Message-ID: <54180453.2050309@treenet.co.nz>
Date: Tue, 16 Sep 2014 21:35:15 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-Request: squid pinger remote DoS

On 16/09/2014 6:56 p.m., cve-assign@...re.org wrote:
>> I made a fix for squid 3.4.6 and request a CVE
>
>> https://bugzilla.novell.com/show_bug.cgi?id=891268
>
> Regardless of the "what happens to squid itself" answer, is it
> known that the crash has a security impact? This message seemed to
> conclude with an implied request for more information, e.g., "it
> looks like you can," etc. An example of a security impact would be:
> the administrator wanted pinger to be running, and a crash means
> that pinger processes/threads are no longer available, and pinger
> is not automatically restarted.
>
> If there is a security impact, then the patch in Novell Bug 891268
> would probably correspond to at least three CVE IDs, e.g.,
>
> 1. "used to index into a string array" possibly corresponds to
> http://cwe.mitre.org/data/definitions/129.html for the modified
> default case after case 136, and approximately two other places in
> the patch
>
> 2. added "if (n <= 0)" code possibly corresponds to
> http://cwe.mitre.org/data/definitions/389.html
>
> 3. added "if (preply.psize) < 0" code apparently corresponds to a
> more general issue with missing data validation
>

What could happen worst-case (#1 or #3 on a proxy with logging set to level 2) is that the pinger can be used to deliver strings from heap to the Squid parent process cache.log. With #3 the size is not limited to C-string bytes terminated on the first nil. There it amounts to the difference between the expected payload and the received payload. A negative value in that calculation could result in a large number of bytes flooding the parent process's log, slowing the entire service down and/or exhausting log disk space, which in turn can crash the parent process.

The best case being that some HTTP servers are assigned incorrect RTT values, which adversely affects latency-based routing logic for all traffic involving that server IP.

Amos
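As an added example (not Squid's code and not the Novell patch), the three checks the thread lists, applied to a constructed pinger reply record; the struct, field and table names are assumptions made for the illustration:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified reply record, modelled on the thread's description:
 * a sender-supplied payload size and the byte count recv() actually returned. */
struct pinger_reply {
    int  psize;        /* payload size claimed by the remote side */
    long received;     /* return value of the read, like "n" in the thread */
    char payload[64];  /* constructed payload buffer */
};

/* Stand-in for an ICMP type-name array; any index outside it must be
 * rejected before use (the CWE-129 item, #1 in the thread). */
static const char *const icmp_type_names[] = {
    "Echo Reply", "Unassigned", "Unassigned", "Destination Unreachable"
};

const char *icmp_type_name(int type)
{
    size_t n = sizeof icmp_type_names / sizeof icmp_type_names[0];
    if (type < 0 || (size_t)type >= n)   /* check both ends, not just the top */
        return "Unknown";
    return icmp_type_names[type];
}

/* Number of payload bytes it is safe to pass to the log. Returns -1 when the
 * record is untrustworthy: nothing read (the "n <= 0" check, #2), a negative
 * claimed size (the "psize < 0" check, #3), or a claim exceeding what was read.
 * Without these, expected-minus-received with a negative psize becomes a huge
 * length, the log flood the thread describes. */
long loggable_payload_len(const struct pinger_reply *r)
{
    if (r->received <= 0)
        return -1;
    if (r->psize < 0)
        return -1;
    if ((long)r->psize > r->received || (size_t)r->psize > sizeof r->payload)
        return -1;
    return r->psize;
}

int main(void)
{
    struct pinger_reply ok  = { .psize = 5,  .received = 5, .payload = "hello" };
    struct pinger_reply bad = { .psize = -1, .received = 5, .payload = "hello" };
    printf("ok=%ld bad=%ld type136=%s\n", loggable_payload_len(&ok),
           loggable_payload_len(&bad), icmp_type_name(136));
    return 0;
}
```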