and including 3.2.8.

Amos Jeffries
Squid Project


> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJROQF3AAoJEBYNRVNeJnmTq5oQANtdEmCVhIbR9RppkKuPsIP0
> QW+sMJYIunEdUchS+p8IRQiN3IrD8ySDuyWeOSTW6riYopH1XhV1RMY67+JJ63kg
> vR7Toh5GFTjKmd6HvrN7FX7yZ5UyupClX1WhBk2s8GTIhYckDCykvWePJwei2cT3
> fRYc72jSsEoqKP5CTS9YK91Ap0FZRGDREt/V6yZwGkYAVh6j89XC5j95VPzNCigQ
> QQquLNr0AaRQC2E/Ofa++GW8GHf1yGMOQ49ypEKr1n7CrY3uZD2/Gp968GPZx+DJ
> /31KyBAW5v2e1cTIOMgan+mVR8PDHcWSKFQu3bRpd4JaeNkYWHsd66w2tclL8r6Q
> N09+GJFiEdE9ycsHMHMyz8DcCtzLo6BnrP9NTHYzd5Q2CyNpNS0RnAVsFU0Bj2VX
> WLA7JhcM0+5+UJvn9dIuNSaB7xVusKi5Q4YCP33FFULsDczKs5tFBrvrvEn3h9//
> gol31UVSMpB00Bh5ijWifLmrRXJ9+RodxZUZ4PfmmllPA30iuoTqb0yhmVv314GG
> 5/T/PnsMYEAWSrsaqdcfWiWNLGyx/lqovrXofszratY7Urphp0OJNueN9Et7IPkZ
> E42eXZt3x3FfJzFNA2WgXIW13aTQ+iRdAqMip+jmylfMr6JtABevu+V1JXvZkcHY
> 8E7GKbUGP4HexDIWiA0a
> =tSGC
> -----END PGP SIGNATURE-----


=== modified file 'src/errorpage.cc'
--- src/errorpage.cc   2013-02-12 11:34:35 +0000
+++ src/errorpage.cc      2013-03-07 21:45:41 +0000
@@ -381,17 +381,9 @@
     while (pos < hdr.size()) {
         char *dt = lang;
 
-        if (!pos) {
-            /* skip any initial whitespace. */
-            while (pos < hdr.size() && xisspace(hdr[pos]))
-                ++pos;
-        } else {
-            // IFF we terminated the tag on whitespace or ';' we need to skip to the next ',' or end of header.
-            while (pos < hdr.size() && hdr[pos] != ',')
-                ++pos;
-            if (hdr[pos] == ',')
-                ++pos;
-        }
+        /* skip any initial whitespace. */
+        while (pos < hdr.size() && xisspace(hdr[pos]))
+            ++pos;
 
         /*
          * Header value format:
@@ -422,6 +414,12 @@
         *dt = '\0'; // nul-terminated the filename content string before system use.
         ++dt;
 
+        // IFF we terminated the tag on whitespace or ';' we need to skip to the next ',' or end of header.
+        while (pos < hdr.size() && hdr[pos] != ',')
+            ++pos;
+        if (hdr[pos] == ',')
+            ++pos;
+
         debugs(4, 9, HERE << "STATE: dt='" << dt << "', lang='" << lang << "', pos=" << pos << ", buf='" << ((pos < hdr.size()) ? hdr.substr(pos,hdr.size()) : "") << "'");
 
         /* if we found anything we might use, try it. */





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.