Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CACn5sdQ4SaFqZDxhE5_s6x2L68Gf66Hq0MWjfN4=0T9zb3rSxw@mail.gmail.com>
Date: Thu, 9 Feb 2017 14:24:58 -0300
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com, Agustin Mista <mista.agustin@...il.com>
Subject: Multiple DoS parsing and executing extended regex expressions in GNU libc

Hello,

We found a few extended regex expressions in GNU libc that will crash or
abort the execution of regcomp or regexec. For instance:

\a?{1,32767}

will immediately exhaust the stack calling calc_eclosure_iter in the
compilation. A small variation of this regex is:

\a?{0,32767}

will consume a very large amount of memory: it seems to eat 16GB in less
than a minute. It is also possible to exhaust the stack memory trying to
parse:

(((((((( ... repeated 15000 times

this issue is caused because regcomp will call the parse_expression,
parse_branch and parse_reg_exp functions over and over again.
Finally, the following regex will trigger an abort or invalid free when
regexec is called:

/S^^|\0|()//S^^|\0|()//S^^|\1|()/

I don't think these issues can be used to execute arbitrary code, but it
seems quite easy to produce a DoS if a remote application is parsing
untrusted regex expressions.
In fact, we asked one of our students, Agustín Mista, to create a simple PoC
to show how to crash a proFTP server if you can write a .ftpaccess file.
You can find the script attached.

These issues were tested in GNU libc 2.19 (Ubuntu 14.04) and 2.24 (ArchLinux).

I think it should affect the last version of GNU libc as well. Can someone
confirm it?

I'm investigating how to submit these issues in the new CVE form...


Regards,
Gustavo.

Content of type "text/html" skipped

View attachment "PoC.hs" of type "text/x-haskell" (1087 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.